Critical Microsoft Exchange Zero-Day – CVE-2022-41040 Server-Side Request Forgery (SSRF)
Microsoft Exchange Server Elevation of Privilege Vulnerability
Risk: Critical
CVE ID: CVE-2022-41040
CVSS Score: 8.8 (Microsoft); 6.3 (ZDI)
CWE-ID:
Impacted Product: Microsoft Exchange Server 2013, 2016, and 2019
Published Date: 30 Sep 2022
Updated: 03 Oct 2022
Vulnerability Threat & Description:
The disclosed vulnerability allows a remote, authenticated user to perform server-side request forgery (SSRF) attacks. It exists because of insufficient validation of user-supplied input within the Exchange OWA interface: a remote user can send a specially crafted HTTP request and trick the application into initiating requests to arbitrary systems. Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the target system.
CVE-2022-41040 is an authenticated server-side request forgery vulnerability in Microsoft Exchange Server that was assigned a CVSSv3 score of 6.3 by ZDI (Microsoft rates it 8.8). Successful exploitation of CVE-2022-41040 gives the attacker the access needed to exploit CVE-2022-41082, the companion remote code execution vulnerability; the two form the attack chain that the mitigation below is designed to break.
Note, the vulnerability is being actively exploited in the wild.
Remediation Level
No patch is available yet; Microsoft has provided a workaround.
According to Microsoft, Exchange Online customers do not need to take any action.
Mitigation
This is a copy of the mitigation method provided by Microsoft.
The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns.
Microsoft created the following script for the URL Rewrite mitigation steps: https://aka.ms/EOMTv2
Customers can also instead follow the instructions below, which are being discussed publicly and have been successful in breaking current attack chains.
- Open the IIS Manager.
- Select Default Web Site.
- In the **Feature View**, click URL Rewrite.
- In the Actions pane on the right-hand side, click Add Rules….
- Select **Request Blocking** and click OK.
- Add the string `.*autodiscover\.json.*\@.*Powershell.*` (the complete regular expression, including the leading and trailing `.*`) and then click OK.
- Expand the rule and select the rule with the pattern `.*autodiscover\.json.*\@.*Powershell.*`, then click Edit under Conditions.
- Change the Condition input from `{URL}` to `{REQUEST_URI}`. `{URL}` holds only the request path, whereas `{REQUEST_URI}` also includes the query string in which the blocked pattern appears, so the rule is not effective until this change is made.
NOTE: If you need to change any rule it is best to delete and recreate it.
Impact: There is no known effect on Exchange functionality if URL Rewrite is installed as recommended.
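To make the last step concrete, the following is an added example (it is not part of Microsoft's mitigation or of this advisory) that models how the Request Blocking rule's condition is evaluated against the two IIS server variables. The request strings are constructed for illustration, not captured traffic; the `{URL}` and `{REQUEST_URI}` semantics are those documented for IIS URL Rewrite (path without the query string, and path plus query string, respectively).

```python
import re
from urllib.parse import urlsplit

# The regular expression from the mitigation steps. IIS URL Rewrite conditions
# ignore case by default, so the lowercase "powershell" seen in real requests
# still matches "Powershell"; re.IGNORECASE mirrors that default.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def server_variables(request_uri: str) -> dict:
    """Approximate the two IIS server variables the condition can read.
    {URL} is the request path with the query string removed;
    {REQUEST_URI} is the path plus the query string as received."""
    parts = urlsplit(request_uri)
    return {"{URL}": parts.path, "{REQUEST_URI}": request_uri}


def rule_blocks(request_uri: str, condition_input: str) -> bool:
    """True if the Request Blocking rule would reject this request when its
    condition reads condition_input ("{URL}" or "{REQUEST_URI}")."""
    subject = server_variables(request_uri)[condition_input]
    return BLOCK_PATTERN.search(subject) is not None


# Constructed sample requests (illustrative, not captured traffic).
SAMPLES = {
    # The shape the rule exists to stop: autodiscover.json, an '@' and a
    # PowerShell path all appear, and the '@' and PowerShell part sit in the
    # query string rather than the path.
    "attack_shape": "/autodiscover/autodiscover.json?@mail.example.test/powershell",
    # A legitimate Autodiscover lookup: contains '@' (an e-mail address) but
    # no PowerShell reference, so it must keep working.
    "autodiscover": "/autodiscover/autodiscover.json?Email=alice@example.test",
    # Unrelated OWA traffic.
    "owa": "/owa/auth/logon.aspx",
}


def evaluate(samples: dict = None) -> dict:
    """Return {sample name: {condition input: blocked?}} for both inputs."""
    samples = SAMPLES if samples is None else samples
    return {
        name: {ci: rule_blocks(uri, ci) for ci in ("{URL}", "{REQUEST_URI}")}
        for name, uri in samples.items()
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        u, r = result["{URL}"], result["{REQUEST_URI}"]
        print(f"{name:14s} {{URL}} -> {u!s:5s} {{REQUEST_URI}} -> {r}")
```

Run as-is, the attack-shaped request is blocked only when the condition reads `{REQUEST_URI}`; with `{URL}` the path alone never contains the `@` or the PowerShell reference, so the rule silently does nothing, which is exactly the failure step 8 above prevents. The two benign samples are not blocked under either input. Microsoft has revised the blocking string since this advisory's update date, so take the current pattern from the script at https://aka.ms/EOMTv2 rather than from this page.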
Attack Vector: Network (AV:N)
Privileges Required: Low (PR:L). The attacker must be authenticated, but only ordinary user privileges are needed.
Patch Available: No, Microsoft is still investigating
Public Exploit Available: Yes (proof of concept)
Attack Complexity: Low (AC:L)
User Interaction: None (UI:N)
Impact on:
• Confidentiality: High
• Integrity: High
• Availability: High
Expected attack type: remote code execution. An authenticated attacker could use this vulnerability, chained with CVE-2022-41082, to run malicious code in the context of the server's account through a network request.
More Info:
WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040