Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild.
The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
Successful exploitation of CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082.
RCE chain
In GTSC’s original security advisory, researchers said they discovered an attack on “critical” infrastructure made through Exchange Server in August.
The first vulnerability, CVE-2022-41040 (CVSS 8.8), is a server-side request forgery (SSRF) issue. When triggered remotely to launch CVE-2022-41082 (CVSS 6.3), the bug could result in remote code execution (RCE).
Mitigation
Microsoft confirmed the two issues on Friday and said it was aware of “limited targeted attacks” exploiting them.
As part of its guidance, Microsoft shared mitigations for on-premises servers and strongly recommended that Exchange Server customers “disable remote PowerShell access for non-admin users” in the organization.
To reduce the risk of exploitation, Microsoft suggested blocking known attack patterns with a rule in IIS Manager:
- Open IIS Manager.
- Choose the default site.
- In the **Features View**, click URL Rewrite.
- In the Actions pane on the right, click Add Rules….
- Select **Request Blocking** and click OK.
- Add the string ".autodiscover.json.*@.*Powershell." (without the quotation marks) and then click OK.
- Expand the rule, select the rule with the pattern "autodiscover.json.*@.*Powershell." and click Edit under Conditions.
- Change the condition input from {URL} to {REQUEST_URI}.
Microsoft also recommends customers block the following Remote PowerShell ports:
- HTTP: 5985
- HTTPS: 5986
Microsoft also recommends Exchange Server customers disable remote PowerShell access for non-admin users in the organization.
Researchers at GTSC published a video PoC to demonstrate how to bypass the mitigation for the two vulnerabilities.