On Wednesday, October 5, 2022, Microsoft published updated mitigation guidance for two zero-day vulnerabilities in Microsoft Exchange Server: CVE-2022-41040 (an SSRF vulnerability) and CVE-2022-41082 (an RCE vulnerability). Arctic Wolf covered its initial assessment in this blog post. Organizations that run Microsoft Exchange on-premises or in a hybrid model should complete both Microsoft-provided mitigations to reduce the potential for successful exploitation. Exchange Online customers are not affected and do not need to take action. For organizations that have the Exchange Emergency Mitigation Service (EEMS) enabled, the mitigation is applied automatically on Exchange Server 2016 and Exchange Server 2019 running the latest Cumulative Update. The URL Rewrite mitigation has been updated to include the URL Rewrite rule improvement.

Note: Threat actors may still be able to bypass the updated URL Rewrite rule; security researchers have reported sightings of threat actors bypassing the latest mitigation improvements by encoding portions of the request URI.
Security researchers have observed intrusions that chained the two vulnerabilities together to achieve remote code execution (RCE). Since the initial publication of GTSC's blog, we have observed multiple IP addresses scanning for Microsoft Exchange Servers vulnerable to the two zero-day CVEs.

Recommendations

Recommendation #1: Run the Exchange On-premises Mitigation Tool v2 (EOMTv2) to Mitigate CVE-2022-41040

Microsoft created a PowerShell script (EOMTv2.ps1) that performs the URL Rewrite mitigation steps, including the mitigation improvements. The script must be executed on each individual server. Download and run the provided script from Microsoft's GitHub: EOMTv2.ps1 version number 22.10.03.1829. Requirements to run EOMTv2:
If your on-premises Exchange deployment does not meet the requirements to run EOMTv2, apply the URL Rewrite rule manually by following Microsoft's instructions. The instructions provided by Microsoft are below (more details here):
Note: Microsoft has stated there is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.

Recommendation #2: Disable Remote PowerShell Access for Non-Admins

Practice the principle of least privilege when configuring your Microsoft Exchange Server. Disable remote PowerShell access for all non-admin users within your environment. For additional guidance, follow Microsoft's Control Remote PowerShell Access to Exchange Servers documentation.

References:
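The following is an added example for Recommendation #2 above, not code from the original post, from Microsoft's EOMTv2 script, or from Microsoft's documentation. It audits which accounts currently have remote PowerShell enabled, disables it for everyone outside an allow-list, and re-checks the result. It assumes it is run from the Exchange Management Shell by an account permitted to run Set-User, and the allow-list entries (admin@contoso.example, svc-exchange@contoso.example) are placeholders.

```powershell
# Added example: enforce least privilege for remote PowerShell on Exchange.
# Assumption: these UPNs are the administrative accounts that must keep access.
$adminsToKeep = @('admin@contoso.example', 'svc-exchange@contoso.example')

# Set to $false only after reviewing the dry-run report.
$dryRun = $true

# Enumerate every user object that currently has remote PowerShell enabled.
$enabled = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -eq $true }

# Everything not on the allow-list is a candidate for hardening.
$toDisable = $enabled |
    Where-Object { $adminsToKeep -notcontains $_.UserPrincipalName }

# Report the change set so it can be reviewed before anything is modified.
Write-Host ("Users with remote PowerShell enabled: {0}; to disable: {1}" -f `
    @($enabled).Count, @($toDisable).Count)
$toDisable | Select-Object Name, UserPrincipalName, RecipientType |
    Format-Table -AutoSize

# Apply: -WhatIf makes Set-User report instead of change while $dryRun is set.
foreach ($u in $toDisable) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf:$dryRun
}

# Verify: anything still enabled outside the allow-list is flagged for follow-up.
if (-not $dryRun) {
    Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -eq $true -and
                       $adminsToKeep -notcontains $_.UserPrincipalName } |
        ForEach-Object { Write-Warning "Still enabled: $($_.UserPrincipalName)" }
}
```

Run it once with $dryRun left at $true to review the report, then set $dryRun to $false and run it again to apply the change.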
Steven Campbell

Steven Campbell is a Threat Intelligence Researcher at Arctic Wolf Labs and has more than eight years of experience in intelligence analysis and security research. He has a strong background in infrastructure analysis and adversary tradecraft.