Pierluigi Paganini October 04, 2022

The mitigation shared by Microsoft for the two recently disclosed Exchange zero-day vulnerabilities can be bypassed, expert warns.

Last week, Microsoft confirmed that two zero-day vulnerabilities in Microsoft Exchange recently disclosed by researchers at cybersecurity firm GTSC are being actively exploited in the wild.

The first flaw, tracked as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) issue. The second vulnerability, tracked as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.  

Successful exploitation of the CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. 

“At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.” reads the advisory published by Microsoft.

Microsoft announced that it is working to accelerate the timeline to release a fix that addresses both issues. Meantime, the company provided the mitigations and detection guidance to help customers protect themselves from these attacks. 

Microsoft states that Microsoft Exchange Online Customers do not need to take any action, while it provided mitigation for on-premises Microsoft Exchange customers which are the same shared by GTSC.

“We are working on an accelerated timeline to release a fix. Until then, we’re providing the mitigations and detections guidance below to help customers protect themselves from these attacks,” Microsoft added.

Below is the step-by-step procedure provided by Microsoft to mitigate the risk of exploitation for the above issues:

1. Open the IIS Manager.
2. Expand the Default Web Site.
3. Select Autodiscover.
4. In the Feature View, click URL Rewrite.
5. In the Actions pane on the right-hand side, click Add Rules.
6. Select Request Blocking and click OK.
7. Add String “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK.
8. Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions.
9. Change the condition input from {URL} to {REQUEST_URI}

Microsoft also recommends customers block the following Remote PowerShell ports:

1. HTTP: 5985
2. HTTPS: 5986

Microsoft also recommends Exchange Server customers disable remote PowerShell access for non-admin users in the organization.

BleepingComputer reported that researcher Jang has first warned that Microsoft’s mitigations can be easily bypassed with little effort.

Researchers at GTSC published a video PoC to demonstrate how to bypass the mitigation for the two vulnerabilities.

The popular CERT/CC vulnerability analyst Will Dormann also confirmed that the mitigation can be easily bypassed.

The researchers suggested trying “.*autodiscover\.json.*Powershell.*” instead of URL block mitigations shared by the IT giant.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)

[adrotate banner=”5″]

[adrotate banner=”13″]