Microsoft Updates Mitigation for Exchange Server Zero-Days

Researchers discovered that Microsoft's original mitigation steps for the so-called "ProxyNotShell" flaws were easily bypassed.

Microsoft today updated its mitigation measures for two recently disclosed and actively exploited zero-day vulnerabilities in its Exchange Server technology after researchers found its initial guidance could be easily bypassed.

Microsoft's original mitigation for the two vulnerabilities, CVE-2022-41040 and CVE-2022-41082, was to apply a blocking rule to a specific URL path using the URL Rewrite Module on IIS Server. According to the company, adding the pattern ".*autodiscover\.json.*\@.*Powershell.*" would help block known attack patterns against the vulnerabilities.

However, security researchers — including Vietnam-based security researcher Jang, Kevin Beaumont, and others — noted that attackers can easily bypass the Microsoft-recommended mitigation to exploit the vulnerabilities. "The '@' in the Microsoft-recommended '.*autodiscover\.json.*\@.*Powershell.*' URL block mitigations for CVE-2022-41040 [and] CVE-2022-41082 seems unnecessarily precise, and therefore insufficient," security researcher Will Dormann said in a tweet. "Probably try '.*autodiscover\.json.*Powershell.*' instead," he wrote.

The CERT Coordination Center at Carnegie Mellon University appeared to echo the recommendation in its note about the vulnerabilities. "The recommended block pattern is '.*autodiscover\.json.*Powershell.*' (excluding the @ symbol) as a regular expression to prevent known variants of the #ProxyNotShell attacks," CERT said.

Updated Guidance

On Tuesday, after more than a day of silence on the issue, Microsoft updated its guidance to reflect the change that the security researchers had suggested (.*autodiscover\.json.*Powershell.*). "Important updates have been made to the Mitigations section improving the URL Rewrite rule," Microsoft said. "Customers should review the Mitigations section and apply one of these updated mitigation options."

The blocking rule has been updated and enabled automatically for organizations that have enabled Microsoft's Exchange Emergency Mitigation Service. Microsoft has also updated a script that organizations can use to enable the URL Rewrite mitigation, and updated its step-by-step guidance on how to apply the rule for organizations that want to implement the mitigation manually. Microsoft also strongly recommends that Exchange Server customers disable remote PowerShell access for nonadministrative users.

Microsoft originally released mitigation guidance on Sept. 30, following the public disclosure of CVE-2022-41040 and CVE-2022-41082, two vulnerabilities in Exchange Server that it said had been used in a limited number of targeted attacks since August 2022. The flaws affect on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 that are exposed to the Internet. The US Cybersecurity and Infrastructure Security Agency (CISA) has described the vulnerabilities as giving attackers a way to take control of an affected system.

A map of devices from the Shodan search engine that security researcher Beaumont generated this week shows tens of thousands of systems around the world that appear to be running vulnerable versions of Exchange Server.

Microsoft said customers of Microsoft Exchange Online are protected and therefore don't need to take any action — an assertion that Beaumont has challenged. "Even if you're Exchange Online, if you migrated and kept a hybrid server (a requirement until very recently) you are impacted," Beaumont noted. Beaumont has labeled the vulnerabilities "ProxyNotShell" because the exploit process and Microsoft's mitigations are very similar to those associated with last year's ProxyShell vulnerabilities in Exchange Server.

Microsoft is currently working on a fix for the two vulnerabilities.

Common Issue

"It is common for fixes to not be complete," says David Lindner, CISO at Contrast Security. "We have not verified the bypasses, but it is common for a back and forth to happen between exploit and fix until the true root cause is resolved." He points to the initial fixes for the Log4Shell vulnerability in Apache's Log4j logging framework as one example. "Over the course of a couple of weeks, there were multiple renditions trying to resolve the root of the issue," he notes.

CVE-2022-41040 is a server-side request forgery (SSRF) flaw that enables attackers to elevate privileges on a compromised system, and CVE-2022-41082 is a remote code execution flaw when PowerShell is remotely accessible to the attacker. Microsoft said it had detected a single threat actor using CVE-2022-41040 to remotely trigger CVE-2022-41082 and install a Web shell called Chopper on vulnerable systems that enabled them to steal data and conduct Active Directory reconnaissance. Chopper is a Web shell that has been previously associated with Chinese threat actors.

The flaws can be chained together in an attack — as happened with the threat actor that Microsoft observed — or used separately. In both instances, however, an attacker would need to be authenticated, even if only at the level of a standard user, to exploit the vulnerabilities, Microsoft said. Singapore-based security firm GTSC discovered the two flaws and, in coordination with Trend Micro's Zero Day Initiative, reported the bugs to Microsoft.