mickmick.net

Microsoft Exchange Zero-day Remote Code Execution Vulnerabilities

Last Update Date: 30 Sep 2022 17:00 Release Date: 30 Sep 2022

RISK: High Risk

TYPE: Servers - Other Servers

Multiple vulnerabilities have been identified in Microsoft Exchange. A remote user can exploit some of these vulnerabilities to trigger remote code execution on the targeted system.

 

Notes: No patch is currently available.

 

[Updated on 2022-09-30] Microsoft stated that the two vulnerabilities were used for limited targeted attacks into users’ systems, the Risk Level has updated to High Risk.

---

Impact

• Remote Code Execution

---

System / Technologies affected

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

---

Solutions

Workaround:

Reduce the vulnerability of attacks by adding a rule to block requests with indicators of attack through the URL Rewrite Rule module on IIS server.

 

1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
2. Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.
3. Condition input: Choose {REQUEST_URI}

---

Vulnerability Identifier

• CVE-2022-41040
• CVE-2022-41082

---

Source

• Bleeping Computer
• GTSC

---

Related Link

• https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
• https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-day-actively-exploited-in-attacks/
• https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html