This is a follow up to notifications we sent out regarding the potential for attackers to obtain Remote Control Execution (RCE) access to on-premise and hybrid Microsoft Exchange servers by leveraging CVE-2022-41082. This notification currently effects:
Please note this is for organizations that maintain Microsoft Exchange on premise servers or a hybrid configuration.
This is not a notification of activity we are currently seeing on networks being monitored by Critical Insight.
Back in October 2022, Microsoft recommended mitigation of CVE-2022-41082 by creating a rule to block URL Rewrites. Recently, both Rapid7 and Crowdstrike have noted and responded to attackers performing bypasses to the URL rewrite mitigations through the privilege escalation vulnerabilities in OWA (CVE-2022-41080), allowing attackers to chain this vulnerability with CVE-2022-41082 to achieve privileged access.
CVE-2022-41080 – Microsoft Exchange Server Escalation of Privilege Server Side Request Forgery (SSRF) vulnerability in Autodiscover endpoint of Microsoft Exchange Outlook Web Access (OWA)
CVSSv3: 9.8
CVE-2022-41082 – Remote Code Execution (RCE) that allows RCE when PowerShell is accessible to the attacker.
CVSSv3: 8.8
IOCs noted by these companies include PowerShell being spawned by IIS (w3wp.exe) to create outbound network connections to:
Mitigations:
Microsoft addressed this vulnerability with a patch for Exchange Servers 2013, 2016, and 2019 on November 8, 2022 – KB5019758.
Critical Insight recommends testing and deploying this patch as soon as you are able as OWA on these Exchange versions, in the unpatched state, are vulnerable to CVE-2022-41080.
Additional recommendations from Microsoft include:
Additional Information:
Microsoft analysis and guidance: https://www.microsoft.com/en-us/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/