Latest update: Microsoft has updated its mitigation for the flaw. Implement it. [265 words]
What: Two zero-day vulnerabilities exist in Microsoft Exchange Server 2013, 2016 and 2019. One of the flaws CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability. The other is CVE-2022-41082, allows Remote Code Execution (RCE) via PowerShell. Both vulnerabilities require an attacker to already have authenticated access to a target network.
How Microsoft has responded: Microsoft has issued mitigations for the two flaws and is working on releasing patches for it soon.
Why it matters: GTSC the Vietnamese firm that discovered the bugs said it has observed—and Microsoft has confirmed—attackers actively exploiting the flaws to remotely execute code on compromised systems. In these attacks, threat actors are chaining the two vulnerabilities to drop web shells and establishing footholds for future attacks on compromised systems. The vulnerabilities can be used alone or chained to other flaws.
The need for speed: The attacks so far appear to be a variant of the ProxyShell exploit chain which targeted on-premises Microsoft Exchange Servers. Thousands of Microsoft Exchange Servers were believed impacted in those attacks. Some 191,000 Exchange Servers remain exposed to the Internet via port 443 as of early September, according to Rapid7 Labs. You are at heightened risk of compromise if your organization is one of them.
The details:
The vulnerabilities : https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Microsoft’s blog and response: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Additional reading: Rapid7 Blog for vulnerability details and CSO Online for how Microsoft’s mitigations can be bypassed.