[German]The 0-day vulnerability ZDI-CAN-18333 in Microsoft's on-premises Exchange Servers (2013, 2016 and 2019) became public at the end of September. The vulnerabilities (CVE-2022-41040, CVE-2022-41082) are already being exploited in the wild. Now Microsoft is rolling out URI rewrite rules via EMS for protection. Furthermore, wrong suggestions in the Microsoft support articles published in the meantime have been amended, and there are scripts for checking and securing Exchange installations. Here is an overview of the latest developments.
The 0-day vulnerability ZDI-CAN-18333
As of Sept. 29, 2022, I had reported on the 0-day vulnerability ZDI-CAN-18333 in the blog post Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022). Microsoft Exchange Server 2013, 2016 and 2019 are vulnerable to two unpatched zero-day vulnerabilities CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution via PowerShell).
However, an attacker needs authenticated access to the vulnerable Exchange Server to successfully exploit either vulnerability. Microsoft had then published a support post on September 29, 2022 with guidance on how to detect a successful attack as well as how to protect against such attacks. I had reported Microsoft's recommendations for the Exchange Server in the blog post Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333.
However, it quickly became apparent that Microsoft's claims about mitigating the attack were flawed. Blog readers left some comments about this in the blog posts linked above. Therefore, the blog readership was able to successfully set the URI rewrite rule for Exchange Server.
Microsoft's fixes
German blog reader Robert points out in this comment that Microsoft has corrected its (erroneous) information on mitigating the URI rewrite pattern.
Quick update: something is happening at Microsoft….
A Powershell script was released by MS, which does everything automatically.
In addition, MS has now finally corrected the thing with the RegEx and has now also ENHANCED the protection: no longer affects only the Virt. Dir. Autodiscover, but MS applies the URL Rewrite now to the COMPLETE Default WebSite.
Microsoft has again fundamentally revised the blog post Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server. A link to the article Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082, which was published in the Microsoft Security Blog on September 30, 2022, was added. There you can find a further analysis of the vulnerabilities and the resulting threats.
Exchange: 0-day attack via vulnerability ZDI-CAN-18333
Attackers need authentication to see a malicious http request on port 443 to Exchange. Then they can exploit the two vulnerabilities to install a web shell as a backdoor and perform other activities. In the article above, there are now more hints on how to mitigate the two vulnerabilities, as well as the hint that Windows Defender for Endpoint now detects the activities after the initial attack. In addition, the Antimalware Scan Interface (AMSI) introduced in Exchange supports detection of the malicious features. However, AMSI is likely to be disabled on some Exchange systems due to problems (see Exchange 2016/2019: Outlook problems due to AMSI integration).
EMS sets blocking rule automatically
Microsoft had introduced the Exchange Server Emergency Mitigation Service (EMS) per CU in September 2021 (see Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service). This should allow Microsoft to dynamically respond to threats from 0-day vulnerabilities by, for example, automatically setting URI rewrite rules to block attacks (see also this Microsoft post).
On my blogs, users had asked several times in comments why Microsoft was not using this mechanism. I had pointed out that the developers might need a few hours to implement and test the corresponding rules. That seems to have happened now. Gero wrote already this morning (October 1, 2022) in this German comment:
Good morning,
on our 2016 the EM service automatically created the rule on the default web site tonight.
Finally….
Microsoft has confirmed here that the functionality in question will be rolled out automatically for customers who use EMS on their Exchange for protection.
For customers who have the Exchange Server Emergency Mitigation Service (EMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. Please see this blog post for more information on this service and how to check active mitigations.
Applies to Exchange Server 2016 and Exchange Server 2019 with EMS enabled. There, the URL rewrite blocking rule is automatically rolled out and enabled. If the rule was set up manually, you should check if it's still valid.
Mitigation via script
German blog reader Robert had pointed out in this comment that Microsoft also provides a PowerShell script that automatically enters the URL rewrite blocking rule in Exchange. Microsoft has published the PowerShell script that automatically performs the steps for the URL rewrite blocking rule – in order to mitigate the security vulnerabilities. In the article Exchange On-premises Mitigation Tool v2 (EOMTv2) you can find relevant information about what the script does to protect against the vulnerabilities and what requirements are necessary. The PowerShell script also has a rollback function to roll back the so-called mitigation.
A 0-day checker tool
The Viet Nam Cybersecurity Emergency Response Teams/Coordination Center (VNCERT/CC) has also released a 0-day checker tool that can be used to check an Exchange Server for vulnerability exploitability. This is according to the following tweet:
The project runs under MIT license and is available on GitHub. However, everyone has to decide for themselves whether to run the provided .exe files from this source on their Exchange Server. Virustotal reports no detections and the VNCERT-CC has published the source code of the checker tool.
Article series:
Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates it's mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsofts improves solutions for 0-day mitigation again (October 8, 2022)
Similar articles:
Exchange Update errors and information (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server 2013: Microsoft's tips on decommissioning the systems
Update for Exchange Extended Protection script, but still error
Tip: Exchange Health Checker – Script extensions by Frank Zöchling
