Nynox advisory - Threat alert: Microsoft Exchange zero-day
(CVE-2022-41040 & CVE-2022-41082)
– Date: 4 October 2022 –
Is your Exchange server exposed to the internet? Keep reading: your company may be at risk. Last week Microsoft confirmed a zero-day exploit against on-premises Microsoft Exchange. The attack uses a specially crafted request path to reach a component in the Exchange backend (its PowerShell endpoint) and perform remote code execution.
What is it about?
❗️The attack chains two vulnerabilities. The first (CVE-2022-41040) is a Server-Side Request Forgery (SSRF) that lets an authenticated attacker reach the PowerShell backend and remotely trigger the second (CVE-2022-41082), a remote code execution (RCE) flaw.
❗️Authenticated access to the vulnerable Exchange server is required to exploit either vulnerability. This is not an unauthenticated attack, but the bar is only valid credentials for a user of the Exchange server; administrator rights are not needed.
❗️They are two distinct vulnerabilities with separate CVEs. The attacks observed so far chain them, but each one must be addressed on its own.
How does it work?
⚙️ An attacker with valid credentials sends a crafted HTTPS request to the internet-facing on-premises Exchange server. The request URL is shaped so that the Exchange front end forwards it to the PowerShell backend (the SSRF, CVE-2022-41040)
⚙️ Through that backend the attacker executes code on the Exchange server (CVE-2022-41082) and typically drops a web shell for persistent access
⚙️ With the web shell in place, the attacker runs further commands to infiltrate your environment
⚙️ Both steps require authentication: the request must carry valid user credentials for the Exchange server
⚠️ Keep in mind that malicious actors can acquire such credentials through attacks like password spraying, or simply buy them on black markets
Why is this vulnerability serious?
⚠️ The attack travels over HTTPS (port 443), so it works against any Exchange server reachable from the internet
⚠️ Port 443 is exactly the port most organisations publish to the internet so that users can reach their mail (OWA, ActiveSync, Outlook Anywhere); the attacker needs nothing more
⚠️ A successful attack gives remote code execution on the Exchange server, a foothold from which the rest of your environment can be compromised
⚠️ As of this advisory there is no patch; only mitigations are available
How does Nynox protect its customers?
🛡️ 24×7 monitoring of the onboarded Exchange devices
🛡️ Free threat hunting for SOC customers based on the indicators for this attack
🛡️ Personalized assistance to mitigate the risk
🛡️ 24×7 Incident Response (CSIRT) in case of compromise
What can you do to mitigate the risk?
✅ Mitigations are being discussed publicly and they break the attack chains seen so far. Microsoft's interim guidance is an IIS URL Rewrite rule on the Autodiscover virtual directory that blocks requests whose path contains autodiscover.json followed by Powershell, plus blocking non-admin access to remote PowerShell (ports 5985 and 5986). Early versions of the rewrite rule were bypassed with URL-encoded requests, so apply the latest published version, which matches on the URL-decoded request URI. Check the Comments section for detailed steps.
But what if you can’t?
✅ Check whether your Next-Generation Firewall or WAF has signatures for this attack; if so, you can apply virtual patching in front of Exchange. Verify that the signature matches against the URL-decoded request URI, otherwise percent-encoded variants of the request will pass
✅ Restrict access to your Exchange server as much as possible, for example to specific public IP ranges or countries, or require a VPN before Exchange is reachable
✅ Consider closing port 443 for incoming connections to the Exchange server entirely. Be aware that this also cuts off OWA, ActiveSync and Outlook Anywhere for remote users, so plan an alternative access route first
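As an added worked example (this is not Nynox's or Microsoft's code) of the hunting and virtual-patching logic referred to above in "How does it work?" and "What can you do to mitigate the risk?": the Python below parses IIS W3C log lines, URL-decodes each request URI and flags requests whose decoded URI contains autodiscover.json followed by Powershell, which is the pattern Microsoft published for its URL Rewrite mitigation. The log lines are constructed for the example, and the function names (hunt, should_block, matches_raw, summarize) are this example's own. It also shows why the check has to run on the decoded URI: a match against the raw string misses percent-encoded variants.

```python
"""Added example: hunt IIS W3C logs for ProxyNotShell-style requests and reuse
the same matcher as a request-blocking (virtual patching) check.
Not Nynox code; the log lines below are constructed for the example."""
import re
from collections import Counter
from urllib.parse import unquote

# Matcher modelled on the pattern Microsoft published for its IIS URL Rewrite
# mitigation: "autodiscover.json" followed by "Powershell" in the URL-decoded
# request URI. Case-insensitive because IIS routing is.
PROXYNOTSHELL_PATTERN = re.compile(r"autodiscover\.json.*powershell", re.IGNORECASE)

# Constructed sample in IIS W3C format (IIS writes '+' for spaces inside fields).
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-10-03 08:12:41 10.0.0.5 GET /owa/ - 443 - 203.0.113.10 Mozilla/5.0 200
2022-10-03 08:13:02 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell/ 443 - 198.51.100.7 python-requests/2.28.1 200
2022-10-03 08:13:09 10.0.0.5 POST /autodiscover/autodiscover.json %40example.org/%50ower%73hell/ 443 - 198.51.100.7 python-requests/2.28.1 200
2022-10-03 08:14:00 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell/ 443 - 198.51.100.8 curl/7.85.0 401
2022-10-03 08:15:12 10.0.0.5 GET /autodiscover/autodiscover.json - 443 contoso\\alice 203.0.113.11 Microsoft+Office/16.0 200
"""


def decode_uri(uri: str) -> str:
    """URL-decode repeatedly (bounded) so %25-style double encoding cannot hide
    the pattern; stop as soon as a decoding pass changes nothing."""
    for _ in range(3):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def full_uri(stem: str, query: str) -> str:
    """Rebuild the request URI from the two IIS fields ('-' means no query)."""
    return stem if query in ("", "-") else f"{stem}?{query}"


def should_block(request_uri: str) -> bool:
    """Virtual-patch decision for one request URI: decode first, then match."""
    return PROXYNOTSHELL_PATTERN.search(decode_uri(request_uri)) is not None


def matches_raw(request_uri: str) -> bool:
    """The naive check (pattern against the raw URI), kept only to show that
    percent-encoded variants slip past it."""
    return PROXYNOTSHELL_PATTERN.search(request_uri) is not None


def parse_w3c(log_text: str):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines rather than abort the hunt
                yield dict(zip(fields, parts))


def hunt(log_text: str):
    """Return (client_ip, status, decoded_uri) for every request matching the pattern."""
    hits = []
    for rec in parse_w3c(log_text):
        uri = full_uri(rec["cs-uri-stem"], rec["cs-uri-query"])
        if should_block(uri):
            hits.append((rec["c-ip"], int(rec["sc-status"]), decode_uri(uri)))
    return hits


def summarize(hits):
    """Count hits per source IP. HTTP 200 responses are the ones to investigate
    first (the request was accepted); anything else still shows targeting,
    e.g. a 401 when the credentials used were not valid."""
    summary = Counter()
    for ip, status, _ in hits:
        summary[(ip, "accepted" if status == 200 else "rejected")] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, status, uri in hunt(SAMPLE_IIS_LOG):
        print(f"{ip} {status} {uri}")
    print(summarize(hunt(SAMPLE_IIS_LOG)))
```

On the constructed sample, `hunt` flags the three autodiscover.json requests that route towards Powershell, including the percent-encoded one, and leaves the ordinary Autodiscover and OWA requests alone; `matches_raw` misses the encoded variant, which is the gap the updated mitigation closes. Point `hunt` at the contents of your front-end IIS log files (typically under inetpub\logs\LogFiles on the Exchange server) to run the same check on real data.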