2 New Exchange Zero-Day Vulnerabilities
Incident Report for Ascend Security Events
Resolved
This incident has been resolved.
Posted Oct 14, 2022 - 06:52 CDT
Update
Microsoft has updated their recent mitigation measures for the vulnerabilities.

Microsoft notes that if the previous rule is already in place, it is best to delete it and re-create it rather than edit it.

The update steps are as follows:
1. Open the IIS Manager
2. Expand the Default Web Site
3. Select Autodiscover
4. In the Feature View, click URL Rewrite
5. In the Actions pane on the right-hand side, click Add Rules
6. Select Request Blocking and click OK
7. Add String ".*autodiscover\.json.*Powershell.*" (excluding quotes)
8. Select Regular Expression under Using.
9. Select Abort Request under How to block and then click OK.
10. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*Powershell.*" and click Edit under Conditions
11. Change the condition input from {URL} to {REQUEST_URI}

Microsoft also recommends disabling remote PowerShell access for non-admin users; the steps are documented here: https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps#use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user
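The following is an added example, not code from the Ascend post or from Microsoft: it scripts the eleven IIS Manager steps above with the WebAdministration module that ships with IIS, deletes any existing copy of the rule first (as the update advises) and reads the result back so you can confirm the condition is evaluated against {REQUEST_URI}. The rule name, the placeholder user identity and the choice to place the rule on the Autodiscover application (which is where the GUI steps put it) are assumptions. Run it in an elevated PowerShell session on the Exchange server; the last two lines need the Exchange Management Shell.

```powershell
# Added example (not from the Ascend post or Microsoft): scripted equivalent of the
# IIS URL Rewrite "Request Blocking" steps. Assumptions are marked as such.
Import-Module WebAdministration

$SitePath   = 'IIS:\Sites\Default Web Site\Autodiscover'   # where the GUI steps add the rule
$RulesPath  = 'system.webServer/rewrite/rules'
$RuleName   = 'Block autodiscover PowerShell proxy'        # assumed name; any unique name works
$Pattern    = '.*autodiscover\.json.*Powershell.*'          # updated pattern from the steps above
$RuleFilter = "{0}/rule[@name='{1}']" -f $RulesPath, $RuleName

# Delete and re-create rather than edit in place, as the update advises.
if (Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter) {
    Clear-WebConfiguration -PSPath $SitePath -Filter $RuleFilter
}

# Steps 5-8: a Request Blocking rule is an inbound rule that matches every URL;
# the blocking decision is made in the condition. The default pattern syntax is
# regular expressions (ECMAScript), so it is not set explicitly here.
Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesPath -Name '.' `
    -Value @{ name = $RuleName; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/match" -Name 'url' -Value '.*'

# Steps 10-11: evaluate the pattern against {REQUEST_URI}, which includes the
# query string, rather than {URL}, which does not.
Add-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/conditions" -Name '.' `
    -Value @{ input = '{REQUEST_URI}'; pattern = $Pattern; ignoreCase = 'True' }

# Step 9: abort the request outright instead of redirecting or rewriting it.
Set-WebConfigurationProperty -PSPath $SitePath -Filter "$RuleFilter/action" -Name 'type' -Value 'AbortRequest'

# Verification: the rule should exist, use {REQUEST_URI}, and carry the expected pattern.
$rule = Get-WebConfiguration -PSPath $SitePath -Filter $RuleFilter
$cond = Get-WebConfiguration -PSPath $SitePath -Filter "$RuleFilter/conditions/add"
if (-not $rule -or $cond.input -ne '{REQUEST_URI}' -or $cond.pattern -ne $Pattern) {
    throw "Rule '$RuleName' was not created as expected; check the web.config under $SitePath"
}
Write-Host "Rule '$RuleName' in place: input=$($cond.input) pattern=$($cond.pattern)"

# Microsoft's linked recommendation: disable remote PowerShell for a non-admin user.
# Exchange Management Shell cmdlets; 'jdoe' is a placeholder identity.
Set-User -Identity 'jdoe' -RemotePowerShellEnabled $false
Get-User -Identity 'jdoe' | Select-Object Name, RemotePowerShellEnabled
```

The verification block is the part worth keeping around: the original (pre-October 5) rule differs from this one only in its pattern, so reading the condition back is the quickest way to tell whether a server still carries the superseded rule.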

Updates by: Brendan Byrd
Posted Oct 05, 2022 - 08:15 CDT
Monitoring
Microsoft recently announced two zero-day vulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019, after several reports of "limited targeted attacks" in the wild.

Source: Microsoft

"The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker," Microsoft wrote in its Security Response Center write-up. Microsoft further clarified: "It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities."

Microsoft is working towards a fix, but has identified mitigations against the attack. Those on Exchange Online do not need to take any action, as the detections and mitigations are already in place.

The mitigation steps, which Microsoft reports have no known impact on Exchange functionality, are below:
1. Open the IIS Manager
2. Expand the Default Web Site
3. Select Autodiscover
4. In the Feature View, click URL Rewrite
5. In the Actions pane on the right-hand side, click Add Rules
6. Select Request Blocking and click OK
7. Add String ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK
8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions
9. Change the condition input from {URL} to {REQUEST_URI}

To mitigate against attackers who are able to authenticate and access PowerShell Remoting, you can block the following ports:
- HTTP: 5985
- HTTPS: 5986

Microsoft security services such as Microsoft Sentinel and Microsoft Defender for Endpoint contain several alerts that should trigger on the post-exploitation behavior associated with these vulnerabilities. The Threat Response team at Ascend Technologies will be vigilantly investigating all alerts that may reflect a compromise through these vulnerabilities for clients that have the service.

Ascend Technologies is diligently observing this issue and will provide updates once received from Microsoft.

Authors: Brendan Byrd & Evan Obal

Source: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Posted Sep 30, 2022 - 14:09 CDT