Category: Vulnerability Intelligence
Vulnerability Class: Post-Auth SSRF, RCE
CVE ID: CVE-2022-41040, CVE-2022-41082
CVSS:3.0 Score: 8.8, 6.3
Executive Summary
THREAT
- Two post-auth 0-day vulnerabilities discovered in the latest version of the MS Exchange servers.
- The vulnerabilities are tagged CVE-2022-41040 (SSRF) and CVE-2022-41082 (RCE).
- CVE-2022-41040 enables an authenticated attacker to trigger CVE-2022-41082.
IMPACT
- The vulnerability can allow threat actors to gain initial access to an organization’s systems/network and conduct further exploitation.
MITIGATION
- Follow the latest guidance from Microsoft until a security patch is released.
- Microsoft Guidance
Technical Analysis
- Security company GTSC identified exploitation attempts in Microsoft IIS Server logs for a client.
- Internet Information Services (IIS) is an adaptable and secure web server for hosting anything on the Internet.
- The exploit requests were very similar to the requests previously used to exploit the ProxyShell vulnerability.
- Investigation by the GTSC team confirmed the presence of two post-auth 0-day vulnerabilities in the latest version of Microsoft Exchange servers.
- The vulnerabilities have been submitted to the Zero Day Initiative (ZDI) and assigned the following IDs:
  - ZDI-CAN-18333
  - ZDI-CAN-18802
About the Vulnerabilities
- Microsoft assigned CVE-2022-41040 to the SSRF vulnerability and CVE-2022-41082 to the RCE vulnerability.
- The attacker must have authenticated access to the vulnerable Exchange server to exploit either vulnerability.
- Exploitation of CVE-2022-41040 is used to trigger the RCE vulnerability CVE-2022-41082.
- As per Microsoft, CVE-2022-41082 allows remote code execution when PowerShell is accessible to the attacker. It is, however, important to note that there are other methods to exploit the Exchange servers for RCE without PowerShell.
- Since exploitation requires the attacker to be authenticated, techniques like credential stuffing attacks could be used to obtain valid credentials.
- Brute-forcing email/domain usernames with commonly used passwords is observed as a common technique among attackers to gain access to Exchange servers.
Information from OSINT
- As per Shodan, currently there are more than two hundred thousand active MS Exchange servers.
[Figure: Screenshot of the Shodan search results for active MS Exchange servers]
Possible Impact
- By exploiting these vulnerabilities, threat actors can gain remote control of MS Exchange servers.
- The above access can be exploited for the following:
  - Executing commands
  - Privilege escalation
  - Downloading malicious files
- It would equip malicious actors with the details required to launch sophisticated ransomware attacks, install botnets and maintain persistence.
Mitigation Measures
Note: These mitigations have been sourced from the guidance released by Microsoft.
On-premises Microsoft Exchange customers should review and apply the following “URL Rewrite” instructions and block any exposed Remote PowerShell ports.
- Steps to add the URL Rewrite rule:
  - Open the IIS Manager
  - Expand the Default Web Site
  - Select Autodiscover
  - In the Feature View, click URL Rewrite
  - Click on the Add Rules option available in the Actions pane
  - Select Request Blocking and click OK
  - Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
  - Expand and select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*”
  - Click Edit under Conditions
  - Change the condition input from {URL} to {REQUEST_URI}
- Refer to the Appendix section for the screenshots describing the above steps.
- There is no known impact to Exchange functionality if the URL Rewrite module is installed as recommended.
- Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will also be able to trigger RCE using CVE-2022-41082. Blocking the following ports used for Remote PowerShell can limit these attacks.
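A defender-side check that covers both the IIS log review described under Technical Analysis and the URL Rewrite condition in the steps above, written as an added example (it is not code from the advisory, GTSC or Microsoft): it parses W3C-format IIS log lines and applies the blocking pattern quoted in the steps, once to the full request URI (path plus query string, which is what the {REQUEST_URI} server variable exposes) and once to the path alone (what {URL} exposes). The log lines, field order, host names, user names and addresses are constructed for the example, and the `@` and `powershell` tokens are placed in the query string, i.e. the cs-uri-query field.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Blocking pattern exactly as quoted in the URL Rewrite steps. IIS URL Rewrite
# conditions ignore case by default, so the same is done here.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed sample IIS log (not from the incident in the advisory). The
# '#Fields:' header declares the field order, as a real W3C log does. IIS
# writes '-' for empty fields and '+' for spaces inside a field, so splitting
# on single spaces is safe. Only the third line carries '@' and 'powershell',
# and they sit in cs-uri-query, not in cs-uri-stem.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus sc-win32-status time-taken
2022-09-29 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.0.23 Outlook/16.0 - 200 0 0 15
2022-09-29 10:01:03 10.0.0.5 GET /owa/ - 443 - 10.0.0.23 Mozilla/5.0 - 200 0 0 7
2022-09-29 10:01:09 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 CORP\\alice 198.51.100.7 python-requests/2.28 - 200 0 0 120
"""


@dataclass
class Hit:
    """One log record whose request matched the blocking pattern."""
    timestamp: str
    client_ip: str
    username: str
    request_uri: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the last '#Fields:' header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed or headerless line: skip rather than guess
        yield dict(zip(fields, values))


def request_uri(record: Dict[str, str]) -> str:
    """Rebuild path plus query string, the same view {REQUEST_URI} gives the rewrite rule."""
    stem = record.get("cs-uri-stem", "-")
    query = record.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def find_blocked_requests(text: str, *, path_only: bool = False) -> List[Hit]:
    """Return the records the URL Rewrite rule would block.

    path_only=True evaluates the pattern against cs-uri-stem only, which is the
    view the {URL} server variable gives; with the default False the full
    request URI is used, matching the {REQUEST_URI} condition input.
    """
    hits: List[Hit] = []
    for record in parse_w3c(text):
        target = record["cs-uri-stem"] if path_only else request_uri(record)
        if BLOCK_PATTERN.match(target):
            hits.append(Hit(
                timestamp=f"{record['date']} {record['time']}",
                client_ip=record["c-ip"],
                username=record["cs-username"],
                request_uri=request_uri(record),
            ))
    return hits


if __name__ == "__main__":
    print("with {REQUEST_URI} view:", find_blocked_requests(SAMPLE_LOG))
    print("with {URL} view:      ", find_blocked_requests(SAMPLE_LOG, path_only=True))
```

Run against a real log directory, the `path_only=True` result staying empty while the default call flags records is exactly the situation the last step of the procedure addresses: with the condition input left at {URL}, the rule never sees the query string and blocks nothing, while {REQUEST_URI} gives it the whole request to evaluate. The `Hit` records (timestamp, client address, authenticated user, full URI) are the fields an incident responder needs first, since the vulnerabilities are post-auth and the cs-username column identifies which account was used.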
Indicators of Compromise
Note: These IOCs are from the attack detected by the GTSC team.
SHA256 Hashes
- c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
- 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
- b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
- be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
- 074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
- 45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
- 9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
- 29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
- c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2
- 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e
URL
- hxxp://206[.]188[.]196[.]77:8080/themes[.]aspx
IP Address
- 125[.]212[.]220[.]48
- 104[.]244[.]79[.]6
- 86[.]48[.]12[.]64
- 94[.]140[.]8[.]48
- 5[.]180[.]61[.]17
- 112[.]118[.]48[.]186
- 212[.]119[.]34[.]11
- 94[.]140[.]8[.]113
- 47[.]242[.]39[.]92
- 122[.]155[.]174[.]188
- 103[.]9[.]76[.]211
- 103[.]9[.]76[.]208
- 61[.]244[.]94[.]85
- 125[.]212[.]241[.]134
- 185[.]220[.]101[.]182
- 194[.]150[.]167[.]88
- 86[.]48[.]6[.]69
Appendix
[Figure: Vulnerabilities listed on ZDI website]
[Figure: Screenshot of the Microsoft IIS Server logs containing the URL Rewrite option]
[Figure: Screenshot of the Add Rules option present in the Actions pane of the URL Rewrite]
[Figure: Screenshot of the Request Blocking option present in the Add Rules dialogue box]
[Figure: Screenshot of adding the string in the Pattern (URL Path) data field]
[Figure: Screenshot of the Pattern selection]
[Figure: Screenshot of the Condition input being changed to {REQUEST_URI}]