Microsoft confirms two actively exploited zero-day vulnerabilities in Exchange Server
Microsoft has issued a security notice about two zero-day vulnerabilities with its own Microsoft Exchange Server. Versions 2013, 2016 and 2019 of the software are affected.
One vulnerability (CVE-2022-41082) allows for remote code execution when an attacker has access to PowerShell; the second (CVE-2022-41040) is a Side Request Forgery (SSRF) vulnerability. Both vulnerabilities are being exploited in the wild.
See also:
- Microsoft acknowledges printer issues blocking Window 11 2022 Update
- Microsoft is blocking Windows 11 2022 Update because of blue screen issues
- Microsoft releases out-of-band KB5019311 update for Windows 11
Warning that it is "aware of limited targeted attacks using the two vulnerabilities to get into users' systems", Microsoft points out that in order to exploit the vulnerabilities an attacker would have to be authenticated on the target system. The company stresses that Microsoft Exchange Online customers have nothing to worry about.
For users of Microsoft Exchange Server 2013, 2016 and 2019, the advice is to apply the following URL Rewrite Instructions and block exposed Remote PowerShell ports. Microsoft says:
The current mitigation is to add a blocking rule in "IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions" to block the known attack patterns.
Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains.
In a post in the Microsoft Security Response Center, the following instructions are then provided:
- Open the IIS Manager
- Expand the Default Web Site
- Select Autodiscover
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rules
- Select Request Blocking and click OK
- Add String ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK
- Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions
- Change the condition input from {URL} to {REQUEST_URI}
Microsoft also advises blocking the ports HTTP: 5985 and HTTPS: 5986 for Remote PowerShell.
The company says that it is "working on an accelerated timeline to release a fix" but recommends implementing the mitigations in the meantime.
Image credit: liorpt / depositphotos