Hackers can easily bypass mitigation for Microsoft Exchange security vulnerabilities
Late last week, Microsoft confirmed the existence of two actively exploited zero-day vulnerabilities in Exchange Server. Tracked as CVE-2022-41082 and CVE-2022-41040, both security flaws are worrying as they are known to be actively exploited.
While it works on a fix, Microsoft offered up instructions to mitigate the vulnerabilities. But it turns out that it is incredibly easy to bypass, with security experts warning that the method used is too specific, rendering it ineffective.
- Spotify is forcibly installing on Windows 10 and Windows 11 systems
- Microsoft releases KB5017389 update for Windows 11 2022 Update to fix dozens of problems
- Microsoft confirms two actively exploited zero-day vulnerabilities in Exchange Server
As reported by Bleeping Computer, at least two security researchers have criticized Microsoft's approach to blocking potential attacks. One describes the rules suggested by the company as being "unnecessarily precise", while another points out that "the URL pattern to detect/prevent the Exchange 0day provided in MSRC's blog post can easily be bypassed".
Security research @testanull jumped on the ease of bypassing Microsoft's mitigation very quickly, tweeting:
Another security researcher, Will Dormann, shared his analysis of the mitigations too:
The video he linked to demonstrates how easy it is to bypass the rule:
To boost security, note the suggestion to use the URL block
.*autodiscover\.json.*Powershell.* instead of Microsoft's proposal.