GTSC security researchers have discovered two new vulnerabilities in Microsoft Exchange Server that together allow remote code execution (RCE). Working exploits are already in use in the wild. Microsoft was notified of the vulnerabilities and commented: “Currently Microsoft is aware of limited targeted attacks”.
Around early August 2022, while providing security monitoring and incident response services, the GTSC SOC team discovered that a critical-infrastructure customer was under attack, specifically its Microsoft Exchange deployment. During the investigation, GTSC Blue Team experts determined that the attack exploited an unpublished Exchange vulnerability (a 0-day) and therefore immediately developed a temporary containment plan.
At the same time, Red Team experts began analysing and debugging decompiled Exchange code to locate the vulnerability and the exploit code. Experience from finding the previous Exchange exploit shortened the research time, so the vulnerability was found quickly. The vulnerability is critical because it allows an attacker to achieve remote code execution (RCE) on the compromised system. GTSC immediately submitted the vulnerability to the Zero Day Initiative (ZDI) to work with Microsoft, as this is the only way to get a patch prepared as quickly as possible. ZDI has verified and confirmed the two bugs, which have CVSS scores of 8.8 and 6.3. GTSC provides an approximate description of the vulnerabilities on its website.
Microsoft comments on the vulnerabilities
Microsoft has very quickly published customer guidance on the reported zero-day vulnerabilities in Microsoft Exchange Server. “Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Microsoft is currently aware of limited targeted attacks that exploit the two vulnerabilities to penetrate users' systems. In these attacks, CVE-2022-41040 can allow an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that to successfully exploit either vulnerability, authenticated access to the vulnerable Exchange server is required.
No patches available yet
We are working on an accelerated schedule for a fix release. Until then, we are providing the mitigation and detection guidance below to help customers protect against these attacks.”
More at Gteltsc.vn