A few days ago, two new Microsoft Exchange Server vulnerabilities became known and are being actively exploited in a series of targeted attacks. Microsoft cannot yet offer a patch for the vulnerabilities - only a customer guide.
The first vulnerability, CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability that essentially opens the door for attackers to gain access to the Exchange Server. The second vulnerability, CVE-2022-41082, allows remote code execution (RCE) via PowerShell once an attacker has that access to the server. The Vietnamese company GTSC has also published various information about the vulnerabilities.
Sophos experts have investigated the vulnerabilities
This chain of attacks is similar to last year's ProxyShell attacks, and as with last year's attacks, the security industry is prepared for exploitation of these vulnerabilities now that they are public knowledge. To learn more about these vulnerabilities, there is a Sophos X-Ops blog post with technical explanations. In addition, Chester Wisniewski, Principal Research Scientist at Sophos, shares tips on how to protect systems until Microsoft has prepared the patch for these vulnerabilities (currently there is a customer guide).
Chester Wisniewski, Principal Research Scientist at Sophos: “After Microsoft confirmed two new zero-day vulnerabilities in Microsoft Exchange on Friday, security researchers have been investigating the potential impact and what to do to protect against exploitation. As of this writing, only an extremely small number of victims are known to be impacted by this vulnerability.”
Still no patches available
“This buys us all some time to implement fixes and prepare for patches as soon as Microsoft makes them available. For Exchange customers who are current with the September 2022 patches and updates, Microsoft has implemented a URL rewrite rule as a mitigation against the known attack to prevent it from working. Unfortunately, bypassing this nerf has proven to be trivial, so we're all still awaiting an official patch. IT teams should prepare to apply the patch as soon as possible after release.”
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of in-house analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.