Microsoft Exchange Zero-Day Exploit: Experts Say Mitigation isn’t Enough

Microsoft has shared mitigations for two new Microsoft Exchange zero-day elevation of privelege vulnerability, tracked as CVE-2022-41040, and remote execution vulnerability (CVE-2022-41082). However, security researchers warn that the mitigation for on-premise servers is far from enough.

Hackers already exploiting the zero-day exploits

According to claims made by security researchers at Vietnamese cybersecurity outfit GTSC, who first spotted and reported the attacks, the attackers are using the two zero-day exploits to deploy web shells for persistence, data theft, and to allow them to move laterally on compromised networks.

In the report, the researchers noted: “The vulnerability turns out to be so critical that it allows the attacker to do RCE on the compromised system,”

GTSC released little details regarding the two zero-day exploits. Their researchers shared some insights about the requests used in this exploit chain and how it’s similar to the ones used in attacks targeting the ProxyShell vulnerabilities.

According to the report, the exploit works in two stages:

1. Requests with a similar format to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com.
2. Using the above link to access a backend component where the RCE could be implemented.

Experts say temporary mitigation is inefficient and can be bypassed

Until the vulnerabilities are patched, Microsoft shared the following temporary mitigation measures:

1. Open the IIS Manager.
2. Select Default Web Site.
3. In the Feature View, click URL Rewrite.
4. Click Add Rules in the Actions pane on the right-hand side.
5. Click Request Blocking and then click OK.
6. Add the string “.autodiscover.json.*@.*Powershell.” (excluding quotes) and then click OK.
7. Expand the rule and select the rule with the pattern “autodiscover.json.*@.*Powershell.” and click Edit under Conditions.
8. Change the Condition input from {URL} to {REQUEST_URI}

In a tweet, security researcher Jang showed that Microsoft’s temporary mitigation solution is inefficient and can be bypassed easily. Jang’s findings were later verified by other security researchers and GTSC who confirmed that Microsoft’s proposed measures aren’t enough to prevent exploitation of the two vulnerabilities.

No patch currently available

At the time of publishing this, Microsoft has not announced any patch for CVE-2022-41040 and CVE-2022-41082. Both vulnerabilities have a severity score of 8.8/10.