DIVD-2022-00054 - ProxyNotShell - Microsoft Exchange SSRF and RCE
| Our reference | DIVD-2022-00054 |
| Case lead | Max van der Horst |
| Researcher(s) |
|
| CVE(s) | |
| Product | Microsoft Exchange |
| Versions | Exchange Server 2013, 2016 and 2019. |
| Recommendation | As long as there is no patch available, it is recommended to apply one of the mitigations suggested by Microsoft. Please find the Security Advisory at the end of the casefile. |
| Workaround | Either apply a URL Rewrite Rule as suggested by the mitigations in the Security Advisory or disable remote PowerShell access for non-administrators. |
| Status | Closed |
| Last modified | 11 Apr 2023 14:23 |
Summary
On September 30th 2022, GTSC Vietnam published a write-up on a discovered campaign utilizing a zero-day vulnerability in Microsoft Exchange. Shortly after, Microsoft published a security advisory alongside CVE IDs CVE-2022-41040 and CVE-2022-41082 with CVSS scores 8.8 and 6.3, respectively.
This vulnerability allows authenticated attackers to achieve Remote Command Execution when Exchange PowerShell is accessible. An attacker may achieve this through chaining CVE-2022-41040, an SSRF vulnerability, with CVE-2022-41082, which is the RCE vulnerability.
Exchange Online customers are protected against these attacks. Customers running an on-premises installation of Exchange Server 2013, 2016 and 2019 are advised to apply one of the suggested mitigations in the Security Advisory.
So far, Microsoft has observed a limited amount of targeted attacks using these vulnerabilities. Because both vulnerabilities require authentication, mass-exploitation is hard. Regardless, it is advised to mitigate these vulnerabilities as soon as possible as exploitation could lead to the compromise of integrity, availability and confidentiality on systems.
What you can do
Companies running Exchange Server 2013, 2016 or 2019 (on-premises) should mitigate these vulnerabilities as soon as possible using the mitigations suggested in the advisory. Furthermore, on November 8th 2022, Microsoft released a security update for Exchange servers that address this issue.
If you have been running Exchange Server, we recommend to check your server logs for any suspicious activity such as installation of the Chopper Web Shell or any arbitrary PowerShell commands.
The suggested mitigations by Microsoft, aside from installing the security update, include disabling remote access to PowerShell for non-administrator users and using a URL Rewrite Rule. For guidance on implementing these mitigations, view the Security Advisory. Moreover, detection rules for both vulnerabilities have been provided by Microsoft. For these, view Microsoft’s blogpost on this topic.
What we are doing
We are actively scanning the internet for Exchange instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.
Timeline
| Date | Description |
|---|---|
| 30 Sep 2022 | DIVD takes notice of published write-up on ProxyNotShell. |
| 04 Oct 2022 | DIVD starts scanning for vulnerable Exchange instances. |
| 05 Oct 2022 | First version of this case file. |
| 05 Oct 2022 | First explorative scan. |
| 06 Oct 2022 | First scan with fingerprint. |
| 06 Oct 2022 | Mitigation bypass found for vulnerabilities, changing approach to scanning. |
| 06 Oct 2022 | Decision to reiterate on ProxyShell and ProxyOracle cases. |
| 17 Oct 2022 | First version of notification email. |
| 26 Oct 2022 | First mail run completed. |
| 08 Nov 2022 | Microsoft releases a security update addressing this vulnerability. |
| 09 Nov 2022 | Vulnerability exploited in the wild. |
| 07 Feb 2022 | DIVD performs a second scan to find remaining vulnerable parties. |
| 08 Feb 2022 | Second mail run with reminders completed. |
| 10 Apr 2023 | Last control scan has been conducted. |
| 10 Apr 2023 | Case closed. |