
DIVD-2022-00054 - ProxyNotShell - Microsoft Exchange SSRF and RCE

Our reference DIVD-2022-00054
Case lead Max van der Horst
Researcher(s)
CVE(s)
Product Microsoft Exchange
Versions Exchange Server 2013, 2016 and 2019.
Recommendation As long as there is no patch available, it is recommended to apply one of the mitigations suggested by Microsoft. Please find the Security Advisory at the end of the casefile.
Workaround Either apply a URL Rewrite Rule as suggested by the mitigations in the Security Advisory or disable remote PowerShell access for non-administrators.
Status Open
Last modified 08 Dec 2022 16:28

Summary

On September 30th 2022, GTSC Vietnam published a write-up on a discovered campaign utilizing a zero-day vulnerability in Microsoft Exchange. Shortly after, Microsoft published a security advisory alongside CVE IDs CVE-2022-41040 and CVE-2022-41082 with CVSS scores 8.8 and 6.3, respectively.

This vulnerability allows authenticated attackers to achieve Remote Command Execution when Exchange PowerShell is accessible. An attacker may achieve this through chaining CVE-2022-41040, an SSRF vulnerability, with CVE-2022-41082, which is the RCE vulnerability.

Exchange Online customers are protected against these attacks. Customers running an on-premises installation of Exchange Server 2013, 2016 and 2019 are advised to apply one of the suggested mitigations in the Security Advisory.

So far, Microsoft has observed a limited number of targeted attacks using these vulnerabilities. Because both vulnerabilities require authentication, mass exploitation is hard. Regardless, it is advised to mitigate these vulnerabilities as soon as possible, as exploitation could compromise the integrity, availability and confidentiality of affected systems.

What you can do

Companies running Exchange Server 2013, 2016 or 2019 (on-premises) should mitigate these vulnerabilities as soon as possible using the mitigations suggested in the advisory. Furthermore, on November 8th 2022, Microsoft released a security update for Exchange servers that addresses this issue.

If you have been running Exchange Server, we recommend checking your server logs for any suspicious activity, such as installation of the Chopper web shell or execution of arbitrary PowerShell commands.

The mitigations suggested by Microsoft, aside from installing the security update, include disabling remote access to PowerShell for non-administrator users and applying a URL Rewrite Rule. For guidance on implementing these mitigations, view the Security Advisory. Moreover, Microsoft has provided detection rules for both vulnerabilities; for these, view Microsoft's blog post on this topic.
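The second mitigation above, disabling remote PowerShell for non-administrators, can be rolled out across an organization with the Exchange Management Shell. The script below is an added example written for this case file; it is not code from DIVD or from Microsoft's advisory. It assumes it runs in the Exchange Management Shell on an on-premises server, and it treats members of the built-in role groups listed in $AdminRoleGroups as administrators (the group list and the variable names are the example's own choices, not something the advisory prescribes).

```powershell
# Added example (not from the DIVD case file or Microsoft's advisory):
# turn off remote PowerShell for every mailbox user who is not a member of
# an Exchange admin role group. Assumes the Exchange Management Shell on an
# on-premises Exchange 2013/2016/2019 server.

# Built-in role groups whose members keep remote PowerShell (assumed list;
# extend it with any custom admin role groups in your organization).
$AdminRoleGroups = @('Organization Management', 'Recipient Management', 'Server Management')

# Collect the distinguished names of every direct member of those groups.
$AdminDns = foreach ($group in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $group -ResultSize Unlimited |
        Select-Object -ExpandProperty DistinguishedName
}
$AdminSet = [System.Collections.Generic.HashSet[string]]::new([string[]]$AdminDns)

# Mailbox users that still have remote PowerShell enabled and are not admins.
$Targets = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and -not $AdminSet.Contains($_.DistinguishedName) }

"Found $($Targets.Count) non-admin users with remote PowerShell enabled."

# Dry run: -WhatIf only reports what would change. Remove it to apply.
foreach ($user in $Targets) {
    Set-User -Identity $user.DistinguishedName -RemotePowerShellEnabled $false -WhatIf
}
```

Run it once with -WhatIf and review the list before removing the switch. Get-RoleGroupMember returns direct members only, so an administrator whose access comes through a nested security group would not be recognised as an admin by this script and would need to be added to the exclusion set by hand; the setting can be restored per user with Set-User -RemotePowerShellEnabled $true.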

What we are doing

We are actively scanning the internet for Exchange instances that do not have the mitigations applied and will notify system owners via the listed abuse contacts.

Timeline

Date Description
30 Sep 2022 DIVD takes notice of published write-up on ProxyNotShell.
04 Oct 2022 DIVD starts scanning for vulnerable Exchange instances.
05 Oct 2022 First version of this case file.
05 Oct 2022 First explorative scan.
06 Oct 2022 First scan with fingerprint.
06 Oct 2022 Mitigation bypass found for vulnerabilities, changing approach to scanning.
06 Oct 2022 Decision to reiterate on ProxyShell and ProxyOracle cases.
17 Oct 2022 First version of notification email.
26 Oct 2022 First mail run completed.
08 Nov 2022 Microsoft releases a security update addressing this vulnerability.
09 Nov 2022 Vulnerability exploited in the wild.

More information