-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2022.0191.3
                Microsoft Exchange Server RCE vulnerability
                              7 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Microsoft Exchange Server
Operating System: Windows
Resolution:       Mitigation
CVE Names:        CVE-2022-41082 CVE-2022-41040 

Comment: CVSS (Max):  8.8 CVE-2022-41082 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

Revision History: October    7 2022: Microsoft has made significant updates to its advisory
                  October    3 2022: Official advisories with mitigation and detection details released by Microsoft
                  September 30 2022: Initial Release

OVERVIEW

        News is currently emerging regarding possible Microsoft Exchange Server
        zero-day vulnerabilities. Initial details were published by the Vietnamese
        security firm GTSC on September 29, 2022 [1].
        
        Various other news sites and Twitter accounts have added to the commentary,
        including several reputable sources such as Rapid7 [2] and TrendMicro [3].
        
        UPDATE 03/10/22: Microsoft has now confirmed these claims, and released detailed 
        information regarding the vulnerabilities including mitigation details, detection 
        and threat-hunting advice [7][8].
        
        UPDATE 07/10/22: Microsoft has provided further modifications and updates to its 
        previous advice [7].
        
        For other relevant articles, please refer to references [4][5][6].


IMPACT

        Various sources have claimed that the vulnerabilities, if exploited, could lead
        to remote code execution [1][3].
        Initial CVSS scores were reported as ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3) [3].
        UPDATE 03/10/22: Microsoft has now published CVE details with CVSS scores [9][10].


MITIGATION

        It is always recommended to apply the vendor's patches as soon as possible after they
        are released, subject to appropriate testing and protocols within your environment.
        Unfortunately, there are currently no patches available from Microsoft.
        There have been suggestions that many Exchange Servers have not yet been fully patched
        for the earlier ProxyShell vulnerabilities [6], so it may also be wise to review and
        remediate any outstanding issues.
        
        GTSC has released various detection IOCs and containment measures [1], as has TrendMicro [3].
        Other vendors have likely released similar details, so it is recommended to check with the
        relevant companies and download the latest signatures.
        
        UPDATE 03/10/22: Microsoft has now released advisories with mitigation measures and detection advice [7][8].
        
        AusCERT has compiled the IOCs from the GTSC report into a MISP event (details below),
        which members who have subscribed to this service can download and incorporate into
        relevant security appliances or workflows.
        * AusISAC MISP - event 14182
        * AHECS ISAC - event 16067
        
        Keeping informed of the progression of this issue and of any further mitigation advice 
        or patch availability from AV vendors and Microsoft is strongly encouraged.  
        
        UPDATE 03/10/22: Please refer to the latest advice from Microsoft, updated most recently on October 2 [7].
        
        UPDATE 07/10/22: Microsoft has further updated its advisory on October 4, 5 and 6 [7].


REFERENCES

        [1] Warning: New attack campaign utilized a new 0-day RCE vulnerability
            on Microsoft Exchange Server
            https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

        [2] Suspected Post-Authentication Zero-Day Vulnerabilities in Microsoft
            Exchange Server
            https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/

        [3] SECURITY ALERT: Attack Campaign Utilizing Microsoft Exchange 0-Day
            https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US

        [4] Stop us if you've heard this one before: Exchange Server zero-day
            being actively exploited
            https://www.theregister.com/2022/09/30/exchange_server_zero_day/

        [5] Researcher warns of new zero-day in Microsoft Exchange under
            exploit
            https://itwire.com/business-it-news/security/researcher-warns-of-new-zero-day-in-microsoft-exchange-under-exploit.html

        [6] ZDI-CAN-18333 aka ProxyNotShell - the story of the claimed zero day
            in Microsoft Exchange
            https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

        [7] Customer Guidance for Reported Zero-day Vulnerabilities in
            Microsoft Exchange Server
            https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

        [8] Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040
            and CVE-2022-41082
            https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

        [9] Microsoft Exchange Server Elevation of Privilege Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040

        [10] Microsoft Exchange Server Remote Code Execution Vulnerability
             https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----