===========================================================================
             AUSCERT Security Bulletin ASB-2022.0191.3
             Microsoft Exchange Server RCE vulnerability
                           7 October 2022
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Microsoft Exchange Server
Operating System:  Windows
Resolution:        Mitigation
CVE Names:         CVE-2022-41082 CVE-2022-41040

Comment: CVSS (Max):  8.8 CVE-2022-41082 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C)
         CVSS Source: Microsoft
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:U/RC:C

Revision History:  October    7 2022: Microsoft has made significant updates to its advisory
                   October    3 2022: Official advisories with mitigation and detection details released by Microsoft
                   September 30 2022: Initial Release

OVERVIEW

        News is currently emerging regarding possible Microsoft Exchange Server
        zero-day vulnerabilities. Initial details were published by Vietnamese
        security firm GTSC on September 29, 2022 [1]. Various other news sites
        and Twitter accounts have added to the commentary, including several
        reputable sources such as Rapid7 [2] and Trend Micro [3].

        UPDATE 03/10/22: Microsoft has now confirmed these claims and released
        detailed information regarding the vulnerabilities, including
        mitigation details, detection and threat-hunting advice [7][8].

        UPDATE 07/10/22: Microsoft has provided further modifications and
        updates to its previous advice [7].

        For other relevant articles, please refer to references [4][5][6].

IMPACT

        Various sources have claimed that the vulnerabilities, if exploited,
        could lead to remote code execution [1][3]. Initial CVSS scores were
        reported as ZDI-CAN-18333 (CVSS 8.8) and ZDI-CAN-18802 (CVSS 6.3) [3].

        UPDATE 03/10/22: Microsoft has now published CVE details with CVSS
        scores [9][10].
MITIGATION

        It is always recommended to apply the vendor's patches as soon as
        possible after they are released, subject to appropriate testing and
        protocols within your environment. Unfortunately, there are currently
        no patches available from Microsoft.

        There have been suggestions that many Exchange Servers have not yet
        been fully patched for the earlier ProxyShell vulnerabilities [6], so
        it may also be wise to review and remediate any outstanding issues.

        GTSC has released various detection IOCs and containment measures [1],
        as has Trend Micro [3]. Other vendors have likely released similar
        details, so it is recommended to check with the relevant companies and
        download the latest signatures.

        UPDATE 03/10/22: Microsoft has now released advisories with mitigation
        measures and detection advice [7][8].

        AusCERT has compiled the IOCs from the GTSC report into a MISP event
        (details below), which members subscribed to this service can download
        and incorporate into relevant security appliances or workflows.

        * AusISAC MISP - event 14182
        * AHECS ISAC   - event 16067

        Keeping informed of the progression of this issue and of any further
        mitigation advice or patch availability from AV vendors and Microsoft
        is strongly encouraged.

        UPDATE 03/10/22: Please refer to the latest advice from Microsoft,
        updated most recently on October 2 [7].

        UPDATE 07/10/22: Microsoft has further updated its advisory on
        October 4, 5 and 6 [7].
REFERENCES

        [1] Warning: New attack campaign utilized a new 0-day RCE vulnerability
            on Microsoft Exchange Server
            https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

        [2] Suspected Post-Authentication Zero-Day Vulnerabilities in Microsoft
            Exchange Server
            https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/

        [3] SECURITY ALERT: Attack Campaign Utilizing Microsoft Exchange 0-Day
            https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US

        [4] Stop us if you've heard this one before: Exchange Server zero-day
            being actively exploited
            https://www.theregister.com/2022/09/30/exchange_server_zero_day/

        [5] Researcher warns of new zero-day in Microsoft Exchange under exploit
            https://itwire.com/business-it-news/security/researcher-warns-of-new-zero-day-in-microsoft-exchange-under-exploit.html

        [6] ZDI-CAN-18333 aka ProxyNotShell? The story of the claimed zero day
            in Microsoft Exchange
            https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9

        [7] Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft
            Exchange Server
            https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

        [8] Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040
            and CVE-2022-41082
            https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/

        [9] Microsoft Exchange Server Elevation of Privilege Vulnerability
            https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040

        [10] Microsoft Exchange Server Remote Code Execution Vulnerability
             https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082

AusCERT has made every effort to ensure that the information contained in
this document is accurate.
However, the decision to use the information described is the responsibility
of each user or organisation. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each user
or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================