Microsoft confirmed on September 30 that it is investigating two zero-day vulnerabilities affecting Exchange Server 2013, 2016 and 2019. Together, these versions account for more than 200,000 installations in enterprises worldwide. Microsoft goes on to say it has confirmed that a single threat group, possibly state-sponsored, is exploiting both vulnerabilities by chaining them. Microsoft adds that the CVE-2022-41040 and CVE-2022-41082 chain attacks facilitated “manual keyboard access, which attackers used to perform Active Directory discovery and data extraction.” While Microsoft says it has observed these attacks against ten organizations so far, given the size of the Exchange Server user base and the fact that the vulnerabilities are now public, the potential for further attacks is high.
The risk is significant
Accordingly, Mike Walters, vice president of vulnerability and threat research at Action1, warned that “the risk from these zero days is significant” for many SMEs and businesses with “vast amounts of critical data”. Security researchers at GTSC were the first to reveal that the attacks were ongoing.
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while CVE-2022-41082 allows remote code execution (RCE) via PowerShell. The former is used to trigger the latter in an exploit chain if the attacker is authenticated at the user level on the Exchange Server.
CISA advises Exchange Server users and administrators to act now
The Cybersecurity and Infrastructure Security Agency (CISA) issued a statement urging both users and administrators to implement mitigation measures pending an official patch from Microsoft. Microsoft is working on releasing it as soon as possible, although no timeline has been given yet. Microsoft further confirmed that the vulnerabilities affect on-premises Exchange Server installations only and that Exchange Online users are not affected.
Microsoft has released a script for on-premises customers that mitigates the exploited SSRF vector, and has pushed an automatic URL rewrite mitigation to customers of the Exchange Emergency Mitigation Service (EEMS).
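The URL rewrite mitigation mentioned above works by matching the request URI of the SSRF vector. As an added example (not code from the article or from Microsoft), the Python below runs two such patterns over constructed IIS log lines and shows why the match should run on the URL-decoded URI: the first pattern, which requires a literal "@", misses a percent-encoded request that the revised lookahead pattern catches. The two regexes follow the initial and revised rewrite rules Microsoft published for this issue; the log lines and hostnames are constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (not real traffic). Fields:
# date time cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_IIS_LOG = """\
2022-09-30 10:15:01 GET /owa/auth/logon.aspx - 200
2022-09-30 10:15:07 POST /autodiscover/autodiscover.json @contoso.example/powershell 200
2022-09-30 10:15:09 POST /autodiscover/autodiscover.json x=%40contoso.example%2Fpowershell 200
2022-09-30 10:15:12 POST /autodiscover/autodiscover.json @contoso.example/powershell 401
"""

# Initial rewrite pattern: literal '@' and 'Powershell' matched on the raw URI.
NAIVE_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)
# Revised pattern: two lookaheads, no '@', meant to run on the URL-decoded URI.
HARDENED_PATTERN = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)


def parse_iis_line(line):
    """Return (method, uri, status) for one log line, or None if it is too short."""
    parts = line.split()
    if len(parts) < 6:
        return None
    _date, _time, method, stem, query, status = parts[:6]
    uri = stem if query == "-" else f"{stem}?{query}"
    return method, uri, int(status)


def hunt(log_text, pattern, decode):
    """Flag requests whose URI matches the SSRF-vector pattern.

    decode=True percent-decodes the URI before matching; that single step is
    what lets the hardened pattern catch the encoded variant on line 3.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_iis_line(line)
        if rec is None:
            continue
        _method, uri, status = rec
        candidate = unquote(uri) if decode else uri
        if pattern.search(candidate):
            # sc-status 200 means the request reached the backend, i.e. neither a
            # rewrite rule nor a patch stopped it; anything else was rejected.
            hits.append({"line": n, "uri": candidate,
                         "status": status, "served": status == 200})
    return hits


if __name__ == "__main__":
    for label, pat, dec in (("raw", NAIVE_PATTERN, False),
                            ("decoded", HARDENED_PATTERN, True)):
        print(label, [h["line"] for h in hunt(SAMPLE_IIS_LOG, pat, dec)])
```

Run against real IIS logs, the `served` flag separates blocked attempts from requests that actually reached the Exchange backend, which is the subset that warrants a closer look.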