
Vulnerability Alert - Microsoft Exchange Server

TYPE
Vulnerabilities
SYSTEMS AFFECTED
Microsoft Exchange Server 2013, 2016, and 2019
ECOSYSTEM
Microsoft
Description

Two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) affecting Microsoft Exchange Server 2013, 2016, and 2019 have been identified.
CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability; CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.
The SSRF vulnerability enables an authenticated attacker to remotely trigger the RCE vulnerability. Note that authenticated access to the vulnerable Exchange Server is required to successfully exploit either vulnerability: the chain is not pre-authentication, but a low-privileged user account is sufficient.
These vulnerabilities are being actively exploited in the wild.
Microsoft Exchange Online has detections and mitigations in place, so Exchange Online customers do not need to take any action. Organizations running on-premises Exchange servers, including those in hybrid deployments, should apply the mitigations in the Resolution section below.


Impact

An authenticated attacker can exploit the SSRF vulnerability (CVE-2022-41040) to reach the Exchange PowerShell back end and achieve remote code execution (CVE-2022-41082) on the Exchange server.


Resolution

At the time of this alert no security update that fixes these vulnerabilities had been published; Microsoft recommends applying the mitigations described in [1] in the meantime.
Refer to [2] for the Indicators of Compromise (IOCs) and check your Exchange servers against them.
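One practical IOC check is to look in the IIS front-end logs for requests that reach the Autodiscover endpoint with "powershell" somewhere in the decoded request, which is the shape of the SSRF-to-PowerShell chain described above. The script below is an added example and is not part of this advisory or of the IOC list in [2]; the log lines, the IP addresses and the default log path are constructed or assumed for the example, and the column order is taken from the `#Fields:` header rather than hard-coded because it differs between servers.

```powershell
# Added example (not from this advisory or from [2]): scan IIS W3C logs for requests
# to /autodiscover/autodiscover.json whose decoded path or query contains "powershell".
# The field order is read from the "#Fields:" header line of each log file.

function Find-SuspiciousAutodiscoverRequests {
    param(
        [Parameter(Mandatory)] [string[]] $Lines
    )
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # Header line defines the column order for the data lines that follow.
            $fields = ($line.Substring(8).Trim() -split '\s+')
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($null -eq $fields) { continue }   # data before any header: columns unknown

        $values = $line -split '\s+'
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        # Decode before matching so percent-encoded variants are not missed.
        $stem  = [System.Uri]::UnescapeDataString($rec['cs-uri-stem'])
        $query = [System.Uri]::UnescapeDataString($rec['cs-uri-query'])
        if ($stem -match '/autodiscover/autodiscover\.json' -and
            ($stem + '?' + $query) -match 'powershell') {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                Status = $rec['sc-status']   # 200 means the request got past authentication
                Uri    = $stem + '?' + $query
            }
        }
    }
}

# Constructed sample log (default IIS field set); the last line is a benign Autodiscover call.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-01 08:15:20 10.0.0.5 GET /owa/ - 443 - 198.51.100.23 Mozilla/5.0+(constructed) - 200 0 0 44
2022-10-01 08:15:22 10.0.0.5 POST /autodiscover/autodiscover.json x=@example.test/powershell 443 - 203.0.113.7 Mozilla/5.0+(constructed) - 200 0 0 321
2022-10-01 08:15:30 10.0.0.5 POST /autodiscover/autodiscover.json x=@example.test/PowerShell 443 - 203.0.113.7 Mozilla/5.0+(constructed) - 401 0 0 12
2022-10-01 08:16:01 10.0.0.5 GET /autodiscover/autodiscover.json Email=user%40example.test 443 - 198.51.100.23 Mozilla/5.0+(constructed) - 200 0 0 25
'@ -split "`r?`n"

Find-SuspiciousAutodiscoverRequests -Lines $sample | Format-Table -AutoSize

# Against a real server (assumed default IIS log path; adjust the site id):
# Get-ChildItem -Path 'C:\inetpub\logs\LogFiles\W3SVC1' -Filter '*.log' -Recurse |
#     ForEach-Object { Find-SuspiciousAutodiscoverRequests -Lines (Get-Content $_.FullName) }
```

On the constructed input the function reports the two requests from 203.0.113.7 and leaves the ordinary Autodiscover lookup alone. The status column matters when triaging: a 401 is an attempt that never got past authentication, while a 200 on such a request warrants a full investigation of the host against the IOCs in [2].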

October 3, 2022 Update:
It is recommended to disable remote PowerShell access for non-admin users.
The Detection information in [3] has been updated.
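The recommendation to disable remote PowerShell for non-admin users can be applied from the Exchange Management Shell. The script below is an added example, not code from this advisory or from Microsoft, and it makes two assumptions that should be checked before running it: the role groups listed in `$AdminRoleGroups` are the ones your organization treats as administrative (so those accounts keep remote PowerShell and you do not lock yourself out), and the change is scoped to user mailboxes only, so system and arbitration accounts are left untouched.

```powershell
# Added example (not from this advisory or from Microsoft's guidance [1]): disable
# remote PowerShell for every mailbox user who is not a member of an Exchange admin
# role group, keeping a record so the change can be reverted once servers are patched.
# Run from the Exchange Management Shell on an on-premises Exchange 2013/2016/2019 server.
# Assumptions: the groups below are your "admin" groups (adjust before running);
# membership is read directly, so members of nested groups are not expanded.

$AdminRoleGroups = @(
    'Organization Management',
    'Recipient Management',
    'Server Management',
    'Hygiene Management',
    'Compliance Management',
    'Discovery Management',
    'Records Management',
    'Help Desk'
)

function Get-AdminUserDns {
    # Hashtable keyed by distinguished name of every direct member of the role
    # groups above. Group names that do not exist in this organization are skipped.
    $dns = @{}
    foreach ($group in $AdminRoleGroups) {
        if (-not (Get-RoleGroup -Identity $group -ErrorAction SilentlyContinue)) { continue }
        Get-RoleGroupMember -Identity $group -ResultSize Unlimited |
            ForEach-Object { $dns[$_.DistinguishedName] = $true }
    }
    return $dns
}

function Disable-NonAdminRemotePowerShell {
    param([switch] $Apply)   # without -Apply only a -WhatIf dry run is performed

    $adminDns = Get-AdminUserDns
    $targets = @(Get-User -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -and -not $adminDns.ContainsKey($_.DistinguishedName) })

    Write-Host ("{0} non-admin mailbox users currently have remote PowerShell enabled" -f $targets.Count)

    # Keep the list of affected accounts so the setting can be restored later with
    # Set-User -Identity <dn> -RemotePowerShellEnabled $true.
    $targets | Select-Object Name, DistinguishedName |
        Export-Csv -Path .\remote-powershell-disabled.csv -NoTypeInformation

    foreach ($u in $targets) {
        if ($Apply) {
            Set-User -Identity $u.DistinguishedName -RemotePowerShellEnabled $false
        } else {
            Set-User -Identity $u.DistinguishedName -RemotePowerShellEnabled $false -WhatIf
        }
    }
}

# Dry run first; re-run with -Apply after reviewing the CSV and the -WhatIf output.
Disable-NonAdminRemotePowerShell
```

Run the dry run, confirm that the exported list contains no account that needs remote PowerShell (service accounts used by automation are the usual surprise), and only then re-run with `-Apply`. Remote PowerShell is also the channel used by the Exchange Management Shell itself, which is why administrative accounts are excluded rather than disabled and re-enabled.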

October 5, 2022 Update:
Microsoft updated the Mitigations section of their blog article [1] with an improved URL Rewrite rule.
Review the full set of mitigations and apply the updated version of the rule, replacing any earlier version already in place.

References
Last updated on 07-09-2022