New Microsoft Exchange Zero-Days CVE-2022-41040 & CVE-2022-41082
New Microsoft Exchange zero-day vulnerabilities have been reported affecting Exchange Server versions 2013, 2016, and 2019. As confirmed by Microsoft, "The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker." Both vulnerabilities require the attacker to be authenticated. The typical attack route exploits CVE-2022-41040 and then triggers remote code execution via CVE-2022-41082. The vulnerabilities were discovered by the Vietnamese cybersecurity firm GTSC, which reported them to Microsoft.
Researchers from GTSC observed exploitation of the vulnerabilities in early August 2022 against a critical infrastructure organization. The GTSC blue team was able to detect the attack because an existing ProxyShell alert triggered on the following string: "autodiscover/autodiscover.json?@evil[.]com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil[.]com". Although the string was related to ProxyShell, the servers monitored by GTSC had been updated against the ProxyShell vulnerability. Despite that remediation, the GTSC Red team discovered that the exploitation was able "to use the above path to access a component in the Exchange backend and perform RCE."
In the post-exploitation stage, the attackers created persistence, performed lateral movement, and used various web shells, including China Chopper. Various files were downloaded onto the victim host using certutil and executed with WMIC. Several downloaded DLL files were injected into memory. The attacker(s) also used executables for credential access and collection; however, GTSC was unable to recover the files for analysis.
A fix is not yet available from Microsoft; however, detection and mitigation options are provided in Microsoft's security advisory. Recommended detection strategies include alerting on the string “.*autodiscover\.json.*\@.*Powershell.*” and detecting web shells.
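One way to apply the recommended string alert to IIS logs, as an added example that is not from Microsoft or GTSC. It assumes W3C-format logs with a `#Fields:` header, and it adds case-insensitive matching and URL-decoding so that `%40` and `%3f` cannot hide the `@` and `?`; the function name and the log sample are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Pattern quoted on the page; case-insensitive matching is an assumption added here.
PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)

# Constructed IIS W3C log sample (not real traffic); example.test and the
# 192.0.2.x / 198.51.100.x addresses are documentation placeholders.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:01:12 192.0.2.10 GET /owa/auth/logon.aspx url=https://mail.example.test/owa 443 - 198.51.100.7 Mozilla/5.0 200
2022-09-30 08:02:40 192.0.2.10 POST /autodiscover/autodiscover.json @example.test/PowerShell/&Email=autodiscover/autodiscover.json%3f@example.test 443 - 198.51.100.23 python-requests 200
2022-09-30 08:03:05 192.0.2.10 POST /autodiscover/autodiscover.json %40example.test/powershell/&Email=autodiscover/autodiscover.json%3F%40example.test 443 - 198.51.100.23 python-requests 401
2022-09-30 08:04:19 192.0.2.10 POST /autodiscover/autodiscover.xml - 443 user1 198.51.100.9 Microsoft+Office 200
2022-09-30 08:05:00 192.0.2.10 GET /powershell - 443 - 198.51.100.9 Mozilla/5.0 401
"""


def find_hits(log_text):
    """Return (line_number, client_ip, status, decoded_uri) for matching requests."""
    fields, hits = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, values))
        query = row.get("cs-uri-query", "-")  # IIS logs "-" for an empty query
        uri = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
        decoded = unquote(uri)  # normalise percent-encoding before matching
        if PATTERN.search(decoded):
            hits.append((lineno, row.get("c-ip"), row.get("sc-status"), decoded))
    return hits


if __name__ == "__main__":
    for lineno, client, status, uri in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: {client} status={status} {uri}")
```

Each hit carries the client IP and response status, which is where triage of a matching request would start.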