{"id":17567,"date":"2022-11-24T16:14:14","date_gmt":"2022-11-24T10:44:14","guid":{"rendered":"https:\/\/www.stellarinfo.co.in\/blog\/?p=17567"},"modified":"2022-12-09T11:47:00","modified_gmt":"2022-12-09T06:17:00","slug":"exchange-server-zero-day-vulnerability","status":"publish","type":"post","link":"https:\/\/www.stellarinfo.co.in\/blog\/exchange-server-zero-day-vulnerability\/","title":{"rendered":"How To Recover Data After Exchange Server Zero Day Vulnerability?"},"content":{"rendered":"\n\n\n
Confirmation has recently come in about a new <\/span>Microsoft Exchange Server vulnerability, 2022<\/b>, and that these two vulnerabilities affect the following MS Exchange servers: 2013, 2016, and 2019.\u00a0<\/span><\/p>\n

In their official report on the matter,<\/a><\/strong> Microsoft has identified the two vulnerabilities as <\/span>CVE 2022 41040<\/b> and <\/span>CVE 2022 41082<\/b>.<\/span><\/p>\n

CVE 2022 41040<\/b> is an SSRF \u2014 a server-side request forgery and the second<\/span><\/p>\n

CVE 2022 41082 <\/b>is an <\/span>RCE vulnerability<\/b> \u2014 RCE is short for remote code execution.<\/span><\/th>\n<\/tr>\n<\/tbody>\n<\/table>\n

Table of Content:<\/strong><\/p>\n

    \n
  1. What Are The Vulnerabilities?<\/strong><\/a><\/li>\n
  2. How Can The Risk Of Vulnerability Be Mitigated?<\/strong><\/a><\/li>\n
  3. How To Recover Your Server After An Attack?<\/strong><\/a><\/li>\n
  4. Wrapping Up<\/strong><\/a><\/li>\n<\/ol>\n

    What Are The Vulnerabilities?<\/strong><\/h2>\n

    SSRFs make server-side applications send requests to an unauthorized\/ unintended location, and can result in access controls for \/admin being bypassed when the request is returned to the user.<\/span><\/p>\n

    The RCE <\/span>CVE 2022 41082<\/b> Microsoft Exchange Server remote code execution vulnerability, (2022) <\/b>allows for malicious code to be executed within server-side applications from the powershell of authorized users that possess admin privileges.<\/span><\/p>\n

    Microsoft is \u201cworking on an accelerated timeline to release a fix. Until then, we\u2019re providing mitigation advice in order to help customers shield themselves from these attacks\u201d, according to their statements.<\/span><\/p>\n

    This blog post by the Microsoft defense team<\/a><\/strong> contains a detailed analysis of how and where the vulnerabilities are exploited and how they work.<\/span><\/p>\n

    The <\/span>CVE 2022 41040<\/b> vulnerability can only be deployed and exploited by users that are authorized, and they can then use <\/span>CVE 2022 41040<\/b> to trigger the RCE (<\/span>CVE 2022 41082<\/b>) vulnerability, which they then use to launch their PowerShell code.<\/span><\/p>\n

    According to the Vietnamese outfit, GTSC ,that first discovered the vulnerabilities, the ongoing attacks that are exploiting these vulnerabilities may originate from a chinese-backed hacker group, because the powershell code that was deployed to exploit the <\/span>Microsoft Exchange vulnerability, 2022<\/b> used a microsoft character encoding for simplified Chinese.<\/span><\/p>\n

    The vulnerabilities were reported on the zero day exchange website, <\/span>which can be accessed here<\/a><\/strong>.<\/span><\/p>\n

    How Can The Risk Of Vulnerability Be Mitigated?<\/strong><\/h3>\n

    Firstly, and this goes without saying, admins need to <\/span>block all exposed and unnecessary Powershell ports that have remote access authorized<\/span>.<\/span><\/p>\n

    Secondly, there has also been released a series of guidelines concerning <\/span>Exchange zero-day mitigation<\/b> by way of URL rewrite instructions, which should be deployed as soon as possible, and followed to a T.<\/span><\/p>\n

    The advised mitigation to reduce exchange server vulnerability, for now is to add blocking scenarios (blocking rules) to the IIS (Internet Information Services) manager in the following path:<\/span><\/p>\n

    \u201cInternet Information Services Manager >> Default Site >> Autodiscover >> URL Rewrite >> Actions\u201d and then block the attack patterns that are known.<\/i><\/b><\/p>\n\n\n\n\n\t\n\n\t\n\t
    S. No.<\/th>Vulnerability<\/th>Patch<\/th>Affected Servers<\/th>\n<\/tr>\n<\/thead>\n
    1<\/td>CVE 2022 41040<\/td>Available, Use EOMT<\/td>2013 - 2019<\/td>\n<\/tr>\n
    2<\/td>CVE 2022 41082<\/td>Unavailable, Block Ports<\/td>2013 - 2019 including R2<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n\n

    \"Exchange<\/p>\n

    That was the general form, but to apply the mitigation protocol to servers to stop the <\/span>Microsoft Exchange Server vulnerability (2022), <\/b>the following steps need to be followed:<\/span><\/p>\n

      \n
    1. Launch The Internet Information Services Manager.<\/span><\/li>\n
    2. Click on and expand the \u201cDefault Website\u201d.<\/span><\/li>\n
    3. Select \u201cAutodiscover\u201d.<\/span><\/li>\n
    4. Navigate to the \u201cFeature\u201d view panel.<\/span><\/li>\n
    5. Click on \u201cRewrite\u201d.<\/span><\/li>\n
    6. On the right side, you will see a panel labeled \u201cactions\u201d. Here, click on \u201cadd rules\u201d.<\/span><\/li>\n
    7. Select \u201cRequest Blocking\u201d<\/span><\/li>\n
    8. Add a string: \u201c.*autodiscover\\.json.*\\@.*Powershell.\u201d, barring the quotes.<\/span><\/li>\n
    9. Expand this new rule you just created, and select \u201cEdit Under Conditions\u201d.<\/span><\/li>\n
    10. Change the input conditional operator to REQUEST_URL from URL.<\/span><\/li>\n<\/ol>\n

      Under the <\/span>Microsoft Exchange vulnerability (2022)<\/b>, infiltrators can also make use of the mentioned RCE (<\/span>CVE 2022 41082<\/b>), which is why Microsoft Defence Services also recommends blocking the following ports to make infiltration and exploitation harder:<\/span><\/p>\n