Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

November 8, 2022 update – Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. We recommend that customers protect their organizations by applying the updates immediately to affected systems. The options described in the Mitigations section are no longer recommended. For more information, review the Exchange Team blog.

Summary

On November 8 Microsoft released security updates for two zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

Microsoft Security Threat Intelligence teams have provided further analysis of observed activity along with detection and hunting guidance in a Microsoft Security blog.

Mitigations

Exchange Online customers do not need to take any action.

We strongly recommend applying the Exchange Server updates for CVE-2022-41040 and CVE-2022-41082. The mitigations below are no longer recommended.

Previously, we recommended Exchange Server customers should complete both the URL Rewrite rule mitigation for CVE-2022-41040 and the Disable remote PowerShell for non-admins mitigation for CVE-2022-41082 described below.

URL Rewrite rule

The previous Exchange Server mitigation was to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns.

Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation is enabled automatically and is updated to include the URL Rewrite rule improvements. Please see this blog post for more information on this service and how to check active mitigations.

Option 2: Microsoft created the EOMTv2 script for the URL Rewrite mitigation steps and updated it to include the URL Rewrite rule improvements. EOMTv2 script will auto-update on Internet connected machines and the updated version will show as 22.10.07.2029. The script should be re-run on any Exchange Server without EEMS enabled. https://aka.ms/EOMTv2 

Option 3: Customers can follow the instructions below, which include the step 6 string update. A previously created rule for this mitigation can be deleted after the steps below are followed.

1. Open IIS Manager. 
2. Select Default Web Site.
3. In the Feature View, click URL Rewrite.

4. In the Actions pane on the right-hand side, click Add Rule(s)…  

5. Select Request Blocking and click OK. 

6. Add the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes).
7. Select Regular Expression under Using.
8. Select Abort Request under How to block and then click OK.

9. Expand the rule and select the rule with the pattern: (?=.*autodiscover)(?=.*powershell) and click Edit under Conditions

10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK. 

NOTE: If you need to change any rule it is best to delete and recreate it.

Impact: There is no known effect on Exchange functionality if URL Rewrite is installed as recommended. 

Disable remote PowerShell access for non-admins

Previously, we strongly recommended Exchange Server customers disable remote PowerShell access for non-admin users in your organization to mitigate one of the vulnerabilities. While this is not necessary with the application of released updates, you may choose to do this to disable protocols that might not be in use. Guidance on how to do this for single user or multiple users is available here.  

Detection and advanced hunting

For detection and advanced hunting guidance, customers should reference Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082.