Microsoft Exchange Server users should apply mitigations as attacks begin
Microsoft confirmed on September 30 that it is investigating two zero-day vulnerabilities affecting on-premises Exchange Server 2013, 2016 and 2019, software with more than 200,000 installations at companies around the world. Microsoft says a single threat group, likely state-sponsored, has been confirmed to exploit both vulnerabilities, CVE-2022-41040 and CVE-2022-41082, by chaining them together, and that the chained attacks gave the attackers “hands-on-keyboard access, which attackers used to perform reconnaissance and exfiltration of Active Directory data.” Microsoft says it has seen such attacks against ten organizations so far, but given the size of the Exchange Server user base and the fact that the vulnerabilities are now public, the potential for more attacks is high.
The risk is significant
Mike Walters, Action1’s vice president of vulnerability and threat research, has warned that “the risk of these zero days is significant” for many SMEs and enterprises with “a large amount of critical data”. Security researchers at GTSC were the first to report that the attacks were ongoing.
CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability, while CVE-2022-41082 allows remote code execution (RCE) when the attacker can reach Exchange's PowerShell remoting endpoint. In the chained exploit, the SSRF is used to reach that endpoint and trigger the RCE, but only after the attacker has authenticated to Exchange Server with an ordinary user account: valid credentials, not administrator rights, are the prerequisite, so a single phished or reused mailbox password is enough to start the chain.
CISA advises Exchange Server users and administrators to act now
The Cybersecurity and Infrastructure Security Agency (CISA) has issued a statement urging both users and administrators to apply mitigations while waiting for an official patch from Microsoft. Microsoft is working to release the patch as soon as possible, although no time frame has been given yet. Microsoft has further confirmed that the vulnerabilities affect on-premises installations of Exchange Server only; Exchange Online customers are not affected.
Microsoft has released a script for on-premises customers that adds an IIS URL Rewrite rule blocking the request pattern used for the SSRF step, and has pushed the same URL rewrite mitigation automatically to servers enrolled in the Exchange Emergency Mitigation Service (EEMS). Because the RCE step depends on the PowerShell remoting endpoint, Microsoft's guidance also recommends disabling remote PowerShell access for non-administrator users, which narrows the chain even where the rewrite rule is in place. Administrators should also hunt their IIS logs for Autodiscover requests that carry an "@" host override and a PowerShell backend path, since the exploit has been in use since before the mitigation existed.
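The following Python script is an added example written for this article; it is not Microsoft's mitigation script, not GTSC's detection query, and not code from the original page. It parses a constructed IIS W3C log excerpt (all hostnames, IPs, usernames and requests are made up), flags requests with the Autodiscover-to-PowerShell shape described above after percent-decoding them, and then checks each flagged request against the URL Rewrite pattern string as I recall it from Microsoft's initial guidance. That pattern string is an assumption: take the one you deploy from Microsoft's current post, not from here.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt for this example (not real traffic).
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3f@evil.example 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.28 200
2022-09-30 10:01:03 10.0.0.5 GET /owa/ - 443 CONTOSO\\asmith 198.51.100.2 Mozilla/5.0 200
2022-09-30 10:01:04 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example/PowerShell&Email=autodiscover%2fautodiscover.json%3f%40evil.example 443 CONTOSO\\jdoe 203.0.113.7 python-requests/2.28 200
2022-09-30 10:01:05 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell 443 - 203.0.113.9 curl/7.85 401
"""

# URL Rewrite pattern as I recall it from Microsoft's initial mitigation
# guidance (assumption: verify against the current guidance before use).
# IIS applies rewrite patterns case-insensitively to the raw, still-encoded URI.
INITIAL_REWRITE_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, parts)))
    return records


def request_uri(record):
    """Rebuild the raw request URI (stem plus query) as IIS saw it."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")
    return stem if query == "-" else f"{stem}?{query}"


def looks_like_chain_request(record):
    """True when the request has the SSRF-to-PowerShell shape: autodiscover.json
    with an '@' host override and a powershell backend path in the query.
    Percent-decodes first so encoded variants are not missed."""
    stem = unquote(record.get("cs-uri-stem", "")).lower()
    query = unquote(record.get("cs-uri-query", "")).lower()
    return stem.endswith("/autodiscover/autodiscover.json") and "@" in query and "powershell" in query


def find_suspicious_requests(text):
    """Return (client IP, HTTP status, decoded URI) for each chain-shaped request.
    A 200 means the server accepted it; a 401 means it failed authentication,
    which the chain requires, so both are worth knowing about."""
    hits = []
    for rec in parse_iis_log(text):
        if looks_like_chain_request(rec):
            hits.append((rec["c-ip"], rec["sc-status"], unquote(request_uri(rec))))
    return hits


def rewrite_rule_matches(record):
    """Would the recalled rewrite pattern have matched this request's raw URI?"""
    return INITIAL_REWRITE_PATTERN.match(request_uri(record)) is not None


if __name__ == "__main__":
    for ip, status, uri in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(f"{ip} status={status} {uri}")
    for rec in parse_iis_log(SAMPLE_IIS_LOG):
        if looks_like_chain_request(rec):
            print("rewrite pattern matches raw URI:", rewrite_rule_matches(rec), request_uri(rec))
```

Run it against your own IIS log directory by reading each `u_ex*.log` file and passing its text to `find_suspicious_requests`. The third sample line is percent-encoded: the detector flags it because it decodes before matching, while a literal pattern applied to the raw URI does not, so treat the log hunt as a complement to the rewrite rule rather than a substitute for it, and deploy only the pattern string in Microsoft's current guidance.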