Microsoft Exchange Vulnerability

By Autumn Gamble on October 18, 2022

Executive Summary

On-premises Microsoft Exchange Server (2013, 2016, and 2019, including the latest cumulative updates available at the time of writing) is vulnerable to a server-side request forgery (SSRF) flaw and a remote code execution (RCE) flaw. An authenticated attacker can chain the two to elevate privileges and execute arbitrary code on the target Exchange server [1]. Microsoft has stated that it is aware of limited targeted attacks using these vulnerabilities, and multiple reports describe active exploitation. GTSC, the Vietnamese cybersecurity company that discovered both vulnerabilities, reported observing exploitation as early as August 2022. According to the CIS advisory, cyber threat actors (CTAs) are chaining the vulnerabilities to plant backdoors for persistence and to move laterally within the victim network [3].

Background

Microsoft Exchange is a mail and calendaring server widely deployed by governments, businesses, and schools. In the observed attacks, CVE-2022-41040 is used to gain privileged access and CVE-2022-41082 to execute code through Exchange's PowerShell endpoint [1]. CVE-2022-41040 is a Microsoft Exchange Server elevation of privilege vulnerability with a CVSS base score of 8.8 (High); NVD records the weakness as improper privilege management [4]. Once CVE-2022-41040 has been exploited, it can be chained with CVE-2022-41082, the Microsoft Exchange Server remote code execution vulnerability, which also carries a base score of 8.8 (High) [5]. The Microsoft Security Response Center (MSRC) has acknowledged the vulnerabilities and published mitigation guidance. The guidance notes that Exchange Online customers receive detection and mitigation automatically from Microsoft's managed infrastructure and are notified of any attempts to exploit these vulnerabilities [2]. Depending on the privileges of the compromised account, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Full technical details are being withheld while the vulnerabilities remain unpatched and under active exploitation.

Impact

Approximately 117,545 companies use Microsoft Exchange. They are most often located in the United States and in the Information Technology and Services industry, and the typical customer has 50-200 employees and 1M-10M dollars in revenue [6]. CIS rates the risk as high for large and medium government and business entities, medium for small government and business entities, and low for home users [3]. The affected systems are Microsoft Exchange Server 2013, 2016, and 2019. An authenticated remote attacker can use the SSRF vulnerability to escalate privileges and execute arbitrary PowerShell code on a vulnerable server. Because the attack targets the Exchange Mailbox server, a successful attacker can potentially reach other resources by moving laterally into the Exchange and Active Directory environments [1].

Conclusion

Exchange servers remain at risk until Microsoft ships a patch and administrators apply it, and at the time of writing Microsoft has given no timeframe for when a patch will be available. In the meantime, Microsoft recommends the interim mitigations described in its customer guidance at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/. However, security researcher Jang showed that an attacker could bypass the initially proposed mitigation with little effort, and GTSC confirmed the bypass. Microsoft has revised the guidance more than once since it was first published, so administrators should confirm that the mitigation they deployed matches the current version rather than the one first released. Researchers have also warned that hybrid deployments combining on-premises Exchange with the cloud are vulnerable as well [3].
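A practical check that follows from the attack shape described in the Impact section and the mitigation caveat above, written for this page as an added example (it is not code from the original advisory, from GTSC, or from Microsoft): scan IIS W3C logs on the Exchange front end for requests to autodiscover.json whose query string steers the request toward the PowerShell endpoint, which is the request shape the SSRF-to-RCE chain relies on. The log lines are constructed, and the field list, the `naive_match` pattern, and the `hardened_match` logic are this example's own assumptions. The page does not describe the specific bypass Jang demonstrated; the naive/hardened pair instead shows one general way a pattern applied to the raw request URI fails: a character the pattern expects literally (here `@`) arrives percent-encoded, so a rule or detector must decode before matching.

```python
"""Scan IIS W3C logs for autodiscover.json requests aimed at the PowerShell endpoint."""
import re
from urllib.parse import unquote

# Constructed sample log, not real data. Field order follows the "#Fields:"
# header; IIS writes '-' for an empty field and never emits spaces inside a field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-08-12 03:15:22 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell&Email=autodiscover/autodiscover.json%3F@evil.example 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200
2022-08-12 03:15:25 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.example/PowerShell&Email=autodiscover/autodiscover.json%3F%40evil.example 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200
2022-08-12 03:16:01 10.0.0.5 POST /autodiscover/autodiscover.json - 443 CORP\\asmith 198.51.100.9 Microsoft+Office/16.0 200
2022-08-12 03:17:40 10.0.0.5 GET /owa/ - 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line appears before the #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def request_uri(rec):
    """Rebuild the request URI (stem + query) exactly as IIS logged it, still URL-encoded."""
    query = rec["cs-uri-query"]
    return rec["cs-uri-stem"] if query == "-" else f"{rec['cs-uri-stem']}?{query}"


# Assumed pattern in the style of a literal-'@' rule applied to the raw URI.
# Case-insensitive, as IIS URL Rewrite rules are by default.
NAIVE_PATTERN = re.compile(r"autodiscover\.json.*@.*powershell", re.IGNORECASE)


def naive_match(uri):
    """Flag only if '@' appears literally between autodiscover.json and powershell."""
    return NAIVE_PATTERN.search(uri) is not None


def hardened_match(uri):
    """Decode first, then require both tokens in any order and any encoding."""
    # Two rounds of decoding so a double-encoded request cannot slip past either.
    decoded = unquote(unquote(uri)).lower()
    return "autodiscover.json" in decoded and "powershell" in decoded


def find_attempts(log_text, matcher):
    """Return (client ip, user, status, uri) for each request the matcher flags."""
    hits = []
    for rec in parse_iis_log(log_text):
        uri = request_uri(rec)
        if matcher(uri):
            hits.append((rec["c-ip"], rec["cs-username"], rec["sc-status"], uri))
    return hits


if __name__ == "__main__":
    for name, matcher in (("naive", naive_match), ("hardened", hardened_match)):
        hits = find_attempts(SAMPLE_LOG, matcher)
        print(f"{name}: {len(hits)} hit(s)")
        for ip, user, status, uri in hits:
            print(f"  {ip} {user} {status} {uri}")
```

On a live server, run the same logic over the files under the IIS log directory (by default `%SystemDrive%\inetpub\logs\LogFiles`). A 200 response to a flagged request means the backend handled it, which warrants an incident-response look at that client IP and the account named in `cs-username`; the `%40` line, which the literal pattern misses, is the reason the decoded form must be what gets matched.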

References

[1] V. Sarvepalli, “VU#915563: Microsoft Exchange vulnerable to server-side request forgery and remote code execution,” CERT/CC Vulnerability Note, 03-Oct-2022. [Online]. Available: https://kb.cert.org/vuls/id/915563. [Accessed: 13-Oct-2022].

[2] Microsoft Security Response Center, “Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server,” 29-Sep-2022, updated 08-Oct-2022. [Online]. Available: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/. [Accessed: 13-Oct-2022].

[3] Center for Internet Security, “Multiple vulnerabilities in Microsoft Exchange Server could allow for remote code execution,” CIS Advisory 2022-117. [Online]. Available: https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-exchange-server-could-allow-for-remote-code-execution_2022-117. [Accessed: 13-Oct-2022].

[4] NVD, “CVE-2022-41040 Detail,” 02-Oct-2022. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-41040. [Accessed: 13-Oct-2022].

[5] NVD, “CVE-2022-41082 Detail,” 02-Oct-2022. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2022-41082. [Accessed: 13-Oct-2022].

[6] Enlyft, “Companies using Microsoft Exchange.” [Online]. Available: https://enlyft.com/tech/products/microsoft-exchange. [Accessed: 13-Oct-2022].