How to Mitigate CVE-2022-41040- A 0-Day SSRF Vulnerability in Microsoft Exchange Server

Microsoft released its customer guidance on Thursday, reporting two new zero-day flaws that specifically affect Microsoft’s 2013, 2016, and 2019 versions. The two vulnerabilities are named CVE-2022-41040 (0-Day SSRF vulnerability in Microsoft Exchange Server) and CVE-2022-41082 (Remote Code Execution vulnerability). The attack was first observed in early August when the attackers tried to use web-based backdoors to get easy access to the internet from any browser. Since advisory can compromise the Exchange servers by chaining both the flaws together, it is highly required to fix the flaws. Microsoft said it is working on the release of patch to fix the flaws permanently. In the mean time, Microsoft has recommended to mitigate the flaws. Let’s see how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server, in this post.

What are Server-Side Request Forgery and Remote Code Execution Attacks?

Server-Side Request Forgery (SSRF) is an attack involving attackers getting access to an application supporting data imports from URLs. It allows them to abuse the functionality of a server or manipulate the URLs by replacing them with new ones. When an attacker controls the URLs, they can give commands to the servers to read data to the tampered/altered URL. The attacker can use this type of attack to tricks the server into sending malicious requests to other servers or services that are accessible by the server, such as internal network services or databases. This type of attack can be used to gain access to sensitive information or to launch other types of attacks, such as denial of service (DoS) attacks.

On the other hand, Remote Code Execution (RCE) involves an attacker executing malicious code on the systems remotely. Once the hacker gets into the system through RCE vulnerability, he can process malware execution or even have complete control over the affected system.

Summary of CVE-2022-41040:

CVE-2022-41040 is a 0-day SSRF vulnerability in Microsoft Exchange Servers. Its exploitation can also allow an attacker to trigger CVE-2022-41082 remotely. The flaw has got the CVSS score 8.8 out of 10. 

Summary of CVE-2022-41082:

CVE-2022-41082 is a RCE vulnerability that can be exploited by an authenticated attacker remotely. It resembles ProxyShell, discovered in 2021 by Orange Tsai. The CVSSv3 score for this vulnerability is 8.8. 

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.”
– Microsoft

How to Detect CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

As such, there are no such detection queries specific to detect the compromise. Microsoft has published guidelines for the users of Microsoft Sentinel to hunt malicious WebShells. 

GTSC has published a detailed analysis of a use case pertaining to this attack. In its post, it has detailed post-exploitations activities, Indicators of Compromises, files involved in the attack campaign, and a technical malware analysis of the sample PowerShell and DLL files. Moreover, GTSC has written a few detection and mitigation tips with a PowerShell command and a small tool to scan IIS logs that helps in the detection. 

Method 1: Use PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover/.json.*/@.*200 

Method 2: IIS logs analyzer tool:

A tool created by GTSC that helps to detect the infection faster than the PowerShell command. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner

Other than these detection mechanisms, you can use your Anti-Malware and Threat Detection solutions to detect the infection. Try to gather this information with the help of your security teams. 

• Possible web shell installation 
• Possible IIS web shell 
• Suspicious Exchange Process Execution 
• Possible exploitation of Exchange Server vulnerabilities 
• Suspicious processes indicative of a web shell 
• Possible IIS compromise 

IoCs captured by GTSC:

Webshell:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorEE.aspx

DLL:

File name: Dll.dll

SHA256:

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File name: 180000000.dll (Dump từ tiến trình Svchost.exe)

SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

• 125[.]212[.]220[.]48
• 5[.]180[.]61[.]17
• 47[.]242[.]39[.]92
• 61[.]244[.]94[.]85
• 86[.]48[.]6[.]69
• 86[.]48[.]12[.]64
• 94[.]140[.]8[.]48
• 94[.]140[.]8[.]113
• 103[.]9[.]76[.]208
• 103[.]9[.]76[.]211
• 104[.]244[.]79[.]6
• 112[.]118[.]48[.]186
• 122[.]155[.]174[.]188
• 125[.]212[.]241[.]134
• 185[.]220[.]101[.]182
• 194[.]150[.]167[.]88
• 212[.]119[.]34[.]11

URL:

• hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

• 137[.]184[.]67[.]33

How to Mitigate CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

However, Microsoft has already given directions on how to Mitigate CVE-2022-41040 and CVE-2022-41082. The detections are made to protect the customers using on-premise Microsoft Exchange servers. 

Microsoft has recommended enabling the URL Rewrite module on Exchange servers. Anyways, it doesn’t know to be impacted its functionality. Additionally, Microsoft recommends blocking these two HTTP and HTTPS ports (5985 & 5986) used to run PowerShell remotely, which would also be considered to be in minimizing the attack surface.

The mitigation will be automatically enabled if you’re using Exchange Server EMS (2016 and 2019). However, the best practice to fix the problem is to add a blocking rule in IIS Manager -> Default Web Site -> URL Rewrite -> Actions, following the steps given below. It will block all the known patterns and protect your systems from external attacks. 

CVE-2022-41040 and CVE-2022-41082 vulnerabilities in Microsoft Exchange Server are chained to increase the attack surface; if an attacker exploits the former, they can also trigger the latter. The exploitation enables an attacker to process malware execution or even have complete control over the affected system. To avoid this exploitation, it is crucial to follow the steps for detection and how to mitigate CVE-2022-41040 and CVE-2022-41082. 

We hope this post will help you know how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

• 12 Best Security Settings in Windows 11
• How to Patch These Two RCE Vulnerabilities in WhatsApp
• A Critical RCE Vulnerability in HP Printer Devices- Let’s See How to Fix CVE-2022-28721(2)
• How to Fix CVE-2022-35823- A Remote Code Execution Vulnerability in Microsoft SharePoint
• Detect Microsoft Exchange 0 Day Exploit