How to Mitigate CVE-2022-41040, a 0-Day SSRF Vulnerability in Microsoft Exchange Server

Microsoft released its customer guidance on Thursday, reporting two new zero-day flaws that affect Microsoft Exchange Server 2013, 2016, and 2019. The two vulnerabilities are CVE-2022-41040 (a 0-Day SSRF vulnerability in Microsoft Exchange Server) and CVE-2022-41082 (a Remote Code Execution vulnerability). The attacks were first observed in early August, when the attackers planted web-based backdoors (web shells) that gave them access to the servers from any browser over the internet. Since adversaries can compromise Exchange servers by chaining the two flaws together, mitigating them is urgent. Microsoft said it is working on a patch to fix the flaws permanently; in the meantime, it has recommended mitigations. Let’s see how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server, in this post.

What are Server-Side Request Forgery and Remote Code Execution Attacks?

Server-Side Request Forgery (SSRF) is an attack against an application feature that fetches or imports data from URLs. If the attacker can supply or tamper with those URLs, they can make the server issue requests on their behalf and read the responses. In this way the server is tricked into sending requests to other servers or services that only it can reach, such as internal network services or databases. This type of attack can be used to gain access to sensitive information or to launch other types of attacks, such as denial of service (DoS) attacks.
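As an added illustration, not part of the original post, the following Python function shows the server-side check that defeats the URL tampering described above: an import feature is only allowed to fetch https URLs to allow-listed hosts, URLs carrying embedded credentials are refused, and IP literals in non-public ranges are rejected. The host names and the allow-list are constructed for the example.

```python
"""Added example (not from the original post): a server-side guard for a
feature that imports data from user-supplied URLs. It refuses the
attacker-chosen URLs an SSRF relies on: non-https schemes, embedded
credentials, IP literals in non-public ranges (loopback, private,
link-local) and any host outside a constructed allow-list."""
import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: the only external hosts the import feature may
# contact. A real deployment would load this from configuration.
ALLOWED_HOSTS = {"feeds.example.com", "data.example.org"}
ALLOWED_SCHEMES = {"https"}


def is_non_public_address(host: str) -> bool:
    """Return True if host is an IP literal that is not globally routable
    (127.0.0.1, 10.x, 169.254.x including cloud metadata, ::1, ...).
    Non-literal hostnames return False and are judged by the allow-list."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not addr.is_global


def validate_import_url(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not permitted"
    # 'https://trusted.example.com@127.0.0.1/' parses the trusted name as
    # userinfo and 127.0.0.1 as the host, so reject credentials outright.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not permitted"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if is_non_public_address(host):
        return False, "non-public address"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allow-list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://feeds.example.com/export.csv",
                      "https://127.0.0.1/admin",
                      "https://feeds.example.com@169.254.169.254/latest/"):
        print(candidate, validate_import_url(candidate))
```

The allow-list is the primary control (anything not on it is denied, including odd encodings of an IP); the address check is defence in depth. Resolving an allow-listed name to an internal address at fetch time (DNS rebinding) is outside what this function covers and needs a check on the resolved address.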

On the other hand, Remote Code Execution (RCE) involves an attacker executing malicious code on a system remotely. Once the attacker gets into the system through an RCE vulnerability, they can execute malware or even take complete control of the affected system.

Summary of CVE-2022-41040:

CVE-2022-41040 is a 0-day SSRF vulnerability in Microsoft Exchange Server. Its exploitation can also allow an attacker to trigger CVE-2022-41082 remotely. The flaw has a CVSS score of 8.8 out of 10.

Associated CVE ID          CVE-2022-41040
Description                A 0-Day SSRF Vulnerability in Microsoft Exchange Server
Associated ZDI ID
CVSS Score                 8.8 (High)
Vector                     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   Low
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           High

Summary of CVE-2022-41082:

CVE-2022-41082 is an RCE vulnerability that can be exploited remotely by an authenticated attacker. It resembles ProxyShell, discovered in 2021 by Orange Tsai. The CVSSv3 score for this vulnerability is 8.8.

Associated CVE ID          CVE-2022-41082
Description                An RCE Vulnerability in Microsoft Exchange Server
Associated ZDI ID
CVSS Score                 8.8 (High)
Vector                     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   Low
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           High

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.”
– Microsoft

[Figure: Attack flow showing how attackers compromise Exchange servers using CVE-2022-41040. Source: Microsoft]

How to Detect CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

There are no detection queries specific to this compromise as yet. Microsoft has published guidelines for Microsoft Sentinel users to hunt for malicious web shells.

GTSC has published a detailed analysis of a use case pertaining to this attack. Its post details post-exploitation activities, Indicators of Compromise, files involved in the attack campaign, and a technical malware analysis of the sample PowerShell and DLL files. Moreover, GTSC has written a few detection and mitigation tips, with a PowerShell command and a small tool to scan IIS logs that help in the detection.

Method 1: Use a PowerShell command (replace <Path_IIS_Logs> with the IIS log directory; the dot and the @ in the pattern are escaped so they match literally):

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'

Method 2: IIS logs analyzer tool:

A tool created by GTSC that detects the infection faster than the PowerShell command. Download link: https://github.com/ncsgroupvn/NCSE0Scanner

Other than these detection mechanisms, you can use your anti-malware and threat detection solutions to detect the infection. With the help of your security teams, look for alerts such as the following:

  • Possible web shell installation 
  • Possible IIS web shell 
  • Suspicious Exchange Process Execution 
  • Possible exploitation of Exchange Server vulnerabilities 
  • Suspicious processes indicative of a web shell 
  • Possible IIS compromise 

IoCs captured by GTSC:

Webshell:

File Name: pxh4HG1v.ashx
SHA256: c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
SHA256: 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
SHA256: b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
SHA256: c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

File Name: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:/Program Files/Microsoft/Exchange Server/V15/FrontEnd/HttpProxy/owa/auth/errorEE.aspx

DLL:

File Name: Dll.dll

SHA256:

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d82
45c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a9
9ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c0
29b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3
c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File Name: 180000000.dll (dumped from the Svchost.exe process)

SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

  • 125[.]212[.]220[.]48
  • 5[.]180[.]61[.]17
  • 47[.]242[.]39[.]92
  • 61[.]244[.]94[.]85
  • 86[.]48[.]6[.]69
  • 86[.]48[.]12[.]64
  • 94[.]140[.]8[.]48
  • 94[.]140[.]8[.]113
  • 103[.]9[.]76[.]208
  • 103[.]9[.]76[.]211
  • 104[.]244[.]79[.]6
  • 112[.]118[.]48[.]186
  • 122[.]155[.]174[.]188
  • 125[.]212[.]241[.]134
  • 185[.]220[.]101[.]182
  • 194[.]150[.]167[.]88
  • 212[.]119[.]34[.]11

URL:

  • hxxp://206[.]188[.]196[.]77:8080/themes.aspx

C2:

  • 137[.]184[.]67[.]33

How to Mitigate CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

Microsoft has already given directions on how to mitigate CVE-2022-41040 and CVE-2022-41082. These mitigations are meant to protect customers running on-premises Microsoft Exchange servers.

Microsoft has recommended using the URL Rewrite module on Exchange servers; the mitigation is not known to affect Exchange functionality. Additionally, Microsoft recommends blocking the HTTP and HTTPS ports used to run PowerShell remotely (5985 and 5986), which also helps minimize the attack surface.

The mitigation is enabled automatically if you are running Exchange Server EMS (2016 and 2019). However, the best practice is to add a blocking rule in IIS Manager -> Default Web Site -> URL Rewrite -> Actions, following the steps given below. It blocks the known attack pattern and protects your systems from external attacks.

Time needed: 15 minutes.

How to Mitigate CVE-2022-41040 and CVE-2022-41082 Vulnerabilities

  1. Open IIS Manager on the Exchange server

    In Server Manager, go to Tools –> Internet Information Services (IIS) Manager.
    [Image: opening ‘IIS Manager’ from ‘Server Manager’]

  2. Open the ‘URL Rewrite’ feature for ‘Autodiscover’ under ‘Default Web Site’ in IIS Manager

    In IIS Manager, navigate to Hostname (in this sample, EXCH19) –> Sites –> Default Web Site –> Autodiscover.
    Select ‘URL Rewrite’ under ‘IIS’.
    In the right pane, click on ‘Open Feature’ under ‘Actions’.
    [Image: the ‘URL Rewrite’ feature under ‘Autodiscover’]

  3. Add a rule under ‘URL Rewrite’

    Under the ‘URL Rewrite’ feature, click on ‘Add Rule(s)’ under ‘Actions’ to create a new Inbound rule.
    [Image: ‘Add Rule(s)’ under ‘URL Rewrite’]

  4. Add a new rule for ‘Request blocking’

    In the Add Rule(s) window, select ‘Request blocking’ under ‘Inbound rules’. This creates a rule that blocks client requests based on text patterns in the URL path, query string, HTTP headers, or server variables. Click on ‘OK’ to proceed.
    [Image: selecting ‘Request Blocking’ as the Inbound rule]

  5. Update Pattern (URL Path) in the Request Blocking Rule

    In the ‘Add Request Blocking Rule’ window, enter the pattern “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes; the dot and the @ are escaped so they match literally) and click on ‘OK’.
    [Image: updating ‘Pattern (URL Path)’ under ‘Request Blocking Rule’]

  6. Edit the Conditions for the Inbound Rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*”

    In the ‘URL Rewrite’ page, expand ‘RequestBlockingRule1’, select the rule with the pattern “.*autodiscover\.json.*\@.*Powershell.*” and click on ‘Edit’ under ‘Conditions’.
    [Image: editing the Inbound rule]

  7. Update Condition input from {URL} to {REQUEST_URI}

    In the ‘Edit Condition’ page, change the ‘Condition input’ from {URL} to {REQUEST_URI} and click on ‘OK’.
    [Image: updating the ‘Condition input’]

  8. The final Inbound Rule looks as below.

    [Image: ‘URL Rewrite’ settings after modification]
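As an added example, not part of the original post and not Microsoft's mitigation script, the following Python code models the request-blocking rule built in the steps above to show why step 7 matters. In IIS, the {URL} server variable holds only the URL path, while {REQUEST_URI} holds the path plus the query string; a rule left on the wizard's default of {URL} never sees the part of the request the pattern targets. The request targets are constructed (the attacker host uses the reserved .invalid TLD), IIS's own path normalisation is not reproduced, and the pattern is written with `\.` and `\@` escaped as in Microsoft's guidance.

```python
"""Added example (not from the original post): a simplified model of the
URL Rewrite request-blocking rule, evaluated once with {URL} and once with
{REQUEST_URI} as the condition input."""
import re
from urllib.parse import urlsplit

# The rule's pattern, '.' and '@' escaped as in Microsoft's guidance.
# URL Rewrite conditions ignore case by default, hence IGNORECASE.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def server_variables(request_target: str) -> dict[str, str]:
    """Derive the two server variables from the request target as it appears
    in the HTTP request line: {URL} is the path only, {REQUEST_URI} is the
    path plus the query string (simplified model of IIS behaviour)."""
    parts = urlsplit(request_target)
    request_uri = parts.path + ("?" + parts.query if parts.query else "")
    return {"URL": parts.path, "REQUEST_URI": request_uri}


def rule_blocks(request_target: str, condition_input: str = "REQUEST_URI") -> bool:
    """True if the request-blocking rule fires for this request when its
    condition reads the given server variable ('URL' or 'REQUEST_URI')."""
    value = server_variables(request_target)[condition_input]
    return BLOCK_PATTERN.search(value) is not None


def compare_condition_inputs(request_targets):
    """For each request, report whether the rule blocks it with {URL} and
    with {REQUEST_URI}, so the effect of step 7 is visible side by side."""
    return {
        target: {"URL": rule_blocks(target, "URL"),
                 "REQUEST_URI": rule_blocks(target, "REQUEST_URI")}
        for target in request_targets
    }


# Constructed request targets: a normal OWA request, a normal Autodiscover
# request, a normal remote PowerShell request, and one carrying the string
# pattern the rule is meant to stop.
SAMPLE_REQUESTS = [
    "/owa/auth/logon.aspx",
    "/autodiscover/autodiscover.json?Email=alice@example.invalid",
    "/powershell",
    "/autodiscover/autodiscover.json?@attacker.invalid/powershell",
]

if __name__ == "__main__":
    for target, result in compare_condition_inputs(SAMPLE_REQUESTS).items():
        print(f"{target:65} URL={result['URL']!s:5} REQUEST_URI={result['REQUEST_URI']}")
```

Only the last request is blocked, and only when the condition reads {REQUEST_URI}: with {URL} the query string is invisible to the rule and the request passes. Legitimate Autodiscover requests (an Email parameter containing @ but no "powershell") and ordinary remote PowerShell requests are not blocked. Microsoft revised this pattern in later updates to its guidance, so check the current advisory rather than relying on the exact string shown here.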

CVE-2022-41040 and CVE-2022-41082 in Microsoft Exchange Server can be chained, which increases the attack surface: if an attacker exploits the former, they can also trigger the latter. Exploitation enables an attacker to execute malware or even take complete control of the affected system. To avoid this, it is crucial to follow the detection steps and the steps for mitigating CVE-2022-41040 and CVE-2022-41082 given above.

We hope this post will help you know how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server. Please share this post and help to secure the digital world.

Original article by ItWorker. If reposting, please credit the source: https://blog.ytso.com/290963.html
