Following reports of exploitation in the wild, Microsoft has acknowledged that it is investigating two zero-day security vulnerabilities that affect Exchange Server 2013, 2016, and 2019.
First, CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability, and second, CVE-2022-41082 allows remote code execution (RCE) when PowerShell is available to the attacker.
The company has also stated that it is aware of “limited targeted attacks” that have used the vulnerabilities to gain initial access to targeted systems, but it has stressed that authenticated access to the vulnerable Exchange Server is required for successful exploitation.
Using the SSRF weakness, an authenticated adversary can remotely trigger arbitrary code execution, as demonstrated by the attacks Microsoft disclosed.
Redmond has stated it is working on an “expedited timeline” to release a patch, and in the meantime it is recommending that customers who host their own instances of Microsoft Exchange implement a blocking rule in IIS Manager.
It’s important to note that Microsoft Exchange Online users are not impacted by this issue. Adding the new blocking rule entails the following steps:
Launch the Internet Information Server Manager.
Expand the Default Web Site.
Choose Autodiscover.
Select URL Rewrite under Features.
Select Add Rules from the Actions menu on the right.
Then, expand the rule, choose the rule with the Pattern “.*auto-discover.json.*@.*Powershell.*” (without the quotes), and click Edit under Conditions.
Then, select Request Blocking and click OK to add the string.
In the condition, replace the input “{URL}” with “{REQUEST_URI}”.