Microsoft Exchange RCE/SSRF Vulnerability

IDs: 
CVE-2022-41040, CVE-2022-41082
Keywords: 
exchange, ssrf, rce
Description: 

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker [1].

Airlock Gateway may block certain attack payloads but does not prevent exploitation of the vulnerabilities in general.

Resolution: 

We recommend applying the patches from Microsoft, which fix the root cause, as soon as they are available.

Microsoft published a workaround to prevent exploitation of the vulnerability (see [1]). Alternatively, you can configure the following Deny Rule on Airlock Gateway as a virtual patch to prevent exploitation:

Pattern type: Path
Case-sensitivity: NO (default)
Invert: OFF (default)
Multiple single line Regex: ON (default)
Pattern: 

autodiscover\.json.*Powershell

Note: The pattern is more "aggressive" than similar patterns communicated by Microsoft [1] due to the newest known evasion techniques. We do not expect false positive blocks.

Enable the Deny Rule on the Exchange Autodiscover mappings.
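The following Python is an added illustration, not part of this advisory and not Airlock Gateway code: it applies the same pattern with the same case-insensitive setting to a few constructed request log lines, the way a defender would triage existing access logs for requests the Deny Rule would have blocked. The log layout and the uri-stem/uri-query split are assumptions.

```python
import re

# Deny Rule pattern from the advisory; re.IGNORECASE mirrors "Case-sensitivity: NO".
DENY_PATTERN = re.compile(r"autodiscover\.json.*Powershell", re.IGNORECASE)

# Constructed log layout (an assumption, not a real Airlock or IIS format):
# date time method uri-stem uri-query   ("-" when there is no query string)
SAMPLE_LOG = [
    "2022-10-03 10:00:01 GET /owa/auth/logon.aspx -",
    "2022-10-03 10:00:02 GET /autodiscover/autodiscover.json Email=mail@example.com&Protocol=ActiveSync",
    "2022-10-03 10:00:03 POST /autodiscover/autodiscover.json mail@example.com/PowerShell",
    "2022-10-03 10:00:04 POST /Autodiscover/Autodiscover.json mail@example.com/powershell",
]


def request_uri(line: str):
    """Rebuild the full request URI (stem plus query) from one constructed log line."""
    parts = line.split()
    if len(parts) < 5:
        return None  # malformed line, skip it
    stem, query = parts[3], parts[4]
    return stem if query == "-" else f"{stem}?{query}"


def would_be_denied(uri: str) -> bool:
    """True when the URI matches the Deny Rule pattern (case-insensitive)."""
    return DENY_PATTERN.search(uri) is not None


def triage(lines):
    """Return (line number, URI) for every request the Deny Rule would have blocked."""
    hits = []
    for number, line in enumerate(lines, start=1):
        uri = request_uri(line)
        if uri and would_be_denied(uri):
            hits.append((number, uri))
    return hits


if __name__ == "__main__":
    # Lines 3 and 4 are flagged; the legitimate Autodiscover v2 lookup on line 2 is not.
    for number, uri in triage(SAMPLE_LOG):
        print(f"line {number}: would be blocked by Deny Rule -> {uri}")
```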

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution