How to Mitigate CVE-2022-41040- A 0-Day SSRF Vulnerability in Microsoft Exchange Server

Microsoft released its customer guidance on Thursday, reporting two new zero-day flaws that specifically affect Microsoft’s 2013, 2016, and 2019 versions. The two vulnerabilities are named CVE-2022-41040 (0-Day SSRF vulnerability in Microsoft Exchange Server) and CVE-2022-41082 (Remote Code Execution vulnerability). The attack was first observed in early August when the attackers tried to use web-based backdoors to get easy access to the internet from any browser. Since advisory can compromise the Exchange servers by chaining both the flaws together, it is highly required to fix the flaws. Microsoft said it is working on the release of patch to fix the flaws permanently. In the mean time, Microsoft has recommended to mitigate the flaws. Let’s see how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server, in this post.

What are Server-Side Request Forgery and Remote Code Execution Attacks?

Server-Side Request Forgery (SSRF) is an attack involving attackers getting access to an application supporting data imports from URLs. It allows them to abuse the functionality of a server or manipulate the URLs by replacing them with new ones. When an attacker controls the URLs, they can give commands to the servers to read data to the tampered/altered URL. The attacker can use this type of attack to tricks the server into sending malicious requests to other servers or services that are accessible by the server, such as internal network services or databases. This type of attack can be used to gain access to sensitive information or to launch other types of attacks, such as denial of service (DoS) attacks.

On the other hand, Remote Code Execution (RCE) involves an attacker executing malicious code on the systems remotely. Once the hacker gets into the system through RCE vulnerability, he can process malware execution or even have complete control over the affected system.

Summary of CVE-2022-41040:

CVE-2022-41040 is a 0-day SSRF vulnerability in Microsoft Exchange Servers. Its exploitation can also allow an attacker to trigger CVE-2022-41082 remotely. The flaw has got the CVSS score 8.8 out of 10. 

Summary of CVE-2022-41082:

CVE-2022-41082 is a RCE vulnerability that can be exploited by an authenticated attacker remotely. It resembles ProxyShell, discovered in 2021 by Orange Tsai. The CVSSv3 score for this vulnerability is 8.8. 

“These attacks installed the Chopper web shell to facilitate hands-on-keyboard access, which the attackers used to perform Active Directory reconnaissance and data exfiltration.”– Microsoft

Source: Microsoft

How to Detect CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

As such, there are no such detection queries specific to detect the compromise. Microsoft has published guidelines for the users of Microsoft Sentinel to hunt malicious WebShells. 

GTSC has published a detailed analysis of a use case pertaining to this attack. In its post, it has detailed post-exploitations activities, Indicators of Compromises, files involved in the attack campaign, and a technical malware analysis of the sample PowerShell and DLL files. Moreover, GTSC has written a few detection and mitigation tips with a PowerShell command and a small tool to scan IIS logs that helps in the detection. 

Method 1: Use PowerShell command:

Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200 

Method 2: IIS logs analyzer tool:

A tool created by GTSC that helps to detect the infection faster than the PowerShell command. The link to download: https://github.com/ncsgroupvn/NCSE0Scanner

Other than these detection mechanisms, you can use your Anti-Malware and Threat Detection solutions to detect the infection. Try to gather this information with the help of your security teams. 

IoCs captured by GTSC:

Webshell:

File Name: pxh4HG1v.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): 65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: RedirSuiteServiceProxy.aspx
Hash (SHA256): b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx

File Name: Xml.ashx
Hash (SHA256): c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1
Path: Xml.ashx

Filename: errorEE.aspx
SHA256: be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257
Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx

DLL:

File name: Dll.dll

SHA256:

074eb0e75bb2d8f59f1fd571a8c5b76f9c899834893da6f7591b68531f2b5d8245c8233236a69a081ee390d4faa253177180b2bd45d8ed08369e07429ffbe0a99ceca98c2b24ee30d64184d9d2470f6f2509ed914dafb87604123057a14c57c029b75f0db3006440651c6342dc3c0672210cfb339141c75e12f6c84d990931c3c8c907a67955bcdf07dd11d35f2a23498fb5ffe5c6b5d7f36870cf07da47bff2

File name: 180000000.dll (Dump từ tiến trình Svchost.exe)

SHA256: 76a2f2644cb372f540e179ca2baa110b71de3370bb560aca65dcddbd7da3701e

IP:

URL:

C2:

How to Mitigate CVE-2022-41040 and CVE-2022-41082 Vulnerabilities?

However, Microsoft has already given directions on how to Mitigate CVE-2022-41040 and CVE-2022-41082. The detections are made to protect the customers using on-premise Microsoft Exchange servers. 

Microsoft has recommended enabling the URL Rewrite module on Exchange servers. Anyways, it doesn’t know to be impacted its functionality. Additionally, Microsoft recommends blocking these two HTTP and HTTPS ports (5985 & 5986) used to run PowerShell remotely, which would also be considered to be in minimizing the attack surface.

The mitigation will be automatically enabled if you’re using Exchange Server EMS (2016 and 2019). However, the best practice to fix the problem is to add a blocking rule in IIS Manager -> Default Web Site -> URL Rewrite -> Actions, following the steps given below. It will block all the known patterns and protect your systems from external attacks. 

Step 1. Open IIS Manager on the Exchange server

In Server Manager and go to Tools –> Internet Information Services (IIS) Manager

Step 2. Open ‘URL Rewrite’ feature for ‘Autodiscover’ under ‘Default Web Site’ in IIS Manager

In IIS Manager, navigate to Hostname (This this sample – EXCH19) –> Sites –> Default Web Site –> Autodiscover.
Select ‘URL Rewrite‘ under ‘IIS‘.In the right-pane, click on ‘Open Feature‘ under ‘Actions‘.

Step 3. Add a rule under ‘URL Rewrite’

Under ‘URL Rewrite‘ feature, click on ‘Add Rule(s)‘ under ‘Actions‘ to create a new Inbound rule.

Step 4. Add a new Rule for ‘Request blocking’

In the Add Rule(s) window, select ‘Request blocking‘ under ‘Inbound rules‘.  This will create a rule to block client requests based on certain text patterns in the URL path, query string, HTTP headers, and server variables. Click on ‘OK‘ to proceed further.

Step 5. Update Pattern (URL Path) in Request Blocking Rule

In ‘Add Request Blocking Rule‘ window, update the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click on ‘OK‘.

Step 6. Edit the Conditions for the Inbound Rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*”

In ‘URL Rewrite‘ page, expand ‘RequestBlockingRule1‘ and select the Rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click on ‘Edit‘ under ‘Conditions’.

Step 7. Update Condition input from {URL} to {REQUEST_URI}

Under ‘Edit Condition‘ page, change the ‘Condition input‘ from {URL} to {REQUEST_URI} and click on ‘OK‘

Step 8. Final Inbound Rule looks as below,

CVE-2022-41040 and CVE-2022-41082 vulnerabilities in Microsoft Exchange Server are chained to increase the attack surface; if an attacker exploits the former, they can also trigger the latter. The exploitation enables an attacker to process malware execution or even have complete control over the affected system. To avoid this exploitation, it is crucial to follow the steps for detection and how to mitigate CVE-2022-41040 and CVE-2022-41082. 

We hope this post would help you know how to mitigate CVE-2022-41040, a 0-Day SSRF vulnerability in Microsoft Exchange Server. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium & Instagram, and subscribe to receive updates like this. 

You may also like these articles: