How to mitigate zero-day vulnerabilities in Microsoft Exchange Server

Microsoft recently published a blog post detailing mitigation and detection steps for the new vulnerabilities.


The first to be reported is CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability; the other is CVE-2022-41082, which allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Microsoft Exchange Server is a mail and calendaring server developed by Microsoft that runs on Windows Server operating systems. It is worth noting that Exchange Server has integrated intelligent storage and search functionality. Microsoft designed Exchange Server to give users access to the messaging platform from mobile devices, desktops, and web-based clients, and with its integrated telephony functions it also supports voice messages.

Note: Microsoft has reported that CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. Authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

To check whether servers have already been compromised, GTSC released a guideline with a PowerShell command that scans the IIS log files (stored by default in the %SystemDrive%\inetpub\logs\LogFiles folder).
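As an added example (not GTSC's or Microsoft's command, and not part of the original post), the PowerShell function below applies the same indicator the URL Rewrite rule blocks to IIS W3C log lines, rebuilding each request's stem plus query string; that rebuild is also why the rewrite rule in Option 3 has to test {REQUEST_URI} rather than {URL}, since the indicators sit in the query string. It assumes the default IIS log folder and W3C format with a #Fields header; the sample log lines are constructed.

```powershell
function Select-SuspiciousAutodiscoverRequest {
    param(
        [Parameter(ValueFromPipeline)] [string]$Line,
        # Same indicator the post's URL Rewrite rule blocks; -match is case-insensitive
        [string]$Pattern = 'autodiscover\.json.*@.*powershell'
    )
    begin { $fields = $null }
    process {
        if ($Line.StartsWith('#Fields:')) {
            # The W3C header names the columns; IIS may order them differently per site
            $fields = $Line.Substring(8).Trim() -split ' '
            return
        }
        if ($Line.StartsWith('#') -or -not $fields) { return }   # comments / no header yet
        $cols = $Line -split ' '
        if ($cols.Count -ne $fields.Count) { return }              # malformed line
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        # Rebuild the full request URI: the '@' and 'powershell' indicators sit in the
        # query string, which is why the rewrite rule must test {REQUEST_URI}, not {URL}
        $uri = $row['cs-uri-stem']
        if ($row['cs-uri-query'] -and $row['cs-uri-query'] -ne '-') {
            $uri += '?' + $row['cs-uri-query']
        }
        if ($uri -match $Pattern) {
            [pscustomobject]@{
                Time       = "$($row['date']) $($row['time'])"
                ClientIP   = $row['c-ip']
                Status     = $row['sc-status']    # 200 means the request was served
                RequestUri = $uri
            }
        }
    }
}

# Constructed sample lines in IIS W3C format (not real telemetry); only the last one matches
$sampleLog = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status',
    '2022-09-30 10:00:00 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.10 200',
    '2022-09-30 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.invalid/powershell 443 - 203.0.113.10 200'
)
$sampleLog | Select-SuspiciousAutodiscoverRequest | Format-Table -AutoSize

# Same scan over the real logs (default IIS log folder), one file at a time so each
# file's own #Fields header is used; successful (200) hits are the ones to triage first
Get-ChildItem "$env:SystemDrive\inetpub\logs\LogFiles" -Recurse -Filter '*.log' |
    ForEach-Object { Get-Content $_.FullName | Select-SuspiciousAutodiscoverRequest } |
    Where-Object Status -eq '200' | Format-Table -AutoSize
```

A hit in the logs indicates a request that reached the server with the blocked pattern; it is a lead for investigation, not proof of compromise on its own.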


Mitigations to zero-day vulnerabilities in Microsoft Exchange Server

GTSC’s direct incident response process recorded more than one organization falling victim to an attack campaign exploiting this 0-day vulnerability. In addition, we are also concerned that many other organizations may have been exploited but have not yet discovered it.

While waiting for the official patch from the company, GTSC provides a temporary remedy that reduces exposure to these attacks: a rule, added through the URL Rewrite module on the IIS server, that blocks requests carrying the indicators of attack.

Microsoft Exchange Online is not affected; it already has detections and mitigations in place to protect customers. As always, Microsoft monitors these detections for malicious activity and responds to protect customers.

For Microsoft Exchange Server customers, there are three mitigation options. These are highlighted below:

Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. Please see this blog post for more information on this service and how to check active mitigations.

Option 2: Microsoft created the following script for the URL Rewrite mitigation steps: https://aka.ms/EOMTv2

What does the EOM Mitigation Tool v2 script do?

The Exchange On-premises Mitigation Tool v2 script (EOMTv2.ps1) can be used to mitigate CVE-2022-41040. This script does the following:

  • Check for the latest version of EOMTv2.ps1 and download it.
  • Mitigate against current known attacks using CVE-2022-41040 via a URL Rewrite configuration.

The default recommended way of using EOMTv2.ps1 applies the URL Rewrite mitigation. If the IIS URL Rewrite module is not installed, the script also downloads and installs the module.

To roll back EOMTv2 mitigations, run the following command:

.\EOMTv2.ps1 -Rollbackmitigation

Option 3: Customers can also follow the instructions below, which are currently being discussed publicly and have been successful in breaking current attack chains.

Open IIS Manager. Then select Default Web Site. In the Feature View, click URL Rewrite.

In the Actions pane on the right-hand side, click Add Rule(s).

Select Request Blocking and click OK.

Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes). Select Regular Expression under Using.

Select Abort Request under How to block and then click OK.

Expand the rule and select the rule with the pattern .*autodiscover\.json.*\@.*Powershell.* and click Edit under Conditions.

Change the Condition input from {URL} to {REQUEST_URI}.

Note: If you MUST change any rule that you have created, it is best to delete and recreate it.

We hope you find this guide helpful. Kindly drop a comment below for any questions.
