Skip to main content
Need help with a cyber incident now?
Call 24/7: +31 88-2747800

ProxyNotShell Vulnerability

By 10 November 2022 CERT, SOC, Vulnerability
Exchange

This live blog contains information regarding the ProxyNotShell vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on November 10, 2022.

Update November 10, 2022

15:30 | On the 8th of November 2022, Microsoft has released security updates for CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. It is strongly recommended to apply the security updates, even if you have applied the mitigation workaround published in our initial post. The security updates are available for:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

The mitigations can be removed, but only after applying the security updates.

For more information, please read:

Update October 10, 2022

14:00 | Since our last update Friday, Microsoft has published several updates on their initial blog regarding ProxyNotShell. The blog of Microsoft, including all updates, can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Again, Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.

It is advised to review the updated blog of Microsoft and apply the updated mitigations.

Update October 5, 2022

12:00 | Microsoft has published an update on their initial blog regarding ProxyNotShell, which can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.

It is advised to review the updated blog of Microsoft and apply the updated mitigations.

Update October 3, 2022

14:00 | We updated our blog about ProxyNotShell. Microsoft has published a second blog, providing more information. The blog can be found here.

The ProxyNotShell vulnerability is similar to ProxyShell, but ProxyNotShell requires authentication. ProxyNotShell consists of the following two registered vulnerabilities (CVE-numbers):

  • CVE-2022-41040 – a Server-Side Request Forgery (SSRF) vulnerability
  • CVE-2022-41082 – a remote code execution vulnerability

CVE-2022-41040 enables the execution of CVE-2022-41082, leading to an authenticated remote code execution. For both vulnerabilities authentication is required. However, the authentication required for exploitation can be that of a standard user. User credentials can be acquired via different attacks, such as password spray, phishing or purchased via the cybercriminal economy.

Microsoft Exchange Online is not vulnerable and no mitigating measures are needed. The following versions of on-premises Microsoft Exchange Server are vulnerable and require mitigative measures:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

Mitigation

As there is no patch available yet, it is recommended to apply the URL Rewrite instructions. This will mitigate the SSRF vulnerability CVE-2022-41040, as described in the first blog by Microsoft.

Microsoft has released a script to apply these mitigations, available at: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

Additionally, to mitigate CVE-2022-41082, it is strongly recommended for on-premise Microsoft Exchange Server customers, to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is available here.

Update September 30, 2022

14:00 | On 28 September 2022, Vietnamese IT security company GTSC published a blog in which they described two zero-day vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities are called ProxyNotShell, due to great similarities with the ProxyShell vulnerabilities from august 2021.

There is currently limited information available with regards to the vulnerabilities, impact and mitigating measures. This blog will be updated as more information becomes available.

Reason and background of this blog

This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.

Vulnerability information

On 28 September 2022, Vietnamese IT security company GTSC published a blog in which they described two zero-day vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities are called ProxyNotShell, due to great similarities with the ProxyShell vulnerabilities from august 2021.

There is currently limited information available with regards to the vulnerabilities, impact and mitigating measures. This blog will be updated as more information becomes available.

Potential Risk

The vulnerabilities allows an attacker remote code execution capabilities on on-premises Microsoft Exchange Servers. An attacker needs valid credentials to exploit the vulnerabilities. Microsoft warns that the vulnerabilities are currently being exploited.

Detail info

The Vietnamese IT security company GTSC claims to have found two unknown vulnerabilities in on-premises Microsoft Exchange Servers. GTSC discovered the vulnerabilities while investigating a security incident. The so-called zero-day vulnerabilities have been confirmed by Microsoft and are registered under the following CVE-numbers:

  • CVE-2022-41040 – a Server-Side Request Forgery (SSRF) vulnerability
  • CVE-2022-41082 – a remote code execution vulnerability

There are currently no patches available. It is advised to follow this blog for the latest development and to install patches as soon as they become available.

Microsoft states that Exchange Online is not vulnerable and no mitigating measures are needed. The following vulnerable on-premises Exchange versions require mitigating measures:

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2016
  • Microsoft Exchange Server 2019

GTSC and Microsoft both describe a number of mitigating measures. It’s advised to use the instructions Microsoft has published in their blog.

Subscribe

Do you want to be informed in time? Sign up for our technical updates

Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.

Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.