This live blog contains information regarding the ProxyNotShell vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on December 27, 2022.
Update December 27, 2022
14:00 | On the 20th of December 2022, security company CrowdStrike has published a blog regarding the ProxyNotShell vulnerability. Microsoft released security updates in November 2022. Before the release of the security updates, several URL rewrite rules were advised as a workaround. CrowdStrike now describes an observation of a bypass of the latest version of the URL rewrite rule mitigations, allowing an adversary to exploit CVE-2022-41080 and CVE-2022-41082.
Microsoft has released security updates for CVE-2022-41040, CVE-2022-41080 and CVE-2022-41082. As the existing workarounds are known to be bypassed, it is strongly recommended to apply the security updates as soon as possible. The security updates are available for:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
After applying the security updates, the mitigations can be removed.
For more information, please read:
- Crowdstrike blog – https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- Microsoft security blog – https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- Microsoft Exchange SSU 11-2022 – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045
Update November 10, 2022
15:30 | On the 8th of November 2022, Microsoft has released security updates for CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. It is strongly recommended to apply the security updates, even if you have applied the mitigation workaround published in our initial post. The security updates are available for:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
The mitigations can be removed, but only after applying the security updates.
For more information, please read:
Update October 10, 2022
14:00 | Since our last update Friday, Microsoft has published several updates on their initial blog regarding ProxyNotShell. The blog of Microsoft, including all updates, can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Again, Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.
It is advised to review the updated blog of Microsoft and apply the updated mitigations.
Update October 5, 2022
12:00 | Microsoft has published an update on their initial blog regarding ProxyNotShell, which can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.
It is advised to review the updated blog of Microsoft and apply the updated mitigations.
Update October 3, 2022
14:00 | We updated our blog about ProxyNotShell. Microsoft has published a second blog, providing more information. The blog can be found here.
The ProxyNotShell vulnerability is similar to ProxyShell, but ProxyNotShell requires authentication. ProxyNotShell consists of the following two registered vulnerabilities (CVE-numbers):
- CVE-2022-41040 – a Server-Side Request Forgery (SSRF) vulnerability
- CVE-2022-41082 – a remote code execution vulnerability
CVE-2022-41040 enables the execution of CVE-2022-41082, leading to an authenticated remote code execution. For both vulnerabilities authentication is required. However, the authentication required for exploitation can be that of a standard user. User credentials can be acquired via different attacks, such as password spray, phishing or purchased via the cybercriminal economy.
Microsoft Exchange Online is not vulnerable and no mitigating measures are needed. The following versions of on-premises Microsoft Exchange Server are vulnerable and require mitigative measures:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Mitigation
As there is no patch available yet, it is recommended to apply the URL Rewrite instructions. This will mitigate the SSRF vulnerability CVE-2022-41040, as described in the first blog by Microsoft.
Microsoft has released a script to apply these mitigations, available at: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/
Additionally, to mitigate CVE-2022-41082, it is strongly recommended for on-premise Microsoft Exchange Server customers, to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is available here.
Update September 30, 2022
14:00 | On 28 September 2022, Vietnamese IT security company GTSC published a blog in which they described two zero-day vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities are called ProxyNotShell, due to great similarities with the ProxyShell vulnerabilities from august 2021.
There is currently limited information available with regards to the vulnerabilities, impact and mitigating measures. This blog will be updated as more information becomes available.
Reason and background of this blog
This blog contains information about vulnerabilities, the possible risk and advice on how to prevent or limit damage. Below are the possible risks, details and background information.
Vulnerability information
On 28 September 2022, Vietnamese IT security company GTSC published a blog in which they described two zero-day vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities are called ProxyNotShell, due to great similarities with the ProxyShell vulnerabilities from august 2021.
There is currently limited information available with regards to the vulnerabilities, impact and mitigating measures. This blog will be updated as more information becomes available.
Potential Risk
The vulnerabilities allows an attacker remote code execution capabilities on on-premises Microsoft Exchange Servers. An attacker needs valid credentials to exploit the vulnerabilities. Microsoft warns that the vulnerabilities are currently being exploited.
Detail info
The Vietnamese IT security company GTSC claims to have found two unknown vulnerabilities in on-premises Microsoft Exchange Servers. GTSC discovered the vulnerabilities while investigating a security incident. The so-called zero-day vulnerabilities have been confirmed by Microsoft and are registered under the following CVE-numbers:
- CVE-2022-41040 – a Server-Side Request Forgery (SSRF) vulnerability
- CVE-2022-41082 – a remote code execution vulnerability
There are currently no patches available. It is advised to follow this blog for the latest development and to install patches as soon as they become available.
Microsoft states that Exchange Online is not vulnerable and no mitigating measures are needed. The following vulnerable on-premises Exchange versions require mitigating measures:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
GTSC and Microsoft both describe a number of mitigating measures. It’s advised to use the instructions Microsoft has published in their blog.
Sources
More information:
- Initial write-up by GTSC – https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html (WayBackMachine)
- Zero Day Initiative (ZDI) Security Alert- https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US
- Blog 1 by Microsoft – https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- Blog 2 by Microsoft – https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- Exchange On-premises Mitigation Tool v2 – https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/
- Techcommunity Microsoft – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045
- Crowdstrike blog – https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
Subscribe
Do you want to be informed in time? Sign up for our technical updates
Would you like to receive these critical vulnerabilities by e-mail from now on? Enter your e-mail address below.
Tesorion uses your personal data to send out requested information and possibly for contact by telephone and for marketing and sales purposes. You can change your preferences whenever you want. Read our privacy policy for more information.