ProxyNotShell Vulnerability

This live blog contains information regarding the ProxyNotShell vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog. Last updated on December 27, 2022.

Update December 27, 2022

14:00 | On the 20th of December 2022, security company CrowdStrike has published a blog regarding the ProxyNotShell vulnerability. Microsoft released security updates in November 2022. Before the release of the security updates, several URL rewrite rules were advised as a workaround. CrowdStrike now describes an observation of a bypass of the latest version of the URL rewrite rule mitigations, allowing an adversary to exploit CVE-2022-41080 and CVE-2022-41082.

Microsoft has released security updates for CVE-2022-41040, CVE-2022-41080 and CVE-2022-41082. As the existing workarounds are known to be bypassed, it is strongly recommended to apply the security updates as soon as possible. The security updates are available for:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

After applying the security updates, the mitigations can be removed.

For more information, please read:

• Crowdstrike blog – https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
• Microsoft security blog – https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
• Microsoft Exchange SSU 11-2022 – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045

Update November 10, 2022

15:30 | On the 8th of November 2022, Microsoft has released security updates for CVE-2022-41040 and CVE-2022-41082, also known as ProxyNotShell. It is strongly recommended to apply the security updates, even if you have applied the mitigation workaround published in our initial post. The security updates are available for:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

The mitigations can be removed, but only after applying the security updates.

For more information, please read:

• https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
• https://techcommunity.microsoft.com/t5/exchange-team-blog/released-november-2022-exchange-server-security-updates/ba-p/3669045

Update October 10, 2022

14:00 | Since our last update Friday, Microsoft has published several updates on their initial blog regarding ProxyNotShell. The blog of Microsoft, including all updates, can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Again, Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.

It is advised to review the updated blog of Microsoft and apply the updated mitigations.

Update October 5, 2022

12:00 | Microsoft has published an update on their initial blog regarding ProxyNotShell, which can be found here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Microsoft has made important changes to the mitigation steps related to CVE-2022-41040. The pattern used for the URL rewrite rule has been improved, as bypasses were published for the initial pattern.

It is advised to review the updated blog of Microsoft and apply the updated mitigations.

Update October 3, 2022

14:00 | We updated our blog about ProxyNotShell. Microsoft has published a second blog, providing more information. The blog can be found here.

The ProxyNotShell vulnerability is similar to ProxyShell, but ProxyNotShell requires authentication. ProxyNotShell consists of the following two registered vulnerabilities (CVE-numbers):

• CVE-2022-41040 – a Server-Side Request Forgery (SSRF) vulnerability
• CVE-2022-41082 – a remote code execution vulnerability

CVE-2022-41040 enables the execution of CVE-2022-41082, leading to an authenticated remote code execution. For both vulnerabilities authentication is required. However, the authentication required for exploitation can be that of a standard user. User credentials can be acquired via different attacks, such as password spray, phishing or purchased via the cybercriminal economy.

Microsoft Exchange Online is not vulnerable and no mitigating measures are needed. The following versions of on-premises Microsoft Exchange Server are vulnerable and require mitigative measures:

• Microsoft Exchange Server 2013
• Microsoft Exchange Server 2016
• Microsoft Exchange Server 2019

Mitigation

As there is no patch available yet, it is recommended to apply the URL Rewrite instructions. This will mitigate the SSRF vulnerability CVE-2022-41040, as described in the first blog by Microsoft.

Microsoft has released a script to apply these mitigations, available at: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

Additionally, to mitigate CVE-2022-41082, it is strongly recommended for on-premise Microsoft Exchange Server customers, to disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is available here.

Update September 30, 2022

14:00 | On 28 September 2022, Vietnamese IT security company GTSC published a blog in which they described two zero-day vulnerabilities in on-premises Microsoft Exchange Servers. The vulnerabilities are called ProxyNotShell, due to great similarities with the ProxyShell vulnerabilities from august 2021.

There is currently limited information available with regards to the vulnerabilities, impact and mitigating measures. This blog will be updated as more information becomes available.