Affected products
On-Premises Microsoft Exchange Server 2013/16/19
Criticality of the vulnerability(ies)
CVSS Scores: 8.8 and 6.3
Impact
Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE)
Description
The zero-day vulnerabilities were first reported by the Vietnamese cybersecurity group GTSC. They appear to be present only in on-premises versions, i.e. only in locally hosted Microsoft Exchange servers. Exchange Online users therefore do not need to take any action.
According to Microsoft, this is a server-side request forgery vulnerability, as well as a remote code execution vulnerability. In order for attackers to exploit the RCE vulnerability (CVE-2022-41082), they must first successfully exploit the SSRF vulnerability (CVE-2022-41040), which in turn can only be exploited by authenticated users.
In the case of an SSRF vulnerability, attackers abuse the server's own functionality to make requests on their behalf and can thereby both access and manipulate information that resides on the server.
An RCE vulnerability allows attackers to remotely execute code and scripts on the victim's server and potentially to manipulate any part of the IT infrastructure reachable from it.
CVEs
CVE-2022-41040
CVE-2022-41082
Mitigation, avoidance measures and recommended actions
[Update]
With the November patch, Microsoft also delivered a fix for the two vulnerabilities. Since 8.11.22 the official patch has been available for installation.
We recommend installing this update as soon as possible!
The previous workaround is rendered obsolete by the Microsoft patch update.
References and links
[1] Security Advisory: https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
[2] Security Advisory: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/
[3] Security Advisory: https://www.heise.de/news/Exchange-Server-Zero-Day-Bisheriger-Workaround-unzureichend-7283072.html
[4] Security Advisory: https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
[5] Security Advisory: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[6] Security Advisory: https://www.heise.de/news/Exchange-Zero-Day-Luecke-Nochmals-nachgebesserter-Workaround-7304522.html