CyberInsights
The blog about your IT security

ProxyNotShell On Premise Microsoft Exchange Zero-Day

Affected products

On-Premises Microsoft Exchange Server 2013/16/19

Criticality of the vulnerabilities

CVSS scores: 8.8 and 6.3

Impact

Server-Side Request Forgery (SSRF) and Remote Code Execution (RCE)

Description

The zero-day vulnerabilities were first reported by the Vietnamese cybersecurity group GTSC. They appear to be present only in on-premises versions, i.e. only in locally hosted Microsoft Exchange servers. Exchange Online users would therefore not have to take any measures.

According to Microsoft, the two issues are a server-side request forgery vulnerability and a remote code execution vulnerability. In order for attackers to exploit the RCE vulnerability (CVE-2022-41082), they must first successfully exploit the SSRF vulnerability (CVE-2022-41040), which in turn can only be exploited by authenticated users.

In the case of an SSRF vulnerability, attackers abuse the functionality of the server and can both access and manipulate the information that resides on the server.

An RCE vulnerability allows attackers to remotely execute code and scripts on the victim’s server, potentially manipulating any IT infrastructure.

CVEs

CVE-2022-41040
CVE-2022-41082

Mitigation, avoidance measures and recommended actions

[Update]

With the November patch, Microsoft also delivered a fix for the two vulnerabilities. The official patch has been available for installation since 8.11.22.

We recommend that you install this update as soon as possible!
The Microsoft patch renders the previous workaround obsolete.

References and links

[1] Security Advisory: https://thehackernews.com/2022/09/warning-new-unpatched-microsoft.html
[2] Security Advisory: https://www.bleepingcomputer.com/news/microsoft/microsoft-confirms-new-exchange-zero-days-are-used-in-attacks/
[3] Security Advisory: https://www.heise.de/news/Exchange-Server-Zero-Day-Bisheriger-Workaround-unzureichend-7283072.html
[4] Security Advisory: https://www.bleepingcomputer.com/news/security/microsoft-exchange-server-zero-day-mitigation-can-be-bypassed/
[5] Security Advisory: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
[6] Security Advisory: https://www.heise.de/news/Exchange-Zero-Day-Luecke-Nochmals-nachgebesserter-Workaround-7304522.html
