Overview
Recently, NSFOCUS CERT found that security teams overseas had publicly disclosed the technical details of an exploit chain for Exchange Server vulnerabilities. An authenticated remote attacker exploits an Exchange Server privilege escalation vulnerability (CVE-2022-41080) through the Outlook Web Application (OWA) endpoint to gain the ability to execute PowerShell in the context of the system. With that PowerShell access, the attacker can then execute arbitrary code on the target system through the Exchange Server remote code execution vulnerability (CVE-2022-41082). This exploit chain bypasses the mitigation measures Microsoft officially provided for “ProxyNotShell”. Affected users are requested to take protective measures as soon as possible.
Reference link:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082
Scope of Impact
Affected version
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 22
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 11
- Microsoft Exchange Server 2019 Cumulative Update 12
Attack Investigation
1. Visit the link to download the script:
https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
2. Run the script (note that if you download the file directly, the & symbol may be corrupted and the script will not run; it is recommended to copy the code and paste it into a new .ps1 file instead):
powershell C:\Users\admin\Desktop\Rps_Http-IOC.ps1
The logs are located by default at:
C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\Powershell-Proxy\Http
3. The running result is shown in the figure below:
You can clearly see the mailbox being attacked, the source, the attack process, and the number of successes.
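The CrowdStrike script summarises who was targeted, from where, and how often. The following is an added example written for this advisory (it is not the CrowdStrike script and not NSFOCUS code) showing how the same kind of triage can be done by hand over Exchange-format logs: a parser for the `#Fields:`-style CSV layout used by Exchange log files and a summary per authenticated user and source IP. The sample lines are constructed, and the column names (DateTime, AuthenticatedUser, ClientIpAddress, UrlStem, HttpStatus, UserAgent) are assumptions; check the `#Fields:` line of your own Rps_Http logs and adjust the names if they differ.

```powershell
# Added example, not the CrowdStrike Rps_Http-IOC.ps1 script or NSFOCUS code.
# Reads Exchange-format CSV logs (comment lines begin with '#', the column list
# sits on the '#Fields:' line) and summarises requests per authenticated user
# and source IP. The field names used below are assumed for illustration.

function Import-ExchangeCsvLog {
    param([Parameter(Mandatory)][string[]]$Lines)

    # The header is the first '#Fields:' comment line; the other '#' lines
    # (#Software, #Version, #Log-type, #Date) are metadata and are skipped.
    $header = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $header) { throw 'No "#Fields:" header line found in log data.' }
    $columns = ($header -replace '^#Fields:\s*', '') -split ','

    $Lines |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv -Header $columns
}

function Get-RpsHttpSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Only requests to the remote PowerShell endpoint are of interest here.
        [string]$UrlStemPattern = '^/powershell'
    )

    Import-ExchangeCsvLog -Lines $Lines |
        Where-Object { $_.UrlStem -match $UrlStemPattern } |
        Group-Object AuthenticatedUser, ClientIpAddress |
        ForEach-Object {
            # Wrap in @() so a single timestamp is still indexable as an array.
            $times = @($_.Group.DateTime | Sort-Object)
            [pscustomobject]@{
                AuthenticatedUser = $_.Group[0].AuthenticatedUser
                ClientIpAddress   = $_.Group[0].ClientIpAddress
                Requests          = $_.Count
                Succeeded         = @($_.Group | Where-Object { $_.HttpStatus -eq '200' }).Count
                UserAgents        = (@($_.Group.UserAgent | Sort-Object -Unique)) -join '; '
                FirstSeen         = $times[0]
                LastSeen          = $times[-1]
            }
        } |
        Sort-Object Requests -Descending
}

# Constructed sample in the Exchange log layout (not real log data).
$sampleLog = @(
    '#Software: Microsoft Exchange Server',
    '#Version: 15.01.2507.016',
    '#Log-type: Rps Http Logs',
    '#Date: 2022-12-22T00:00:00.000Z',
    '#Fields: DateTime,AuthenticatedUser,ClientIpAddress,UrlStem,HttpStatus,UserAgent',
    '2022-12-22T01:00:01.000Z,contoso\alice,203.0.113.10,/powershell,401,Microsoft WinRM Client',
    '2022-12-22T01:00:02.000Z,contoso\alice,203.0.113.10,/powershell,200,Microsoft WinRM Client',
    '2022-12-22T01:00:03.000Z,contoso\alice,203.0.113.10,/powershell,200,Microsoft WinRM Client',
    '2022-12-22T01:05:00.000Z,contoso\bob,192.0.2.20,/powershell,200,Microsoft WinRM Client',
    '2022-12-22T01:06:00.000Z,contoso\bob,192.0.2.20,/owa/,200,Mozilla/5.0'
)

Get-RpsHttpSummary -Lines $sampleLog | Format-Table -AutoSize
```

To run this against a real server, replace `$sampleLog` with the contents of the log directory named above, for example `Get-ChildItem -Path $logDir -Filter *.LOG | Get-Content`; the parser takes the first `#Fields:` line it sees and ignores the repeated metadata headers of the other files, so all files must share the same column list. A single mailbox user appearing from an unfamiliar external address with many successful requests to /powershell is the pattern worth following up, together with the X-Forwarded-For handling described under Temporary Mitigation.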
Vulnerability Detection
NSFOCUS Remote Security Assessment System (RSAS), Web Application Vulnerability Scanning System (WVSS), Network Intrusion Detection System (IDS), and Integrated Threat Probe (UTS) are able to scan for and detect this vulnerability; users who have deployed these products are requested to upgrade them to the latest version.
Mitigation
At present, Microsoft has officially released a security patch to fix this vulnerability for supported product versions. It is recommended that affected users enable automatic system updates and install patches for protection. If the update patch is not successfully installed, you can directly download the offline installation package for update.
In response to the vulnerabilities mentioned above, NSFOCUS has released rule upgrade packages for its Network Intrusion Prevention System (IPS), Web Application Firewall (WAF) and Next-Generation Firewall (NF). Relevant users are requested to upgrade the rule packages to the latest version so that these products can protect against the vulnerabilities. The rule versions for each product are as follows:
| Product | Version No. | Link | Rule No. |
| --- | --- | --- | --- |
| IPS | 5.6.11.28923 | http://update.nsfocus.com/update/downloads/id/135638 | 25803 |
| IPS | 5.6.10.28923 | http://update.nsfocus.com/update/downloads/id/135637 | 25802 |
| WAF | 6.0.7.3.58018 | http://update.nsfocus.com/update/downloads/id/135588 | 27005147 |
| WAF | 6.0.7.0.58018 | http://update.nsfocus.com/update/downloads/id/135589 | |
| NF | 6.0.1.890 | http://update.nsfocus.com/update/downloads/id/135633 | 25807 |
| NF | 6.0.2.890 | http://update.nsfocus.com/update/downloads/id/135634 | |
Temporary Mitigation
1. If the patch cannot be applied for the time being, it is recommended to disable OWA to mitigate this vulnerability.
2. Prohibit non-admin users from using remote PowerShell access
Microsoft officially strongly recommends that Exchange Server users disable remote PowerShell access for non-admin users in their organization:
- Use the Exchange Management Shell to disable remote PowerShell access for individual users
Set-User "<username>" -RemotePowerShellEnabled $false
Example: To disable remote PowerShell access for the username “Therese Lindqvist”:
Set-User "Therese Lindqvist" -RemotePowerShellEnabled $false
- Use the Exchange Management Shell to disable remote PowerShell access for multiple users
(1) Disable for multiple users based on existing attributes
Step 1
$<VariableName> = <Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter>
Step 2
$<VariableName> | foreach {Set-User -Identity $_.Identity -RemotePowerShellEnabled $false}
Example: To remove remote PowerShell access for all users whose Title attribute contains the value “Sales Associate”:
Step 1
$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"
Step 2
$DSA | foreach {Set-User -Identity $_.Identity -RemotePowerShellEnabled $false}
(2) Disable according to a specific user list:
Step 1
$<VariableName> = Get-Content <text file>
Step 2
$<VariableName> | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}
Example: To remove remote PowerShell access for all users listed in C:\My Documents\NoPowerShell.txt (one user per line):
Step 1
$NPS = Get-Content "C:\My Documents\NoPowerShell.txt"
Step 2
$NPS | foreach {Set-User -Identity $_ -RemotePowerShellEnabled $false}
For the above operations of disabling remote PowerShell access for users, please refer to the following link for details:
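The steps above show how to disable remote PowerShell for one user, for users matching a filter, and for users in a list. The following added example (written for this advisory; it is not Microsoft's or NSFOCUS's code) combines them into the operation Microsoft actually recommends, disabling access for every mailbox user except members of an administrative role group, and then reports who still has access so the change can be verified. It must be run from an Exchange Management Shell session; the role group name "Organization Management" and the use of the Identity property as the matching key are assumptions to adapt to your organisation. Identity is passed to Set-User explicitly so the cmdlet never prompts for it inside the loop.

```powershell
# Added example, not Microsoft's or NSFOCUS's code. Requires an Exchange
# Management Shell session. Runs in -WhatIf (dry-run) mode unless -Apply is given.
function Disable-NonAdminRemotePowerShell {
    param(
        # Members of these role groups keep remote PowerShell access.
        # "Organization Management" is an assumption; adjust for your environment.
        [string[]]$AdminRoleGroups = @('Organization Management'),
        [switch]$Apply
    )

    # Build the set of identities that must keep access (matching on the
    # Identity string is an assumption; both cmdlets expose it in canonical form).
    $keep = @{}
    foreach ($group in $AdminRoleGroups) {
        Get-RoleGroupMember -Identity $group -ResultSize Unlimited |
            ForEach-Object { $keep[$_.Identity.ToString()] = $true }
    }

    # Candidates: mailbox users that currently still have remote PowerShell enabled.
    $targets = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object {
            $_.RemotePowerShellEnabled -and -not $keep.ContainsKey($_.Identity.ToString())
        }

    foreach ($user in $targets) {
        # Identity is passed explicitly so Set-User never prompts for it.
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false -WhatIf:(-not $Apply)
    }

    # Report who still has access after the change, for the change record.
    Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
        Where-Object { $_.RemotePowerShellEnabled } |
        Select-Object Name, Identity, RemotePowerShellEnabled
}

# Dry run first (prints "What if:" lines only), then apply:
# Disable-NonAdminRemotePowerShell
# Disable-NonAdminRemotePowerShell -Apply
```

Two caveats: Get-RoleGroupMember returns the direct members of a role group, so administrators who hold rights only through a nested group must be added to the exclusion list explicitly, and service or automation accounts that legitimately use remote PowerShell should be included in `$AdminRoleGroups` or excluded the same way before running with -Apply.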
3. Make sure the X-Forwarded-For HTTP request header records the real external IP address
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.