Exchange Server OWASSRF Vulnerability (CVE-2022-41080/CVE-2022-41082) Alert


January 1, 2023 | NSFOCUS

Overview

Recently, NSFOCUS CERT found that security teams overseas publicly disclosed the technical details of an exploit chain for Exchange Server vulnerabilities. An authenticated remote attacker first exploits an Exchange Server privilege escalation vulnerability (CVE-2022-41080) through the Outlook Web Application (OWA) endpoint to gain the ability to run PowerShell in the context of the system. With that PowerShell access, the attacker can then execute arbitrary code on the target system through the Exchange Server remote code execution vulnerability (CVE-2022-41082). This exploit chain bypasses the mitigation measures Microsoft officially provided for "ProxyNotShell". Affected users are requested to take protective measures as soon as possible.

Reference link:

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082

Scope of Impact

Affected versions

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2016 Cumulative Update 23
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2019 Cumulative Update 12

Attack Investigation

1. Visit the link to download the script:

https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1

2. Run the script. Note that if the file is downloaded directly, the & character in it may be corrupted and the script will fail to run; it is recommended to copy the script's code directly and save it into a new .ps1 file.

powershell C:\Users\admin\Desktop\Rps_Http-IOC.ps1

The default path of the logs the script reads is:

C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\Powershell-Proxy\Http

3. The running result is shown in the figure below:

The output clearly shows the attacked mailbox, the source address, the attack sequence and the number of successful requests.
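The investigation steps above rely on CrowdStrike's script, whose output is only shown as a figure. The script below is an added example (it is not NSFOCUS's advisory code and not CrowdStrike's Rps_Http-IOC.ps1) that shows what such a summary of the Powershell-Proxy HTTP logs looks like: it reads the "#Fields:" header that Exchange writes at the top of each log file, parses the remaining lines as CSV, and groups requests by authenticated user and client address with a count of successful (HTTP 200) requests. The column names AuthenticatedUser, ClientIpAddress, UrlStem, HttpStatus and UserAgent, the function names, and the embedded sample log lines (with RFC 5737 test addresses) are assumptions constructed for this example and must be checked against the "#Fields:" line of a real log before use.

```powershell
# Added example, not from the NSFOCUS advisory or from CrowdStrike's script.
# Summarises Exchange Powershell-Proxy HTTP logs by authenticated user and
# client IP address. Column names below are ASSUMED; check them against the
# "#Fields:" header of a real log file.
param(
    # Default location given in the advisory; only used when -UseSample is absent.
    [string]$LogPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\Powershell-Proxy\Http',
    [switch]$UseSample
)

# Constructed sample log in the Exchange "#"-header CSV layout (not real data).
$SampleLog = @'
#Software: Microsoft Exchange Server
#Log-type: Rps Http Logs
#Fields: DateTime,AuthenticatedUser,ClientIpAddress,UrlStem,HttpStatus,UserAgent
2022-12-20T10:15:01.000Z,contoso\alice,203.0.113.10,/powershell,200,Mozilla/5.0
2022-12-20T10:15:09.000Z,contoso\alice,203.0.113.10,/powershell,200,Mozilla/5.0
2022-12-20T10:15:20.000Z,contoso\alice,203.0.113.10,/powershell,500,Mozilla/5.0
2022-12-20T11:02:44.000Z,contoso\bob,198.51.100.7,/powershell,200,Microsoft WinRM Client
'@

function ConvertFrom-RpsHttpLogLines {
    # Turns the raw lines of one log file into objects using the "#Fields:" header.
    param([string[]]$Lines)
    $fieldsLine = $Lines | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
    if (-not $fieldsLine) { return @() }
    $header = ($fieldsLine -replace '^#Fields:\s*', '').Split(',')
    # Every non-empty line that is not a "#" metadata line is a CSV record.
    $records = $Lines | Where-Object { $_ -and -not $_.StartsWith('#') }
    $records | ConvertFrom-Csv -Header $header
}

function Get-RpsHttpSummary {
    # One row per (user, client IP) pair: request count, successes, time span, user agents.
    param([object[]]$Entries)
    $Entries |
        Group-Object AuthenticatedUser, ClientIpAddress |
        ForEach-Object {
            $sorted = $_.Group | Sort-Object DateTime
            [pscustomobject]@{
                AuthenticatedUser = $_.Group[0].AuthenticatedUser
                ClientIpAddress   = $_.Group[0].ClientIpAddress
                Requests          = $_.Count
                Successful        = @($_.Group | Where-Object { $_.HttpStatus -eq '200' }).Count
                FirstSeen         = $sorted[0].DateTime
                LastSeen          = $sorted[-1].DateTime
                UserAgents        = ($_.Group.UserAgent | Sort-Object -Unique) -join '; '
            }
        } |
        Sort-Object Successful, Requests -Descending
}

if ($UseSample) {
    $entries = ConvertFrom-RpsHttpLogLines -Lines ($SampleLog -split "`r?`n")
} else {
    $entries = Get-ChildItem -Path $LogPath -Filter '*.log' |
        ForEach-Object { ConvertFrom-RpsHttpLogLines -Lines (Get-Content -LiteralPath $_.FullName) }
}

Get-RpsHttpSummary -Entries $entries | Format-Table -AutoSize
```

Run it with -UseSample to see the constructed data summarised offline (two rows: alice from 203.0.113.10 with 3 requests and 2 successes, bob from 198.51.100.7 with 1 request and 1 success); without the switch it walks the advisory's default log directory. A pair with many successful requests from an external address is what to review first, and the user-agent column helps separate ordinary client traffic from unexpected tooling.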

Vulnerability Detection

NSFOCUS Remote Security Assessment System (RSAS), Web Application Vulnerability Scanning System (WVSS), Network Intrusion Detection System (IDS) and Integrated Threat Probe (UTS) can scan for and detect this vulnerability. Users who have deployed these devices are requested to upgrade to the latest version.

Product                          | Version No.       | Link
RSAS V6 System plug-in package   | V6.0R02F01.2906   | http://update.nsfocus.com/update/listRsasDetail/v/vulsys
RSAS V6 Web plug-in package      | V6.0R02F00.2804   | http://update.nsfocus.com/update/listRsasDetail/v/vulweb
WVSS V6 Plug-in upgrade package  | V6.0R03F00.265    | http://update.nsfocus.com/update/listWvssDetail/v/6/t/plg
IDS                              | 5.6.11.28923      | http://update.nsfocus.com/update/downloads/id/135638
IDS                              | 5.6.10.28923      | http://update.nsfocus.com/update/downloads/id/135637
UTS                              | 5.6.10.28923      | http://update.nsfocus.com/update/downloads/id/135667

Mitigation

Microsoft has officially released security patches that fix these vulnerabilities for supported product versions. Affected users are advised to enable automatic system updates and install the patches. If the update does not install successfully, the offline installation package can be downloaded directly and applied.

In response to the vulnerabilities mentioned above, NSFOCUS has released rule upgrade packages for its Network Intrusion Prevention System (IPS), Web Application Firewall (WAF) and Next-Generation Firewall (NF). Relevant users are requested to upgrade the rule packages to the latest version so that these products can provide protection. The rule versions of the security protection products are as follows:

Product | Version No.    | Link                                                  | Rule No.
IPS     | 5.6.11.28923   | http://update.nsfocus.com/update/downloads/id/135638  | 25803
IPS     | 5.6.10.28923   | http://update.nsfocus.com/update/downloads/id/135637  | 25802
WAF     | 6.0.7.3.58018  | http://update.nsfocus.com/update/downloads/id/135588  | 27005147
WAF     | 6.0.7.0.58018  | http://update.nsfocus.com/update/downloads/id/135589  | 27005147
NF      | 6.0.1.890      | http://update.nsfocus.com/update/downloads/id/135633  | 25807
NF      | 6.0.2.890      | http://update.nsfocus.com/update/downloads/id/135634  | 25807

Temporary Mitigation

1. If the patch cannot be applied for the time being, it is recommended to disable OWA to reduce exposure to this vulnerability.

2. Prohibit non-admin users from using remote PowerShell access

Microsoft officially strongly recommends that Exchange Server users disable remote PowerShell access for non-admin users in their organization:

  • Use the Exchange Management Shell to disable remote PowerShell access for individual users

Set-User "<username>" -RemotePowerShellEnabled $false

Example: To disable remote PowerShell access for the user "Therese Lindqvist":

Set-User "Therese Lindqvist" -RemotePowerShellEnabled $false

  • Use the Exchange Management Shell to disable remote PowerShell access for multiple users

(1) Disable for multiple users based on existing attributes

Step 1

$<VariableName> = <Get-Mailbox | Get-User> -ResultSize unlimited -Filter <Filter>

Step 2

$<VariableName> | foreach {Set-User -RemotePowerShellEnabled $false}

Example: To remove remote PowerShell access for all users whose Title attribute contains the value "Sales Associate":

Step 1

$DSA = Get-User -ResultSize unlimited -Filter "(RecipientType -eq 'UserMailbox') -and (Title -like '*Sales Associate*')"

Step 2

$DSA | foreach {Set-User -RemotePowerShellEnabled $false}

(2) Disable according to a specific user list

Step 1

$<VariableName> = Get-Content <text file>

Step 2

$<VariableName> | foreach {Set-User -RemotePowerShellEnabled $false}

Example: To remove remote PowerShell access for all users listed in C:\My Documents\NoPowerShell.txt:

Step 1

$NPS = Get-Content "C:\My Documents\NoPowerShell.txt"

Step 2

$NPS | foreach {Set-User -RemotePowerShellEnabled $false}

For the above operations of disabling remote PowerShell access for users, please refer to the following link for details:

https://learn.microsoft.com/en-us/powershell/exchange/control-remote-powershell-access-to-exchange-servers?view=exchange-ps&viewFallbackFrom=exchange-ps%22%20%5Cl%20%22use-the-exchange-management-shell-to-enable-or-disable-remote-powershell-access-for-a-user
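The two-step commands above disable the setting but do not show whether it was already disabled, protect administrators from being locked out of their own remote shell, or confirm the stored value afterwards. The script below is an added example (not the advisory's or Microsoft's code) that performs the user-list variant as a dry run by default and only changes accounts when -Apply is given, skipping members of an administrative role group and re-reading each user after the change. It is meant to be run from the Exchange Management Shell; the list file path is the advisory's example path, and the protected role group "Organization Management", the function-free layout, and the use of DistinguishedName to match role group members against Get-User results are assumptions.

```powershell
# Added example, not from the NSFOCUS advisory or Microsoft documentation.
# Disables remote PowerShell for users listed in a text file (one identity per
# line), skips administrators, and verifies the stored value afterwards.
# Run in the Exchange Management Shell. Without -Apply nothing is changed.
param(
    [string]$UserListPath = 'C:\My Documents\NoPowerShell.txt',   # advisory's example path
    [string[]]$ProtectedRoleGroups = @('Organization Management'), # ASSUMED group to protect
    [switch]$Apply
)

if (-not (Test-Path -LiteralPath $UserListPath)) {
    throw "User list not found: $UserListPath"
}

# Collect DNs of protected role group members so an admin is never locked out.
# ASSUMPTION: role group member objects expose DistinguishedName.
$protected = @{}
foreach ($group in $ProtectedRoleGroups) {
    foreach ($member in (Get-RoleGroupMember -Identity $group -ResultSize Unlimited)) {
        $protected[$member.DistinguishedName] = $true
    }
}

$identities = Get-Content -LiteralPath $UserListPath | Where-Object { $_.Trim() }

$results = foreach ($identity in $identities) {
    $user = Get-User -Identity $identity.Trim() -ErrorAction SilentlyContinue
    if (-not $user) {
        [pscustomobject]@{ Identity = $identity; Action = 'NotFound'; RemotePowerShellEnabled = $null }
        continue
    }
    if ($protected.ContainsKey($user.DistinguishedName)) {
        [pscustomobject]@{ Identity = $user.Name; Action = 'SkippedAdmin'; RemotePowerShellEnabled = $user.RemotePowerShellEnabled }
        continue
    }
    if (-not $user.RemotePowerShellEnabled) {
        [pscustomobject]@{ Identity = $user.Name; Action = 'AlreadyDisabled'; RemotePowerShellEnabled = $false }
        continue
    }
    if ($Apply) {
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        # Re-read the object so the report shows the stored value, not the request.
        $after = (Get-User -Identity $user.Identity).RemotePowerShellEnabled
        [pscustomobject]@{ Identity = $user.Name; Action = 'Disabled'; RemotePowerShellEnabled = $after }
    } else {
        [pscustomobject]@{ Identity = $user.Name; Action = 'WouldDisable'; RemotePowerShellEnabled = $true }
    }
}

$results | Format-Table -AutoSize
```

Review the dry-run table first; any row marked NotFound points to a typo in the list, and a row marked SkippedAdmin is an account the script deliberately leaves alone. Rerun with -Apply to make the change, and keep the resulting table as a record of which accounts were modified.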

3. Make sure the X-Forwarded-For HTTP request header records the real external IP address

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.