[German]Are Microsoft Exchange servers on the current patch level still vulnerable via the remote code execution vulnerability CVE-2022-23277? Some fragments of information have just come to my attention that at least raise questions. In any case, the disclosure of the details that led to the vulnerability is interesting. I'll try to summarize the information as best as I can.
Short review of CVE-2022-23277
CVE-2022-23277 is a remote code execution vulnerability rated as critical (score 8.8), which requires an attacker to be authenticated. However, only an authenticated role with low privileges (PR:L) is required on the Exchange Server. The attacker for this vulnerability could attack the server accounts for arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server account via a network call. The vulnerability was found and reported by Markus Wulftange. Microsoft closed two vulnerabilities rated as critical, including the remote code execution vulnerability CVE-2022-23277 with a patch for Exchange Server 2013 – 2019 in March 2022.
Disclosure of the issue
Markus Wulftangepublished his findings in the post Bypassing .NET Serialization Binders as of June 28, 2022. He addresses in the post that serialization binders are often used under .NET framework to validate the types specified in the serialized data. The goal is to prevent the deserialization of dangerous types that can have malicious side effects with runtime serializers such as the BinaryFormatter.
In his blog post, Wulftange takes a look at cases where this check can fail and consequently allow validation to be bypassed. He also cites two real-world examples of insecure serialization binders in the DevExpress framework (CVE-2022-28684) and Microsoft Exchange (CVE-2022-23277) that he goes over. Both vulnerabilities allow remote code execution.
It is "dry programmer stuff" for .NET developers, I'm too many years out of this business to dig through the details. Markus Wulftange's conclusion: the insecure serializers BinaryFormatter, SoapFormatter and NetDataContractSerializer should be discontinued and legacy code should be migrated to the preferred alternatives.
Tinfanu-CUP and Exchange Hack
What immediately rang a bell for me was the tweet shown below. The statement: the PoC exploit code for vulnerability CVE-2022-23277, which was used in Tianfu contest to hack Microsoft Exchange Server (don't know if the contest was 2021 or 2022), still works with a slightly tweaked approach. In the screenshot you can see that MSExchangePowerShell was used – here to call Paint.
My first reading was, this is true, even for a fully patched Exchange Server that had the security updates installed in March 2022 to close the vulnerability. But the comment below say, that this can't be said. The Tinfanu PoC seems to work only on an unpatched Exchange. But my reading of the details of the vulnerability means, that Microsoft is using a lot of legacy code which uses the serialization binding. That bears the risk, that other code locations with serial bindings may not properly checked for malicious parameters – Microsoft just patched a specific code location.
What to do?
I can't say at this point, if my interpretation is true, whether this will have an immediate negative impact on Exchange and Sharepoint installations. But the feeling remains that there are some security-related bugs lurking in the .NET code when it comes to testing serialization bindings. It's only a matter of time before the next patch is due because this is being exploited.
So the question remains what administrators of Exchange servers can do, to mitigate possible attack vectors. Ad hoc, the usual advice comes to mind: Ensure that Exchange and OWA are not directly accessible via the Internet and, if necessary, that they are isolated via a reverse proxy.
In the concrete case there is another point. To exploit CVE-2022-23277, the attacker needs authenticated access to an Exchange account. Here you need to make sure that there are no orphaned accounts (employees who have left) and that the accounts cannot be hacked via weak passwords using brute force. If something is missing, you can add it in the comments.
Cookies helps to fund this blog: Cookie settings