{"id":26807,"date":"2022-10-04T11:03:22","date_gmt":"2022-10-04T09:03:22","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=26807"},"modified":"2022-10-04T11:03:22","modified_gmt":"2022-10-04T09:03:22","slug":"exchange-server-microsofts-0-day-schutz-aushebelbar-neue-einschtzungen-3-oktober-2022","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2022\/10\/04\/exchange-server-microsofts-0-day-schutz-aushebelbar-neue-einschtzungen-3-oktober-2022\/","title":{"rendered":"Microsoft's 0-day protection bypassed, new assessments (Oct. 3, 2022)"},"content":{"rendered":"

\"Exchange[German<\/a>]A 0-day vulnerability (ZDI-CAN-18333) in Microsoft's on-premises Exchange Servers (2013, 2016, and 2019) has been known since late September 2022. The vulnerabilities (CVE-2022-41040, CVE-2022-41082) are already being exploited in the wild. Microsoft did respond and published a workaround as well as rolled out URI rewrite rules via EMS for protection. But the URI rewrite expressions can be bypassed. In addition, the first (so far fake) exploits are being offered on the Internet. Here is an overview of the latest developments.<\/p>\n

The 0-day vulnerability ZDI-CAN-18333<\/h2>\n

\"\"As of Sept. 29, 2022, I had reported on the 0-day vulnerability ZDI-CAN-18333 in the blog post Exchange Server servers attacked via 0-day exploit (Sept. 29, 2022)<\/a>. Microsoft Exchange Server 2013, 2016 and 2019 are at risk from two unpatched zero-day vulnerabilities CVE-2022-41040 (Server-Side Request Forgery) and CVE-2022-41082 (Remote Code Execution via PowerShell).<\/p>\n

\n

The term ProxyNotShell<\/em> is now used for the vulnerability because the vulnerabilities require a similar attack scenario to ProxyShell, but it is not the ProxyShell vulnerability. <\/p>\n<\/blockquote>\n

Fortunately, an attacker needs authenticated access to the vulnerable Exchange Server to successfully exploit either vulnerability. In addition, he must be able to execute PowerShell scripts (remotely), but then has the option of elevating privileges. On-premises installations that are not accessible via the Internet should be protected against remote attacks. However, many Exchange installations are directly accessible via the Internet (see Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333<\/a>).<\/p>\n

\"Sophos<\/a><\/p>\n

My gut feeling, however, is that the people behind the exploit (presumably based in China) have enough credentials from phishing attacks to attack numerous Exchange servers. The night I came across the above tweet from Sophos supporting this assessment. Sophos picked up on it here<\/a> (see also above tweets)and writes that customers are protected with Sophos security solutions. <\/p>\n

\n

In the meantime, the first (but so far probably fake) exploits for the above vulnerabilities are being offered for sale on the Internet by fraudsters. The colleagues from Bleeping Computer have pointed out the situation in this article<\/a>.<\/p>\n<\/blockquote>\n

Microsoft's workaround can be bypassed<\/h2>\n

Last night I came across the following tweet<\/a> from Kevin Beaumont on Twitter. A security researcher with the alias Jangggg<\/em> looked at the URL pattern described by Microsoft in the blog post Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server<\/a>. His conclusion: the URI blocking rule is not sufficient, and can be easily bypassed. Beaumont verified it and confirms this.  <\/p>\n

\"Exchange<\/a><\/p>\n

Microsoft has added the following guidance to the articles Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server<\/a> as of October 2, 2022:<\/p>\n