Alert Logic is researching two post-authentication zero-day vulnerabilities affecting Microsoft Exchange Server: CVE-2022-41040 and CVE-2022-41082. The first is a Server-Side Request Forgery (SSRF); the second allows remote code execution (RCE) when PowerShell is accessible to the attacker. Microsoft describes the two as a chain: an authenticated attacker uses the SSRF to reach the Exchange PowerShell endpoint and from there trigger the RCE.
Who is affected?
All customers running on-premises versions of Microsoft Exchange Server 2013, 2016, and 2019 are affected. Customers running hybrid infrastructure may also be affected.
Because both vulnerabilities require the attacker to first authenticate to Exchange, widespread exploitation is not expected; Alert Logic nevertheless recommends applying Microsoft's patch as soon as it is released. Until a patch is available, apply the mitigation steps published by Microsoft (linked below), keeping in mind that they block the known attack pattern but do not remove the underlying vulnerabilities.
What can I do?
Microsoft has published steps to apply an IIS URL Rewrite rule that blocks the known attack pattern on the Autodiscover endpoint, and to block the Remote PowerShell ports (TCP 5985 for HTTP and 5986 for HTTPS) for non-admin users. These instructions and additional vulnerability details are available in a blog post from the Microsoft Security Response Center.
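As an added example, not part of this article and not Microsoft's published mitigation script, the following PowerShell performs a read-only check of a server against those interim mitigations: it reports the installed Exchange build, looks for a URL Rewrite rule that aborts requests matching both autodiscover.json and PowerShell, lists listeners and firewall rules for the Remote PowerShell ports, and searches the front-end IIS logs for the request shape the rewrite rule blocks. The site names, the regex fragments, the port numbers and the log location are assumptions taken from Microsoft's guidance and Exchange defaults; confirm them against the current version of the MSRC post before relying on the result.

```powershell
# Added example (not Alert Logic's or Microsoft's code): read-only check of the ProxyNotShell interim
# mitigations on an on-premises Exchange 2013/2016/2019 server. Run in an elevated PowerShell session
# on the Exchange server. Assumptions: the rewrite rule lives under "Default Web Site" (or its
# Autodiscover application), its pattern mentions autodiscover.json and PowerShell, and Remote
# PowerShell uses TCP 5985/5986. Verify these against the current MSRC guidance.
Import-Module WebAdministration

function Get-ExchangeBuild {
    # ExSetup.exe sits in the Exchange bin directory, which Exchange adds to PATH; its file version is
    # the installed build, to compare against the fixed builds Microsoft lists with the patch.
    $exsetup = Get-Command -Name ExSetup.exe -ErrorAction SilentlyContinue
    if ($exsetup) { $exsetup.FileVersionInfo.ProductVersion } else { 'ExSetup.exe not found in PATH' }
}

function Test-RewriteMitigation {
    # $true if any URL Rewrite rule under the front-end site aborts requests whose URL or condition
    # pattern covers both "autodiscover" and "powershell" (-match is case-insensitive by default).
    $paths = @('IIS:\Sites\Default Web Site', 'IIS:\Sites\Default Web Site\Autodiscover')
    foreach ($path in $paths) {
        $rules = Get-WebConfiguration -PSPath $path -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            $patterns = @($rule.match.url) + @($rule.conditions.Collection | ForEach-Object { $_.pattern })
            $text = $patterns -join ' '
            if ($rule.action.type -eq 'AbortRequest' -and $text -match 'autodiscover' -and $text -match 'powershell') {
                Write-Host ("Mitigation rule present at {0}: '{1}' -> {2}" -f $path, $rule.name, $text)
                return $true
            }
        }
    }
    return $false
}

function Get-RemotePowerShellExposure {
    # Local listeners on the Remote PowerShell ports, and the enabled inbound firewall rules that name
    # them. Port ranges such as "5985-5986" are not expanded here; review those by hand.
    $portStrings = @('5985', '5986')
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $portStrings -contains "$($_.LocalPort)" } |
        ForEach-Object { Write-Host ("Listening: {0}:{1}" -f $_.LocalAddress, $_.LocalPort) }

    # Walks every enabled inbound rule once; slow on hosts with many rules but has no side effects.
    Get-NetFirewallRule -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and ($pf.LocalPort | Where-Object { $portStrings -contains $_ })
        } |
        Select-Object DisplayName, Action, Profile
}

function Find-ExploitAttempts {
    # Searches the front-end site's IIS logs for the request shape the rewrite rule blocks. The regex
    # is an assumption taken from Microsoft's guidance; a hit is a candidate for investigation, not proof.
    $site   = Get-Website -Name 'Default Web Site'
    $dir    = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
    $logDir = Join-Path $dir ("W3SVC{0}" -f $site.id)
    Get-ChildItem -Path $logDir -Filter '*.log' -Recurse -ErrorAction SilentlyContinue |
        Select-String -Pattern 'autodiscover\.json.*\@.*powershell' |
        Select-Object Filename, LineNumber, Line
}

Write-Host ("Exchange build: {0}" -f (Get-ExchangeBuild))
Write-Host ("URL Rewrite mitigation present: {0}" -f (Test-RewriteMitigation))
Get-RemotePowerShellExposure | Format-Table -AutoSize
Find-ExploitAttempts | Format-Table -AutoSize
```

A present rewrite rule only means the known request pattern is blocked on that server; it says nothing about whether the build is patched, so the build number is still the value to compare against Microsoft's release notes once the fix ships. Log hits should be correlated with the authenticated user in the IIS record before being treated as exploitation.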
This knowledge base article will be updated when a patch is announced from Microsoft. To be alerted when updates are made to this article, click FOLLOW at the top of this article.
How is Alert Logic helping me?
Alert Logic is actively researching this threat to build detection capabilities. Alert Logic appliances and infrastructure are not affected by these vulnerabilities.
Vulnerability Scanning: Alert Logic released scan coverage for these vulnerabilities on October 4, 2022, by 23:00 CDT. An authenticated scan performed after that release checks the installed version of Microsoft Exchange Server and whether Microsoft's mitigation has been applied. If a vulnerable version is found or the mitigation is missing, an exposure is raised for CVE-2022-41040 and CVE-2022-41082.
Log Management: Alert Logic has deployed initial telemetry analytics to aid in detection research.
Alert Logic has kicked off the Emerging Threat process for these vulnerabilities. This article will be updated with new information about them and related Alert Logic coverage as it becomes available. To follow updates, click FOLLOW at the top of this article. You must be signed into the Support Center using your Alert Logic product credentials to follow this article.
09/30/2022: Log telemetry analytics have been deployed to aid in detection research.
10/05/2022: Authenticated scan coverage was released on October 4, 2022, by 23:00 CDT to identify these vulnerabilities.