Another Remote Code Execution in MS-Exchange

10. October 2022 | Blog

Once again, two severe vulnerabilities hit Microsoft's Exchange Server. Rated 8.8 and 6.3 in the Common Vulnerability Scoring System (CVSS), the still unpatched vulnerabilities CVE-2022-41040 (a server-side request forgery) and CVE-2022-41082 (remote code execution reachable through Exchange's PowerShell endpoint once the first flaw has been used) are a threat to every server that relies on the Microsoft mail system.

Since they are now also being actively exploited by attackers, affected administrators should implement the workaround from Microsoft's blog immediately and keep it in place until the manufacturer has fixed the problem. The vulnerabilities were discovered and published at the end of September by the security company GTSC; a patch from Microsoft is still pending.

Affected: Exchange 2013, 2016 and 2019

All on-premises installations of Microsoft Exchange Server 2013, 2016 and 2019 are affected, including fully patched and well-maintained servers. Customers and products of grommunio are not affected by this vulnerability.

By the vendor's own description (the BSI also maintains a continuously updated report), the flaw allows "remote code execution for authenticated accounts", i.e. the execution of arbitrary code on the server by anyone who holds valid credentials for an ordinary user account. The recommended workaround strongly advises all on-premises customers of Microsoft to disable remote PowerShell access (the Exchange management shell exposed over HTTP) for non-privileged users. Because the code-execution step of the chain runs through that PowerShell endpoint, this is currently the measure that actually removes the attack path and prevents attackers from abusing such accounts to cause serious damage to the server or the local network.
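The workaround above, as an added example that is not part of the original post and not Microsoft's own script: an audit-then-disable pass over all user accounts, run from the Exchange Management Shell on the on-premises server. The list of role groups whose members stay exempt is an assumption of this example (Exchange default group names; adjust to your environment), and the script runs with `-WhatIf` first so nothing changes until the list has been reviewed.

```powershell
# Added example (not from the original post, not Microsoft's guidance verbatim):
# disable remote PowerShell for every user that is not a member of a privileged
# Exchange role group, then verify who is left. Run in the Exchange Management Shell.

# Role groups whose members keep remote PowerShell. ASSUMPTION: adjust to your org.
$exemptGroups = @('Organization Management', 'Server Management', 'Recipient Management')

# Collect the distinguished names of all direct members of the exempt groups.
# Nested groups are not expanded here; add their members explicitly if you use them.
$exempt = @{}
foreach ($g in $exemptGroups) {
    Get-RoleGroupMember -Identity $g | ForEach-Object {
        $exempt[$_.DistinguishedName] = $true
    }
}

# Every user object that currently still has remote PowerShell enabled.
$enabled = @(Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true })

# Everything that is enabled but not exempt is a candidate for disabling.
$toDisable = @($enabled | Where-Object { -not $exempt.ContainsKey($_.DistinguishedName) })

"{0} users have remote PowerShell enabled, {1} are exempt, {2} will be disabled" -f `
    $enabled.Count, ($enabled.Count - $toDisable.Count), $toDisable.Count

# Dry run: -WhatIf prints the intended change for each account without applying it.
$toDisable | Set-User -RemotePowerShellEnabled $false -WhatIf

# Once the dry-run output looks right, apply the change for real:
# $toDisable | Set-User -RemotePowerShellEnabled $false

# Verify afterwards: only the exempt accounts should still show True.
Get-User -ResultSize Unlimited -Filter { RemotePowerShellEnabled -eq $true } |
    Select-Object Name, RecipientType, RemotePowerShellEnabled
```

Keep the verification query around and re-run it after the patch lands and after any provisioning change: newly created mailboxes get `RemotePowerShellEnabled` set to `True` by default, so a one-off pass silently decays unless the check is repeated.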

Initial measures by Microsoft are insufficient

Security experts continue to investigate the problem and share their findings mainly on Twitter. The associated hashtag is #proxynotshell, a reference to ProxyShell, the Exchange vulnerability chain of 2021. The advice that the BSI and Microsoft adopted, to "lock out" all non-privileged users from remote PowerShell, also spread via Twitter, after the mitigation initially proposed by Microsoft was shown not to hold up.


Update

12. October: Contrary to expectations, Microsoft did not ship a patch for the vulnerabilities on its latest patchday (October 11). On top of the problematic workarounds and the ongoing active exploitation, Microsoft now also has to deal with further severe security holes in Windows, Hyper-V and Office. The blog post of Microsoft's Security Response Center is being updated continuously by the US company; the latest entry is from October 9.