CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability

Overview

Severity: High (CVSS 8.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category: Elevation of Privilege
Exploit Status: Actively Exploited
Exploitation Likelihood: Detected
Patch Tuesday: 2022-Sep
Released: 2022-09-30
Last Updated: 2022-11-08
EPSS Score: 94.15% (percentile: 99.9%)
CISA KEV: Listed — due 2022-10-21

FAQ

According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server?
Yes, the attacker must be authenticated.

Do I need to take further steps to be protected from this vulnerability?
Microsoft Exchange Online customers do not need to take any action. Exchange Server customers should review and apply the mitigation instructions described in Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server.

What privileges can an attacker gain by exploiting this vulnerability?
An attacker who successfully exploits this vulnerability would gain the ability to run PowerShell in the context of the system.

Where can I find more information about this CVE?
Please see Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server for more information.

Detection & Weaponization (3 sources)

Maturity: Detection

  • Metasploit modules: Microsoft Exchange ProxyNotShell RCE
  • YARA rules: expl_cve_2022_41040_proxynoshell.yar, vuln_proxynotshell_cve_2022_41040.yar, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_1, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_2, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_3, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_Powershell_Proxy_Log_Dec22_1, SIGNATURE_BASE_LOG_Proxynotshell_POC_CVE_2022_41040_Nov22, SIGNATURE_BASE_EXPL_Exchange_Proxynotshell_Patterns_CVE_2022_41040_Oct22_1
  • GitHub PoC: 9 repositories

Affected Products (5)

Server Software

  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 22
  • Microsoft Exchange Server 2019 Cumulative Update 11
  • Microsoft Exchange Server 2019 Cumulative Update 12
  • Microsoft Exchange Server 2016 Cumulative Update 23

Security Updates (5)

Acknowledgments

DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with Trend Micro Zero Day Initiative (https://www.zerodayinitiative.com/)

Revision History

  • 2022-09-30: Information published.
  • 2022-10-03: Updated FAQ information. This is an informational change only.
  • 2022-10-05: In the FAQ, updated the Condition Input to {UrlDecode:}. This is an informational change only.
  • 2022-10-07: In the FAQ, updated the information about steps to take to be protected from the vulnerability to refer to Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server for mitigation instructions. This is an informational change only.
  • 2022-11-08: On November 8, 2022, Microsoft released updates to address this vulnerability. Customers who are running an affected version of Microsoft Exchange Server should install the updates to be protected.