CVE-2022-41082: Microsoft Exchange Server Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8)

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Actively Exploited

Exploitation Likelihood

Detected

Patch Tuesday

2022-Sep

Released

2022-09-30

Last Updated

2022-11-08

EPSS Score

91.48% (percentile: 99.7%)

CISA KEV

Listed — due 2022-10-21

FAQ

According to the CVSS metric, the attack vector is network (AV:N) and the user interaction is none (UI:N). What is the target used in the context of the remote code execution? The attacker for this vulnerability could target the server accounts in an arbitrary or remote code execution. As an authenticated user, the attacker could attempt to trigger malicious code in the context of the server's account through a network call. According to the CVSS metric, privileges required is low (PR:L). Does the attacker need to be in an authenticated role on the Exchange Server? Yes, the attacker must be authenticated. Where can I find more information about this CVE? Please see Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server for more information

Known Exploits (9)

• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-09-03T20:55:20Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-03-22T20:04:07Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2023-02-21T02:59:46Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-12-22T09:35:26Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-12-01T20:48:53Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-11-14T08:31:16Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-10-07T08:10:00Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-10-04T12:04:13Z
• Microsoft Exchange Server Remote Code Execution Vulnerability — added 2022-10-01T11:53:14Z

Detection & Weaponization (4 sources)

Maturity: Detection

• Metasploit modules: Microsoft Exchange ProxyNotShell RCE
• Sigma rules: Potential OWASSRF Exploitation Attempt - Proxy, OWASSRF Exploitation Attempt Using Public POC - Proxy, Potential OWASSRF Exploitation Attempt - Webserver, OWASSRF Exploitation Attempt Using Public POC - Webserver
• YARA rules: SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_1, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_2, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_OWASSRF_Powershell_Proxy_Log_Dec22_3, SIGNATURE_BASE_EXPL_LOG_Proxynotshell_Powershell_Proxy_Log_Dec22_1, SIGNATURE_BASE_LOG_Proxynotshell_POC_CVE_2022_41040_Nov22
• GitHub PoC: 9 repositories

Affected Products (5)

Server Software

• Microsoft Exchange Server 2013 Cumulative Update 23
• Microsoft Exchange Server 2016 Cumulative Update 22
• Microsoft Exchange Server 2019 Cumulative Update 11
• Microsoft Exchange Server 2019 Cumulative Update 12
• Microsoft Exchange Server 2016 Cumulative Update 23

Security Updates (5)

• 5019758
• 5019758
• 5019758
• 5019758
• 5019758

Acknowledgments

<a href="https://twitter.com/chudypb">Piotr Bazydlo (@chudypb)</a> working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>, DA-0x43-Dx4-DA-Hx2-Tx2-TP-S-Q from GTSC working with <a href="https://www.zerodayinitiative.com/">Trend Micro Zero Day Initiative</a>

Revision History

• 2022-09-30: Information published.
• 2022-10-03: Updated FAQ information. This is an informational change only.
• 2022-11-08: On November, 8 2022, Microsoft released updates to address this vulnerability. Customers who are running an affected version of Microsoft Exchange Server should install the updates to be protected.