Microsoft Exchange RCE CVE-2022-41040 and CVE-2022-41082
Response to CVE-2022-41040 and CVE-2022-41082: Unpatched Zero-Day Vulnerabilities in Microsoft Exchange Server
Daisy are responding to two zero-day vulnerabilities in on-premise Microsoft Exchange Servers. Exchange online is not affected.
Microsoft has confirmed two zero-day vulnerabilities in Microsoft Exchange Server. CVE-2022-41040 and CVE-2022-41082 are unpatched and being used in “limited, targeted attacks”:
• CVE-2022-41040 is a server-side request forgery (SSRF) vulnerability.
• CVE-2022-41082 allows for remote code execution if PowerShell is accessible to the attacker, and that attacker is an authenticated user, which does reduce the risk of malicious exploitation.
Microsoft continue to assess and update their guidance and published an IIS block rule to mitigate the risk of attacks. Current guidance is to block remote PowerShell ports on an emergency basis on affected Exchange systems. Note that these are mitigations, not full remediations. Daisy are deploying these mitigations for our managed customers, and will deploy Microsoft patches on an emergency basis once they are released.
Daisy have been made aware of two high-severity vulnerabilities affecting Microsoft Exchange 2013/2016/2019, that are reportedly under active exploitation. Exchange online is not affected.
The vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, are related to server-side request forgery (SSRF) and remote code execution (RCE). It is important to note that the potential of remote code execution is possible only when PowerShell is accessible to the attacker, and that attacker is an authenticated user, which does reduce the risk of these vulnerabilities being maliciously exploited.
Microsoft released patches for these vulnerabilities (and several others affecting Exchange) in November’s Patch Tuesday (8/11/22). Daisy are reviewing these patches at present.
These vulnerabilities have a CVSS rating of 8.8 and 6.9 (out of 10) respectively. The UK’s National Cyber Security Centre guidance indications organisations should remediate 8.8 to 9.7 severity vulnerabilities within 14 days.
Further updates will be provided as available.
If you have any concerns or would like assistance relating to this information, please contact Daisy via our Service Desk team on 0330 024 3333 or our Customer Portal.