Mitigating CVE-2022-41040 with Exchange On-premises Mitigation Tool v2

CVE-2022-41040 is a recently disclosed server-side request forgery (SSRF) vulnerability that affects on-premises Exchange servers. An authenticated attacker can trigger it remotely, but authenticated access to the vulnerable Exchange server is required to exploit it successfully.

At the time of writing, Microsoft has shared temporary mitigation guidance that can be applied to harden Exchange servers. See: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

This is the current list of known affected versions of Exchange On-Premises:

Source: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040

The current Exchange Server mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. Microsoft has shared a PowerShell script, which can be used to apply this mitigation. This can be found here: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

Let’s say our Exchange server is vulnerable. If that’s the case, let’s apply the mitigation measures. Run this PowerShell script as an admin. The script needs to be run on every Exchange server.

.\EOMTv2.ps1

It will create a log file in the C:\ drive, which looks like the following. As we can see in the output file, it tells us to double-check C:\inetpub\wwwroot\web.config to verify whether the configuration is present or not.

We can verify that the mitigation measures have been applied.

This can be verified as well in the IIS Manager where we can see two new rules being created.

Update 2022-10-05: A security researcher discovered a bypass.

@honoki posted on Twitter that he was able to find a bypass https://twitter.com/honoki/status/1577644964628004867

Microsoft has updated the PowerShell script.

Download the latest PowerShell script here: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

Run the PowerShell script as an admin on your Exchange servers.

This is how the end result looks now. It updates the existing two rules to use {UrlDecode:{REQUEST_URI}} instead of {REQUEST_URI}.

Update 2022-10-08:

Microsoft made another update. Please download the updated version of the PowerShell script and re-run it on your Exchange servers: https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/

This is the new rule that it has created:

This is what our two IIS URL Rewrite rules look like now:
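To double-check web.config without opening IIS Manager, here is an added verification script (not part of Microsoft's EOMTv2 script). It reads the Default Web Site web.config mentioned above, lists every URL Rewrite rule, and flags any rule that still matches on the raw {REQUEST_URI} rather than {UrlDecode:{REQUEST_URI}}; the path is the one from this post, and no rule names are assumed.

```powershell
# Added example, not part of Microsoft's EOMTv2 script. Inspects the URL Rewrite rules in
# the Default Web Site web.config and flags rules that still use the raw {REQUEST_URI}
# (the pre-bypass form) instead of {UrlDecode:{REQUEST_URI}}. No rule names are assumed.
function Test-ExchangeRewriteMitigation {
    param(
        # Path taken from the post; override if your Default Web Site lives elsewhere.
        [string]$WebConfigPath = 'C:\inetpub\wwwroot\web.config'
    )

    if (-not (Test-Path -LiteralPath $WebConfigPath)) {
        Write-Warning "web.config not found at $WebConfigPath"
        return
    }

    [xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
    $rules = $config.SelectNodes('/configuration/system.webServer/rewrite/rules/rule')

    if ($rules.Count -eq 0) {
        Write-Warning 'No URL Rewrite rules found; the mitigation does not appear to be applied.'
        return
    }

    foreach ($rule in $rules) {
        # Server-variable inputs used by the rule's conditions, e.g. {REQUEST_URI}
        $inputs = @($rule.SelectNodes('./conditions/add') | ForEach-Object { $_.input })
        $usesDecoded = [bool]($inputs | Where-Object { $_ -like '{UrlDecode:*' })
        $usesRawOnly = (-not $usesDecoded) -and [bool]($inputs | Where-Object { $_ -eq '{REQUEST_URI}' })

        # A rule written by the first EOMTv2 release matches the raw URI and is bypassable;
        # the updated releases match the URL-decoded URI instead.
        $status = 'not a REQUEST_URI rule'
        if ($usesRawOnly) { $status = 'NEEDS UPDATE (raw REQUEST_URI, bypassable)' }
        if ($usesDecoded) { $status = 'OK (UrlDecode applied)' }

        [pscustomobject]@{
            Rule   = $rule.name
            Match  = $rule.match.url
            Inputs = ($inputs -join ', ')
            Action = $rule.action.type
            Status = $status
        }
    }
}

# Show one row per rule; if any rule reports NEEDS UPDATE, re-run the latest EOMTv2.ps1.
Test-ExchangeRewriteMitigation | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on each Exchange server after applying the script, since web.config under inetpub is only readable with sufficient rights.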
