Discovery of the zero-day ProxyNotShell vulnerabilities puts Exchange servers back at high risk pending a Microsoft fix. Stormshield Customer Security Lab provides an update on the threat. Last update on 10/04/22.
The context of ProxyNotShell vulnerabilities
During an incident response analysis, a SOC/CERT team discovered that an information system had been attacked through vulnerabilities in a Microsoft Exchange server. Unknown to Microsoft at the time and therefore unpatched, these are critical zero-day vulnerabilities: one SSRF (Server-Side Request Forgery) and one RCE (Remote Code Execution), chained together.
More precisely, these vulnerabilities were reported to the ZDI (Zero Day Initiative) as ZDI-CAN-18333, with a score of 8.8, and ZDI-CAN-18802, with a score of 6.3. The CVEs have just been published as CVE-2022-41040 and CVE-2022-41082, the latter with a CVSS 3.1 score of 9.6.
These vulnerabilities are very close to ProxyShell, discovered in 2021 (CVE-2021-34473), so much so that one may wonder whether they are really new vulnerabilities. However, since Exchange versions patched against ProxyShell remain vulnerable to these new exploitation techniques, they are indeed new vulnerabilities. The name "ProxyNotShell" refers to these two vulnerabilities together.
Technical details of ProxyNotShell vulnerabilities
The RCE vulnerability affects on-premises Microsoft Exchange Server 2013, 2016 and 2019 with Outlook Web Access enabled.
To exploit it, an attacker sends a specially crafted "autodiscover" SOAP request, in a format similar to the ProxyShell vulnerability, of the type: POST /firstname.lastname@example.org/PowerShell/ [...] HTTP/1.1
This type of request leads to remote execution of PowerShell code, for example to drop a web shell on the server and take control of it remotely.
Since the Exchange process runs with high privileges, this is a very effective way to take full control of the server.
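As an added example (not Stormshield's code, and not the IPS signature mentioned further down), the following Python script shows how a defender could hunt for the request shape described above in Exchange IIS logs. It assumes W3C-format log lines with a `#Fields:` header, and it treats a single request URI that references both the autodiscover endpoint and the PowerShell endpoint as suspicious; the log excerpt is constructed for the example. The URI is percent-decoded before matching, which is why a signature like Stormshield's operates on the decoded URL.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not taken from the original page); the first
# line is the field header IIS writes, the others are made-up requests.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2022-09-30 08:12:01 192.0.2.10 POST /autodiscover/autodiscover.json @example.invalid/powershell/ 200
2022-09-30 08:12:05 192.0.2.11 POST /powershell/ PSVersion=5.1.17763 200
2022-09-30 08:13:10 192.0.2.12 GET /autodiscover/autodiscover.json Email=user@corp.example 200
2022-09-30 08:14:22 192.0.2.13 GET /owa/ - 200
2022-09-30 08:15:40 192.0.2.14 POST /Autodiscover/Autodiscover.json %40example.invalid/Power%53hell/ 200
"""

# Assumption for this example: the suspicious shape is one request URI that
# names both "autodiscover" and "powershell"; legitimate autodiscover lookups
# and legitimate remote PowerShell sessions each use only one of them.
PROXYNOTSHELL_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        yield dict(zip(fields, values))


def request_uri(entry):
    """Rebuild the full URI (stem + query) and percent-decode it: IIS logs the
    encoded form, so an encoded '@' or letter would evade a plain substring match."""
    uri = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    if query != "-":
        uri += "?" + query
    return unquote(uri)


def find_suspicious_requests(text):
    """Return the log entries whose decoded URI matches the ProxyNotShell shape."""
    hits = []
    for entry in parse_w3c_log(text):
        uri = request_uri(entry)
        if PROXYNOTSHELL_PATTERN.search(uri):
            hits.append({"c-ip": entry["c-ip"], "uri": uri, "status": entry["sc-status"]})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_IIS_LOG):
        print(f"suspicious request from {hit['c-ip']}: {hit['uri']} -> {hit['status']}")
```

On the constructed excerpt only the two autodiscover-plus-PowerShell requests are reported; the plain remote PowerShell session and the ordinary autodiscover lookup (whose query also contains an "@") are left alone, which is the distinction a detection rule for this vulnerability needs to make.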
Versions impacted by the ProxyNotShell vulnerabilities
Microsoft Exchange versions 2013, 2016 and 2019 are impacted.
Protection means by Stormshield
Stormshield Network Security
An IPS signature has been published on SNS; it detects exploitation of the RCE vulnerability. This signature requires SSL decryption to be enabled in order to work.
- http:url:decoded → Exploitation of Microsoft Exchange ProxyNotShell vulnerability (CVE-2022-41040, CVE-2022-41082)
Stormshield Endpoint Security Evolution
With the SES solution (7.2 and Evolution) installed on the Exchange server, it is possible to detect malicious behaviours following exploitation of the vulnerability.
We have published a security policy consisting of 2 rule sets (for SES Evolution 2.3 and above) to detect the presence of the files (by hash) listed in this document and to block connections to C2 servers.
This security policy is available on the update server and is called "Stormshield - Windows server policy". It includes the following rule sets:
- Stormshield - Blocklist ruleset for network communication to known malicious actors
- Stormshield - Audits for known dangerous behaviour
Microsoft has released a first tool (EOMTv2) that provides administrators with mitigation measures for the CVE-2022-41040 vulnerability. Note that the script must be run individually on each server.
IOCs and useful information
The following indicators of compromise have been integrated into our protection solutions (Breach Fighter, SNS & SES).
File names and hashes:
IP & URL