Microsoft has updated the mitigation measures security teams should apply for two recently disclosed Exchange vulnerabilities that can lead to remote code execution, after reports that the previous measure could easily be bypassed.
The two vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082 and referred to as "ProxyNotShell," were first disclosed by the Vietnamese security firm GTSC. The initial mitigation recommendations proved insufficient and were bypassed, leaving the bugs exploitable.
Microsoft later acknowledged the vulnerabilities, confirming in a post on its security blog that Microsoft Exchange Server 2013, 2016 and 2019 are affected by a Server-Side Request Forgery flaw (CVE-2022-41040) and a Remote Code Execution flaw that is exploitable when PowerShell is accessible to the attacker (CVE-2022-41082).
Saying a fix was on an "accelerated schedule," Microsoft adopted the guidance first proposed by GTSC to use URL Rewrite rules as a mitigation, but reports soon followed that the rules were easily bypassed.
Microsoft issued further guidance on Oct. 4 to improve the URL Rewrite rule and urged customers to review and apply one of the updated mitigation options:
- Option 1: The EEMS rule has been updated and is applied automatically.
- Option 2: The previously provided EOMTv2 script has been updated to include the URL Rewrite improvement.
- Option 3: The manual URL Rewrite rule instructions have been updated. The string in step 6 and step 9 has been revised, and steps 8, 9, and 10 have updated images.