Microsoft has officially announced that it is investigating two zero-day security flaws in Exchange Server 2013, 2016, and 2019, following reports on in-the-wild exploitation.
The first vulnerability is CVE-2022-4040 and the second is CVE-2022-4082. "It allows remote code execution (RCE) when PowerShell can be accessed by the attacker," Microsoft said.
The company confirmed that it is aware of a "limited targeted attack" using these flaws to gain initial access to targeted systems. However, the company stressed that authenticated access to a vulnerable Exchange Server is necessary for successful exploitation.
Microsoft reveals that both flaws can be linked in an exploit chain: the SSRF bug allows an authenticated adversary to remotely trigger arbitrary code execution.
Redmond-based Microsoft also confirmed it is working on an "accelerated timeline" to push a fix. It also urged on-premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate possible threats. Microsoft Exchange Online customers are not affected by this change. These are the steps to add the blocking rule:
1. Open the IIS Manager
2. Expand the Default Web Site
3. Select Autodiscover
4. In the Feature View, click URL Rewrite
5. In the Actions pane on the right-hand side, click Add Rules
6. Select Request Blocking and click OK
7. Add String ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK
8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions
9. Change the condition input from {URL} to {REQUEST_URI}
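Defenders who apply the workaround above will usually also want to check whether requests matching the same pattern already reached their servers. The script below is an added example, not Microsoft's code or the page's own; it applies the page's blocking pattern to constructed W3C-format IIS log lines and also shows why step 9 matters: the {URL} server variable holds only the path, while {REQUEST_URI} includes the query string, which is where the "@" and "Powershell" parts of the pattern would typically appear. The log lines, IP addresses, and field order are constructed for the example.

```python
import re

# The blocking string from Microsoft's IIS Manager workaround, as given on the page.
# IIS URL Rewrite patterns are case-insensitive by default (ignoreCase="true"),
# so the Python equivalent uses re.IGNORECASE.
BLOCK_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)


def matches_rule(path: str, query: str = "") -> bool:
    """Evaluate the rule the way IIS does once the condition input is {REQUEST_URI}:
    path and query string together."""
    request_uri = f"{path}?{query}" if query else path
    return BLOCK_PATTERN.match(request_uri) is not None


def matches_path_only(path: str) -> bool:
    """Evaluate the rule against {URL} only (path, no query string).
    This is what the rule would see before step 9 is applied."""
    return BLOCK_PATTERN.match(path) is not None


# Constructed IIS W3C log excerpt (hypothetical hosts and addresses).
# IIS logs cs-uri-stem and cs-uri-query as separate fields.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 10:00:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 198.51.100.7 Mozilla/5.0 200
2022-09-30 10:00:02 10.0.0.5 GET /autodiscover/autodiscover.json Email=user@example.test&Protocol=ActiveSync 443 - 192.0.2.10 Outlook 200
2022-09-30 10:00:03 10.0.0.5 POST /owa/ - 443 - 192.0.2.11 Mozilla/5.0 200
"""


def parse_iis_log(text: str) -> list[dict]:
    """Parse W3C log lines into dicts keyed by the names in the #Fields header."""
    fields: list[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign fields
        rows.append(dict(zip(fields, values)))
    return rows


def flag_requests(text: str) -> list[dict]:
    """Return log rows whose full request URI matches the blocking pattern.
    IIS logs '-' for an empty query string, so treat that as no query."""
    hits = []
    for row in parse_iis_log(text):
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        if matches_rule(row["cs-uri-stem"], query):
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(f'{hit["date"]} {hit["time"]} {hit["c-ip"]} '
              f'{hit["cs-uri-stem"]}?{hit["cs-uri-query"]}')
    # The same row evaluated against the path alone is NOT matched,
    # which is why the condition input must be {REQUEST_URI}, not {URL}.
    print("path-only match:", matches_path_only("/autodiscover/autodiscover.json"))
```

The second log line is ordinary Autodiscover traffic: its query string contains an "@" (an e-mail address) but no "Powershell", so the pattern does not block legitimate clients. The first line matches only when the query string is part of the evaluated input, which is exactly the {URL} versus {REQUEST_URI} distinction the last step of the workaround addresses.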