

Microsoft officially disclosed it is investigating two zero-day security vulnerabilities impacting Exchange Server 2013, 2016, and 2019 following reports of in-the-wild exploitation.

“The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker,” the tech giant said.

The company also confirmed that it’s aware of “limited targeted attacks” weaponizing the flaws to obtain initial access to targeted systems, but emphasized that authenticated access to the vulnerable Exchange Server is required to achieve successful exploitation.

The attacks detailed by Microsoft show that the two flaws are chained together in an exploit chain, with the SSRF bug enabling an authenticated adversary to remotely trigger arbitrary code execution.

The Redmond-based company also confirmed that it’s working on an “accelerated timeline” to push a fix, while urging on-premises Microsoft Exchange customers to add a blocking rule in IIS Manager as a temporary workaround to mitigate potential threats. It’s worth noting that Microsoft Exchange Online customers are not affected.

The steps to add the blocking rule are as follows:

- Open the IIS Manager
- Expand the Default Web Site
- Select Autodiscover
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rules
- Select Request Blocking and click OK
- Add the string “.*autodiscover\.json.*\@.*Powershell.*” (excluding quotes) and click OK
- Expand the rule and select the rule with the Pattern “.*autodiscover\.json.*\@.*Powershell.*” and click Edit under Conditions
- Change the condition input from {URL} to {REQUEST_URI}