Franky's Web

Exchange Server zero-day vulnerability is actively exploited

A zero-day vulnerability in Exchange Server 2013, 2016 and 2019 is currently being actively exploited. There is not yet a security update for the following vulnerabilities:

However, there is a remedy to avoid a successful attack. To prevent the vulnerability from being exploited, a rule can be created for the URL Rewrite feature. To do this, first select the autodiscover directory of the default website in the IIS Manager:

A new rule can then be created under "Add Rules…":

"Request blocking" must be selected as the template:

The following string is now entered in the "Pattern (URL Path)" field:

(?=.*autodiscover)(?=.*powershell)

Note: The pattern has recently been adapted several times by Microsoft.

The "Using" field must be switched from "Wildcard" to "Regular Expressions":

The newly added rule is now expanded and edited:

In the "Condition input" field, {URI} is now changed to {REQUEST_URI}:

The rule is now complete and prevents the current attack. As soon as a security update is available, it should be installed promptly.

Authenticated users with access to PowerShell Remoting could try to exploit the vulnerability CVE-2022-41082. However, since PowerShell Remoting is hopefully not accessible from the Internet in any environment, the attack vector here is limited to the local network. To make this attack more difficult, the two ports for PowerShell Remoting can be blocked on the Windows firewall:

"Block the connection" is selected as the action:

The rule must now be given a name and can then be saved:
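For administrators who prefer scripting the two mitigations above (the IIS URL Rewrite rule and the firewall rules for PowerShell Remoting), here is an added PowerShell example that is not part of the original post. It assumes an elevated session on the Exchange server with the IIS URL Rewrite module installed; the rule name, the firewall rule names, the AbortRequest action and the sample URIs are my own choices, and the WinRM ports 5985/5986 are the standard PowerShell Remoting ports, which the post does not list.

```powershell
# Added example, not from the original post: scripts the URL Rewrite
# mitigation and the PowerShell Remoting firewall block described above.
Import-Module WebAdministration

$pattern  = '(?=.*autodiscover)(?=.*powershell)'   # pattern from the post
$site     = 'IIS:\Sites\Default Web Site\autodiscover'
$rules    = 'system.webServer/rewrite/rules'
$ruleName = 'BlockAutodiscoverPowerShell'           # assumed rule name

# 1. Check the pattern before touching IIS. It is two lookaheads, so it only
#    matches when BOTH words occur in the URI; URL Rewrite conditions ignore
#    case by default, hence IgnoreCase here. Sample URIs are constructed.
$samples = @(
    '/autodiscover/autodiscover.xml',      # normal Autodiscover, must pass
    '/powershell',                         # remote Exchange shell, must pass
    '/autodiscover/anything/PowerShell'    # both words present, blocked
)
foreach ($u in $samples) {
    $blocked = [regex]::IsMatch($u, $pattern, 'IgnoreCase')
    '{0,-38} blocked={1}' -f $u, $blocked
}

# 2. Create the request-blocking rule (remove an older copy first so the
#    script can be re-run when Microsoft changes the pattern again).
$rule = "$rules/rule[@name='$ruleName']"
Clear-WebConfiguration -PSPath $site -Filter $rule -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter $rules -Name '.' -Value @{
    name = $ruleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
}
# Regular Expressions, not Wildcard; match every URL, decide in the condition.
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/match" -Name 'url' -Value '.*'
Add-WebConfigurationProperty -PSPath $site -Filter "$rule/conditions" -Name '.' -Value @{
    input = '{REQUEST_URI}'; pattern = $pattern     # {REQUEST_URI}, not the default input
}
Set-WebConfigurationProperty -PSPath $site -Filter "$rule/action" -Name 'type' -Value 'AbortRequest'

# 3. Block the two PowerShell Remoting (WinRM) ports on the Windows firewall.
#    Assumption: nothing else on this host needs inbound WinRM; narrow the
#    rule with -RemoteAddress if management hosts must keep access.
foreach ($port in 5985, 5986) {
    New-NetFirewallRule -DisplayName "Block WinRM $port (CVE-2022-41082 mitigation)" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Block
}
```

After running it, verify the rule in IIS Manager as in the screenshots above and re-run the check block whenever the pattern is updated.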

Further information on the vulnerability can be found under the following two links:

The first link also contains information on how to detect a successful attack.

Update 11.10.2022: The pattern has been updated several times by Microsoft. This article contains the current pattern.
