CIRT.GY | Many Exchange servers are still prone to ProxyNot

Many Exchange servers are still prone to ProxyNotShell attacks. (5th January 2023)

Ref# AL2023_02 | Date: Jan 5th 2023

Description

Exchange Servers are affected by security flaws known as ProxyNotShell (tracked as – CVE-2022-41082 and CVE-2022-41040). Attackers on compromised servers can escalate privileges and obtain arbitrary or remote code execution if the exploit is successful.

Summary

A combination of Exchange Server zero-day vulnerabilities known as ProxyNotShell were linked together by threat actors in a series of focused assaults after being initially publicly revealed in September. The first vulnerability, CVE-2022-41040, affects server-side request forgery, while the second, CVE-2022-41082, affects remote code execution. The phrase “ProxyNotShell” refers to the now-famous ProxyShell set of security issues made public in 2021.

However, CrowdStrike revealed that a fresh attack chain known as “OWASSRF” got beyond Microsoft”s URL Rewrite mitigations. OWASSRF, which combines the ProxyNotShell problem (CVE-2022-41082) and the elevation of privilege flaw (CVE-2022-41080), has recently been exploited in several Play ransomware attacks.

A cybersecurity non-profit called Shadowserver has been looking for IP addresses with Microsoft Exchange Server instances that are probably CVE-2022-41082 susceptible. However, on December 21, the day following the publication of CrowdStrike”s study, Shadowserver discovered 83,946 susceptible IP addresses. That number fell to 60,865 as of January 2.

Remediation

Applying Microsoft”s ProxyNotShell updates is necessary to protect your Exchange servers from incoming attacks. Although Microsoft offered mitigation strategies, attackers can still get around these. Only servers that have been fully patched are safe from attack. This issue was fixed in December 2022 Patch Tuesday which can be found at the following URL:
https://msrc.microsoft.com/update-guide/releaseNote/2022-Dec

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: Many Exchange servers are still prone to ProxyNotShell attacks.pdf

References

Culafi, A. (2023, January 3). Many Exchange servers still vulnerable to ProxyNotShell flaw. Retrieved from TechTarget.
https://www.techtarget.com/searchsecurity/news/252528809/Many-Exchange-servers-still-vulnerable-to-ProxyNotShell-flaw
Gatlan, S. (2023, January 3). Over 60,000 Exchange servers vulnerable to ProxyNotShell attacks. Retrieved from BleepingComputer.
https://www.bleepingcomputer.com/news/security/over-60-000-exchange-servers-vulnerable-to-proxynotshell-attacks/