Last updated: Wednesday, November 9, 2022, at 11:45 a.m. PST
This post will be continuously updated as new information is made available.
On November 8, 2022, Microsoft released security updates for the ProxyNotShell vulnerability. We recommend applying this patch immediately. Reference the Microsoft Security Response Center page for detailed instructions.
Top Things You Should Know About The ProxyNotShell Vulnerability
- This vulnerability is a critical issue for on-premise Microsoft Exchange Server environments. An attacker needs valid credentials (i.e., a username and password) in order to exploit these vulnerabilities, but the credentials can be from any user, not just admin/privileged users.
- Exploit of this vulnerability depends on Outlook Web Application (OWA) being in use/accessible to the Internet. Each Microsoft Exchange on-premise server with Outlook Web Application (OWA) exposed to the Internet is potentially vulnerable to exploitation.
- On November 8, Microsoft released a patch that addresses the vulnerability. We recommend applying the patch as soon as possible. Reference the Microsoft Security Response Center page for detailed instructions.
- If you cannot apply the patch released on November 8, we recommend that you apply the mitigation guidance detailed on Microsoft’s ProxyNotShell Security Response Center page.
- This vulnerability only applies to on-premise Microsoft Exchange Server. Exchange Online customers and Office 365 users do not need to take any action. However, organizations that use Exchange Online may still be affected if they run a hybrid server (i.e., a Microsoft Exchange Server providing mail routing between on-premises and Exchange Online). Any local Exchange servers running in a hybrid environment may also be subject to these vulnerabilities.
- We are in contact with customers vulnerable to ProxyNotShell and are working with them to help respond.
Read on for more information about the issue and, more importantly, how to respond.
ProxyNotShell Vulnerability Overview
There are two critical Microsoft Exchange Server on-premises vulnerabilities (comprising the “ProxyNotShell” vulnerability) being actively exploited by attackers in combination to compromise systems. Based on the nature of the vulnerability, once an attacker has access and control of a system, they can perform a myriad of malicious objectives, including launching ransomware attacks.
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
How To Mitigate The Vulnerability
We recommend checking all Microsoft Exchange Server products, including third-party products, for vulnerable versions. Vulnerable versions of ProxyNotShell include Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
If your version is vulnerable, apply the patch that Microsoft released on November 8. Update instructions are available on the Security Response Center page. If you cannot apply the patch, we recommend applying Microsoft’s mitigation guidance to reduce exposure.
Exchange Emergency Mitigation Service (EEMS):
In September 2021, the Microsoft Exchange team launched a program named Exchange Emergency Mitigation Service (EEMS) that enables Microsoft to push mitigation to clients automatically. Therefore, if you opted for this program by installing an Exchange update (on or after September 2021), Microsoft has already pushed mitigation to your Exchange Server (however, this EEMS mitigation option excludes Exchange Server 2013).
Customers with Microsoft Exchange Server 2016 and 2019 are encouraged to install EEMS in order for Microsoft to remotely push updated mitigations to these servers as they are available. Again, EEMS won’t work for older versions of Exchange, notably Exchange Server 2013, but we still encourage all applicable on-premise Microsoft Exchange Server customers to install EEMS.
Manual Mitigation Methods:
Microsoft recommends the following interim mitigation steps. Please note: These steps should be considered as a temporary solution only. All systems should be patched as soon as possible.
- Vulnerable Microsoft customers should add a blocking rule in “IIS Manager -> Default Web Site -> URL Rewrite -> Actions” to block the known attack patterns. Microsoft has confirmed that these URL rewrite instructions are successful in breaking the current attack chain.
- Options to implement the blocking rule are found in the Microsoft blog: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- Additionally, blocking the ports used for Remote PowerShell can limit the impact of these vulnerabilities:
- HTTP: 5985
- HTTPS: 5986
What Else Can I Do To Reduce Exposure?
In addition to the patch and the above mitigation measures, At-Bay recommends the following:
- Limit/turn off Outlook Web Application (OWA): Unless it is absolutely necessary, consider disabling OWA altogether, which removes the issue. If OWA is used in your organization, access to it should be limited to specific IP addresses, and any such remote access to email should be required over VPN.
- Expedite installation of EEMS: Install EEMS now so that Microsoft can ensure updated mitigations are applied to your systems as soon as possible.
- Install latest updates/patches: If you are behind on your Microsoft Exchange Server updates, get the latest versions installed now, so that it will be faster for you to apply patches/updates when they are available.
- Review access controls: Ensure admin passwords are complex and require multi-factor authentication (MFA). Consider a global password change for all users.
- Enhance security controls: MFA on all user accounts helps reduce the likelihood of unauthorized access, and EDR on servers and end-point security enhance your ability to identify active threats and respond more quickly to help protect your organization.
- Make sure your backups are in good working order: Good backups often make the difference between a mild exposure and a severe one.
- Ensure that logs are stored under limited privileges: Limited privileges makes it harder for attackers to cover their tracks, thus making malicious activity easier to discover.
Microsoft Security Response Center:
Microsoft Exchange Emergency Mitigation Service:
Other Blog Posts:
This alert does not modify or invalidate any of the provisions, exclusions, terms, or conditions of your Policy and its endorsements. At-Bay security services should not be considered a replacement for comprehensive vulnerability risk management or a standalone cyber security solution.