Removing threat intelligence banner from Status page.
Posted Jan 26, 2023 - 17:16 GMT
Update
Microsoft has released their November 2022 security update for Exchange Server, which includes fixes for this zero-day vulnerability (CVE-2022-41040 and CVE-2022-41082).
Microsoft have now publicly acknowledged the zero-day, and are supplementing the URL rewrite remediation step with a second recommendation.
Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger remote code injection using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.
HTTP: 5985
HTTPS: 5986
Pulsant recommend adding this to any remediation action. The PowerShell port blocking should only need to be done for inbound requests going to the Exchange server infrastructure.
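One way to apply the inbound port block on each Exchange server, as an added example that is not Pulsant's or Microsoft's own script. It assumes Windows Defender Firewall on the host is the enforcement point (a perimeter firewall would need the equivalent rule), and the rule name is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not Pulsant's or Microsoft's script). Assumes Windows Defender
# Firewall is the enforcement point on each Exchange server; the rule name is hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int[]]  $Ports    = @(5985, 5986),   # Remote PowerShell: HTTP 5985, HTTPS 5986
    [string] $RuleName = 'Block inbound Remote PowerShell (Exchange zero-day)'
)

# 1. Record which of the ports currently have a listener, for the change record.
$listening = Get-NetTCPConnection -State Listen -LocalPort $Ports -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Host ("Listening before change: {0}" -f (($listening | Sort-Object) -join ', '))

# 2. Create the inbound block rule once; re-running the script is a no-op.
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule -and $PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Block inbound TCP $($Ports -join ',')")) {
    $rule = New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary mitigation; inbound only, as advised.' `
        -Direction Inbound -Protocol TCP -LocalPort $Ports `
        -Action Block -Profile Any -Enabled True
}

# 3. Verify the rule is enabled and covers every intended port.
if ($rule) {
    $filter  = $rule | Get-NetFirewallPortFilter
    $covered = @($filter.LocalPort | ForEach-Object { [int]$_ })
    $missing = $Ports | Where-Object { $_ -notin $covered }
    if ($rule.Enabled -ne 'True' -or $missing) {
        throw "Rule '$RuleName' is not enforcing ports: $($missing -join ', ')"
    }
    Write-Host "Rule '$RuleName' enabled for inbound TCP $($covered -join ', ')"
}
```

Run it with `-WhatIf` first to preview the change. While the rule is enabled it also stops legitimate WinRM administration from other hosts on these ports.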
Posted Sep 30, 2022 - 12:25 BST
Update
We are continuing to monitor the situation.
Posted Sep 30, 2022 - 12:23 BST
Identified
Pulsant Cyber Security have become aware of a zero-day vulnerability affecting MS Exchange Servers (On Premise). As a zero-day vulnerability, there is no available vendor patch at this time.
**UPDATE 31/10/2022 WORKAROUND NO LONGER VALID**
As a temporary workaround (until patches are released), clients may wish to add an IIS (Internet Information Services) request-blocking rule, using the URL Rewrite module, to temporarily block exploitation attempts.
1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
2. Add string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.
3. Condition input: Choose {REQUEST_URI}
Once patches are released from Microsoft, it is recommended that a patch is applied without delay.
Pulsant Cyber Security will continue to closely monitor this situation and provide updates.