Threat Intelligence Alert: Microsoft Exchange Server - Zero Day Vulnerability
Incident Report for Pulsant Service
Resolved
Removing threat intelligence banner from Status page.
Posted Jan 26, 2023 - 17:16 GMT
Update
Microsoft has released the November 2022 Security Update for Exchange Server, which fixes the two zero-day vulnerabilities tracked as CVE-2022-41040 and CVE-2022-41082.

Pulsant urge our clients to review the information on the Microsoft download page and install this critical fix on all of their Microsoft Exchange Servers. Note that Security Updates are only published for the currently supported Cumulative Update levels, so a server on an older CU must first be brought up to a supported CU before the SU can be applied. https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d

For Pulsant Managed clients, we will be in contact shortly to schedule the update.
Posted Nov 10, 2022 - 11:22 GMT
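The following script is an added example and is not part of the Pulsant advisory. It inventories every Exchange server and reports the file version of ExSetup.exe, which is the reliable way to confirm that a Security Update landed: AdminDisplayVersion only reflects the Cumulative Update, not the SU. It runs from the Exchange Management Shell on a host that can still reach the servers over WinRM (so from one that any port-blocking mitigation exempts). The -ExpectedBuild parameter is an assumption: paste the build listed for your CU on the KB5019758 page, or leave it empty to just list the fleet.

```powershell
# Added example, not part of the Pulsant advisory. Run from the Exchange
# Management Shell as an account that can Invoke-Command to every server.
#
# AdminDisplayVersion only changes with a Cumulative Update. A Security Update
# replaces binaries such as ExSetup.exe, so its FileVersion is what to compare
# against the build listed for your CU on the KB5019758 page.
# -ExpectedBuild is an assumption: supply the build from the KB page, or leave
# it empty to just inventory the fleet.
param(
    [string]$ExpectedBuild = ''
)

$report = foreach ($server in (Get-ExchangeServer | Sort-Object Name)) {
    try {
        $exSetupVersion = Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
            # Exchange's install root is recorded in the registry on every server.
            $root = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup').MsiInstallPath
            (Get-Item (Join-Path $root 'bin\ExSetup.exe')).VersionInfo.FileVersion
        }
    }
    catch {
        $exSetupVersion = "ERROR: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Server              = $server.Name
        AdminDisplayVersion = $server.AdminDisplayVersion.ToString()   # CU level only
        ExSetupVersion      = $exSetupVersion                           # CU + SU level
        Patched             = if ($ExpectedBuild) { $exSetupVersion -eq $ExpectedBuild } else { $null }
    }
}

$report | Format-Table -AutoSize

# Servers that could not be queried, or a mix of builds across the fleet, both
# mean the rollout is not complete.
$builds = $report.ExSetupVersion | Where-Object { $_ -notlike 'ERROR:*' } | Sort-Object -Unique
if (@($builds).Count -gt 1) {
    Write-Warning "Mixed ExSetup.exe builds across the fleet: $($builds -join ', ')"
}
if ($ExpectedBuild) {
    $report | Where-Object { $_.Patched -ne $true } | ForEach-Object {
        Write-Warning "$($_.Server) is not on $ExpectedBuild (found $($_.ExSetupVersion))"
    }
}
```

A server that errors out still needs checking by hand; do not treat an unreachable host as patched.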
Update
We are continuing to work on a fix for this issue.
Posted Oct 05, 2022 - 09:54 BST
Update
Overnight, Microsoft updated their recommendations and stated that the revised regex string should be applied in place of the original one.

Follow this link for official MS guidance:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Posted Sep 30, 2022 - 12:31 BST
Update
Microsoft have now publicly acknowledged the zero-day and are supplementing the URL Rewrite remediation step with a second recommendation.

Authenticated attackers who can reach PowerShell Remoting on vulnerable Exchange systems can trigger remote code execution using CVE-2022-41082. Blocking the ports used for Remote PowerShell (WinRM) can limit these attacks:

WinRM over HTTP: TCP 5985
WinRM over HTTPS: TCP 5986

Pulsant recommend adding this to any remediation action. The port blocking only needs to be applied to inbound connections to the Exchange server infrastructure. Two caveats: blocking these ports also blocks legitimate remote administration of the servers over WinRM, so scope the change so that your management hosts keep access; and Exchange's own remote PowerShell endpoint (the /PowerShell virtual directory) is served by IIS on 80/443, so this step complements the URL Rewrite rule rather than replacing it.
Posted Sep 30, 2022 - 12:25 BST
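The script below is an added example, not part of the Pulsant advisory, implementing the port-blocking recommendation with the built-in NetSecurity cmdlets. It is run elevated on each Exchange server. The -AdminSources parameter is an assumption (your management subnet or jump hosts); it exists because Windows Firewall lets a Block rule override every Allow rule, so "block everyone except admins" cannot be written as a Block rule plus an Allow rule.

```powershell
# Added example, not part of the Pulsant advisory. Run elevated on each
# Exchange server. -AdminSources is an assumption: management hosts that must
# keep WinRM access. Leave it empty to block all inbound remote PowerShell,
# which is what the advisory describes.
param(
    [string[]]$AdminSources = @()
)

$winrmPorts = 5985, 5986   # WinRM over HTTP / HTTPS

if ($AdminSources.Count -eq 0) {
    # Hard block. In Windows Firewall a Block rule beats any Allow rule, so this
    # also cuts off your own remote administration over WinRM.
    New-NetFirewallRule -DisplayName 'Exchange mitigation - block inbound WinRM' `
        -Direction Inbound -Protocol TCP -LocalPort $winrmPorts -Action Block -Profile Any `
        -Description 'Temporary mitigation for CVE-2022-41082; remove once the Exchange SU is installed'
}
else {
    # Carve-out variant: scope the built-in WinRM allow rules to the admin
    # sources and rely on the profile's default inbound action (Block) to drop
    # every other source. No explicit Block rule is created.
    Set-NetFirewallRule -DisplayGroup 'Windows Remote Management' -RemoteAddress $AdminSources
    Get-NetFirewallProfile | Set-NetFirewallProfile -DefaultInboundAction Block
}

# Show the effective rules touching the WinRM ports so the change can be reviewed.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($winrmPorts | Where-Object { $_ -in @($filter.LocalPort) })
    } |
    Select-Object DisplayName, Action, Profile
```

Verify from a host that should be blocked with Test-NetConnection -ComputerName <exchange-fqdn> -Port 5985 (TcpTestSucceeded should be False), and from a management host if you used -AdminSources.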
Update
We are continuing to monitor the situation
Posted Sep 30, 2022 - 12:23 BST
Identified
Pulsant Cyber Security have become aware of a zero-day vulnerability affecting on-premises MS Exchange Servers. As a zero-day vulnerability, there is no vendor patch available at this time.

**UPDATE 31/10/2022 WORKAROUND NO LONGER VALID** As a temporary workaround (until patches are released), clients may wish to add an IIS (Internet Information Services) URL Rewrite request-blocking rule on the Autodiscover front-end virtual directory to temporarily block exploitation attempts. This requires the IIS URL Rewrite module.

1. In IIS Manager, expand Default Web Site (the front-end site), select Autodiscover, open URL Rewrite, and choose Add Rule(s)... then Request Blocking.
2. Block access based on URL Path, select Regular Expression under Using, add the string ".*autodiscover\.json.*\@.*Powershell.*" (without the quotes), and set How to block to Abort Request.
3. Edit the rule's condition and change the Condition input from {URL} to {REQUEST_URI}.
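The script below is an added example, not part of the Pulsant advisory and not Microsoft's own mitigation tooling. It is the scripted equivalent of the three IIS Manager steps: it inserts a URL Rewrite request-blocking rule into the Autodiscover front-end web.config. Because the 31/10 note above marks the string in step 2 as superseded, the pattern is a mandatory parameter rather than a default, so whatever Microsoft currently publishes is what gets installed. The rule name and backup file naming are assumptions. Run elevated on each Exchange server with the IIS URL Rewrite module installed.

```powershell
# Added example, not part of the Pulsant advisory. Scripted equivalent of the
# IIS Manager steps: Request Blocking, block by URL Path, Using Regular
# Expression, How to block = Abort Request, Condition input = {REQUEST_URI}.
# -Pattern is mandatory on purpose: paste the regex string currently published
# by Microsoft (the advisory's original string has the form
# '.*autodiscover\.json.*\@.*Powershell.*'). -RuleName is an assumption.
param(
    [Parameter(Mandatory)][string]$Pattern,
    [string]$RuleName = 'Pulsant-Block-Autodiscover-PowerShell'
)

$exInstall  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup').MsiInstallPath
$configPath = Join-Path $exInstall 'FrontEnd\HttpProxy\Autodiscover\web.config'

# Timestamped backup: restoring it is the rollback.
Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$cfg = Get-Content -Path $configPath -Raw
$webServer = $cfg.configuration.'system.webServer'
if (-not $webServer) { throw "system.webServer element not found in $configPath" }

# Create <rewrite><rules> if this web.config has no rewrite section yet.
$rewrite = $webServer.SelectSingleNode('rewrite')
if (-not $rewrite) { $rewrite = $webServer.AppendChild($cfg.CreateElement('rewrite')) }
$rules = $rewrite.SelectSingleNode('rules')
if (-not $rules) { $rules = $rewrite.AppendChild($cfg.CreateElement('rules')) }

if ($rules.SelectSingleNode("rule[@name='$RuleName']")) {
    Write-Warning "Rule '$RuleName' already present in $configPath; nothing changed."
    return
}

# <rule name=... patternSyntax="ECMAScript" stopProcessing="true">
$rule = $cfg.CreateElement('rule')
$rule.SetAttribute('name', $RuleName)
$rule.SetAttribute('patternSyntax', 'ECMAScript')
$rule.SetAttribute('stopProcessing', 'true')

#   <match url=".*" />  (the filtering happens in the condition, as in the UI)
$match = $cfg.CreateElement('match')
$match.SetAttribute('url', '.*')
[void]$rule.AppendChild($match)

#   <conditions><add input="{REQUEST_URI}" pattern=... /></conditions>
$conditions = $cfg.CreateElement('conditions')
$condition  = $cfg.CreateElement('add')
$condition.SetAttribute('input', '{REQUEST_URI}')
$condition.SetAttribute('pattern', $Pattern)
[void]$conditions.AppendChild($condition)
[void]$rule.AppendChild($conditions)

#   <action type="AbortRequest" />
$action = $cfg.CreateElement('action')
$action.SetAttribute('type', 'AbortRequest')
[void]$rule.AppendChild($action)

# Put the rule first so it is evaluated before any existing rewrite rules.
[void]$rules.PrependChild($rule)
$cfg.Save($configPath)
Write-Output "Added rule '$RuleName' with pattern '$Pattern' to $configPath"
```

IIS reloads web.config on save, so no restart is needed; confirm the rule appears under Autodiscover > URL Rewrite in IIS Manager, and remove it (or restore the backup) once the Security Update is installed, since stale request-blocking rules tend to be forgotten.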

Once Microsoft releases patches, it is recommended that they are applied without delay.

Pulsant Cyber Security will continue to closely monitor this situation and provide updates.

Useful Links: https://www.automox.com/blog/zero-day-microsoft-exchange
Posted Sep 30, 2022 - 12:22 BST
This incident affected: Threat Intelligence Alert.