Threat Intelligence Alert: Microsoft Exchange Server - Zero Day Vulnerability
Incident Report for Pulsant Service
Removing threat intelligence banner from Status page.
Posted Jan 26, 2023 - 17:16 GMT
Microsoft has released their November 2022 security update for Exchange Server, which includes fixes for this zero-day vulnerability. (CVE-2022-41040 and CVE-2022-41082)

Pulsant urge our clients to review the information on the Microsoft download page, and install this critical fix for all of your Microsoft Exchange Servers.

For Pulsant Managed clients, we will be in contact shortly to schedule the update.
Posted Nov 10, 2022 - 11:22 GMT
We are continuing to work on a fix for this issue.
Posted Oct 05, 2022 - 09:54 BST
Overnight, Microsoft have updated their recommendations and stated that the revised regex should be applied.

Follow this link for official MS guidance:
Posted Sep 30, 2022 - 12:31 BST
Microsoft have now publicly acknowledged the zero-day, and are supplementing the URL rewrite remediation step with a second recommendation.

Authenticated attackers who can access PowerShell Remoting on vulnerable Exchange systems will be able to trigger remote code injection using CVE-2022-41082. Blocking the ports used for Remote PowerShell can limit these attacks.

HTTP: 5985
HTTPS: 5986

Pulsant recommend adding this to any remediation action. The PowerShell port blocking should only need to be done for inbound requests going to the Exchange server infrastructure.
Posted Sep 30, 2022 - 12:25 BST
We are continuing to monitor the situation
Posted Sep 30, 2022 - 12:23 BST
Pulsant Cyber Security have become aware of a zero-day vulnerability affecting MS Exchange Servers (On Premise). As a zero-day vulnerability, there is no available vendor patch at this time.

**UPDATE 31/10/2022 WORK AROUND NO LONGER VALID** As a temporary workaround (until patches are released), clients may wish to add an IIS (internet information services) server rule to temporarily block exploitation attempts via the URL rewrite rule module.

1. In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
2. Add string “.*autodiscover\.json.*\@.*Powershell.*“ to the URL Path.
3. Condition input: Choose {REQUEST_URI}

Once patches are released from Microsoft, it is recommended that a patch is applied without delay.

Pulsant Cyber Security will continue to closely monitor this situation and provide updates.

Useful Links:
Posted Sep 30, 2022 - 12:22 BST
This incident affected: Threat Intelligence Alert.