Two vulnerabilities in Microsoft Exchange Server (CVE-2022-41040, CVE-2022-41082) have been identified as currently being exploited in organization environments. The vulnerabilities exist only in on-premises Exchange servers; Microsoft reports that Exchange Online has protections in place. Many clients have migrated their user base to Exchange Online or Microsoft Office 365, but there may still be Exchange servers operating in the environment, used for mail relays and other IT functions.
Overview of the Problem: Security researchers have identified two vulnerabilities in Microsoft Exchange Server 2013, 2016, and 2019. The two vulnerabilities can be chained to allow an attacker to escalate privilege within an environment.
There is currently no patch for these vulnerabilities; however, Microsoft is aware and is working on a solution. Microsoft has stated it is working at an accelerated pace to patch this issue but has not released an anticipated patch date.
The vulnerabilities are listed below:
Exploitability: These vulnerabilities have exploits available and have been seen being leveraged.
Risk: The overall risk for these vulnerabilities is Medium for our clients, as most clients have moved away from on-premises Exchange for their end users, but some may still have an Exchange server set up for miscellaneous purposes (mail relay, Azure AD sync, O365 sync, etc.).
Compensating Factors/Controls: There are several ways to determine if your organization is exposed to these vulnerabilities:
- Review your CMDB to see if you have Microsoft Exchange servers.
- Engage the IT team to determine if they are aware of legacy Exchange servers (even if they are no longer in use).
- Verify whether ports 5985 and/or 5986 (PowerShell remoting) are open, either externally or internally.
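One way to carry out the checks above from a domain-joined Windows host, as an added example that is not Fortalice's or Microsoft's code: it lists every Exchange server registered in the Active Directory Configuration partition (stale, powered-off servers still appear there) and then tests whether ports 5985 and 5986 answer. It assumes the RSAT ActiveDirectory module is installed and the account can read the Configuration naming context; the attribute names used are the standard Exchange ones, but the `networkAddress` parsing is an assumption that may need adjusting in your forest.

```powershell
# Added example (not Fortalice's or Microsoft's code). Assumes RSAT
# ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Find-ExchangeServers {
    # Exchange registers each server as an msExchExchangeServer object under
    # the Configuration NC, so this also catches servers the IT team forgot.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $configNC `
                 -LDAPFilter '(objectClass=msExchExchangeServer)' `
                 -Properties serialNumber, networkAddress |
        ForEach-Object {
            # networkAddress is assumed to carry an entry such as
            # "ncacn_ip_tcp:exch01.corp.example"; fall back to the object name.
            $fqdn = ($_.networkAddress |
                     Where-Object { $_ -like 'ncacn_ip_tcp:*' } |
                     Select-Object -First 1) -replace '^ncacn_ip_tcp:', ''
            [pscustomobject]@{
                Name    = $_.Name
                Fqdn    = if ($fqdn) { $fqdn } else { $_.Name }
                Version = $_.serialNumber   # e.g. "Version 15.1 (Build 2507.12)"
            }
        }
}

function Test-ExchangeRemotingExposure {
    # For each server, report whether the PowerShell remoting ports respond.
    param([Parameter(ValueFromPipeline)] $Server)
    process {
        foreach ($port in 5985, 5986) {
            $result = Test-NetConnection -ComputerName $Server.Fqdn -Port $port `
                          -WarningAction SilentlyContinue
            [pscustomobject]@{
                Server  = $Server.Fqdn
                Version = $Server.Version
                Port    = $port
                Open    = $result.TcpTestSucceeded
            }
        }
    }
}

Find-ExchangeServers | Test-ExchangeRemotingExposure | Format-Table -AutoSize
```

Run from an internal host this only answers the "internally" half of the check; repeat the port test from outside your perimeter (or review firewall and load-balancer rules) to confirm external exposure.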
Microsoft has also published several ways to mitigate the risk these vulnerabilities present; they are summarized in the Recommendation section below.
1. Review your environment for any Microsoft Exchange servers. Fortalice has seen legacy Exchange servers that, through lack of formalized decommissioning processes, have lingered in environments.
2. If you have any Exchange servers on premises, follow the Microsoft guidelines for mitigations.
3. If you need additional assistance, we at Fortalice are willing to assist you in assessing your current risk and roadmapping your future cybersecurity posture.
Increasingly, cyber actors are employing living-off-the-land (LOTL) attacks, which blend (and obscure) their nefarious activities with legitimate tools and infrastructure already found (and regularly used) in your environment to mask their presence while greatly minimizing their chances of detection and attribution. Typically, the introduction of a third-party application generates an alert to the host from an endpoint detection and response (EDR) product. Unfortunately, LOTL enables the actor to skirt detection more easily and effectively.
On June 1, Progress Software (Progress) announced it had identified a vulnerability in its MOVEit File Transfer Tool. The vulnerability allowed cybercriminals to exploit a critical SQL injection that could lead to escalated privileges and potential unauthorized access to the environment.