
Does Palo Alto Networks have coverage for (Microsoft Exchange Server SSRF Vulnerability) CVE-2022-41040 and CVE-2022-41082?

Created On 09/30/22 16:09 PM - Last Modified 04/22/24 07:22 AM


Question


Does Palo Alto Networks have coverage for (Microsoft Exchange Server SSRF Vulnerability) CVE-2022-41040 and CVE-2022-41082?

Environment


- PAN-OS
- Vulnerability Protection (IPS)
- Anti-Virus



Answer


Unit42 Threat Brief:

https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/#post-125265-_rx7hmjhu7g8j

On 09/29/2022 Microsoft announced a new 0-day exploit for Exchange Server, also known as ProxyNotShell:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users’ systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082.

It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities.  

Coverage:

Vulnerability signature Threat ID 91368 (Microsoft Exchange Server SSRF Vulnerability) has been updated in Application and Threat version 8624 for coverage of CVE-2022-41040.

We are working with Microsoft and actively monitoring for potential coverage for CVE-2022-41082. Please keep in mind this attack is a chain, and coverage for CVE-2022-41040 provides protection from the beginning of the chain.

Vendor Article:
https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

Mitre:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41040
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41082


Mitigations:

Microsoft Exchange Online customers do not need to take any action. On-premises Microsoft Exchange customers should review and apply the following URL Rewrite instructions and block exposed Remote PowerShell ports.

The current mitigation is to add a blocking rule in “IIS Manager -> Default Web Site -> Autodiscover -> URL Rewrite -> Actions” to block the known attack patterns. 

Microsoft has confirmed that the following URL Rewrite Instructions, which are currently being discussed publicly, are successful in breaking current attack chains. 

Open the IIS Manager. 
Expand the Default Web Site. 
Select Autodiscover. 
In the Feature View, click URL Rewrite. 

Details for mitigations found here:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

Detections found here as well:
https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
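The URL Rewrite mitigation above is a request-matching condition, so the same condition can be run over IIS logs to check whether requests of that shape reached an Exchange server before the rule was in place. The script below is an added example, not Palo Alto Networks or Microsoft code; it assumes the W3C log field order shown in its constructed sample and assumes the condition from the MSRC guidance linked above (after URL-decoding the request URI, it contains both "autodiscover" and "powershell", case-insensitively). Verify the current pattern against the MSRC post before relying on it.

```python
"""Flag IIS requests that match the ProxyNotShell URL Rewrite condition.

Added example (not from the knowledge base article or Microsoft). Assumes:
- W3C extended log fields in the order given by the #Fields: header below
- the mitigation condition published in the MSRC guidance: after URL-decoding,
  the request URI contains both "autodiscover" and "powershell"
"""
import re
from urllib.parse import unquote

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-30 10:15:01 GET /autodiscover/autodiscover.json a=user%40example.com%2Fpowershell 203.0.113.10 200
2022-09-30 10:15:07 POST /owa/auth.owa - 198.51.100.5 302
2022-09-30 10:16:22 GET /autodiscover/autodiscover.json x=ok 192.0.2.7 200
2022-09-30 10:16:40 GET /ecp/default.aspx - 192.0.2.7 200
"""

# Same condition the IIS rule evaluates: two lookaheads, order-independent,
# case-insensitive, applied to the decoded request URI.
PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def request_uri(stem: str, query: str) -> str:
    """Rebuild IIS REQUEST_URI: stem plus query string when one was logged."""
    return stem if query == "-" else f"{stem}?{query}"


def matches_mitigation(uri: str) -> bool:
    """True if the rule's condition would fire for this URI.

    Decoding first mirrors the {UrlDecode:{REQUEST_URI}} input of the rule,
    so percent-encoded forms of the same request are treated alike.
    """
    return PATTERN.match(unquote(uri)) is not None


def parse_w3c(text: str):
    """Yield one dict per log record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_suspicious(text: str) -> list[tuple[str, str]]:
    """Return (client ip, request uri) for records matching the condition."""
    hits = []
    for rec in parse_w3c(text):
        uri = request_uri(rec["cs-uri-stem"], rec["cs-uri-query"])
        if matches_mitigation(uri):
            hits.append((rec["c-ip"], uri))
    return hits


if __name__ == "__main__":
    for ip, uri in find_suspicious(SAMPLE_LOG):
        print(f"review: {ip} requested {uri}")
```

Only the first sample record is reported: the third record hits the Autodiscover endpoint but lacks the second term, so it is ordinary client traffic under this condition. Run the same function over exported IIS logs from the Exchange front end; a match is a reason to review the request and the account that made it, not proof of compromise on its own.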

We will update this KCS as details emerge.



Additional Information


https://www.computerworld.com/article/2502766/microsoft-may-have-leaked-attack-code-for-critical-windows-bug--says-researcher.html

https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9?gi=a93e3830b690

