Yesterday, Microsoft finally released patches for the Exchange 0-day vulnerabilities that were made public back in September 2022, tracked as CVE-2022-41040 and CVE-2022-41082 (ProxyNotShell).
The full list of vulnerabilities addressed by the update is:
- CVE-2022-41040 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2022-41078 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41123 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41079 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-41080 – Microsoft Exchange Server Elevation of Privilege Vulnerability
The public exploit forced IT teams across the globe to mitigate quickly, only to find that Microsoft's interim mitigation (a URL Rewrite rule blocking the malicious autodiscover request pattern) was itself flawed and had to be revised several times as researchers kept finding bypasses.
Microsoft seems to have taken a very relaxed approach to this 0-day, as if on-premises servers are no longer their focus. IT teams have had to wait over a month for a patch to a vulnerability chain that leads to remote code execution: an authenticated SSRF (CVE-2022-41040) that reaches the Exchange PowerShell backend and triggers CVE-2022-41082.
The patch (KB5019758) is the November 2022 Security Update (SU) for Exchange Server 2013, 2016 and 2019 and is available via Microsoft Update and the Microsoft Download Center. Two practical caveats: the SU only installs on top of a supported Cumulative Update level, so bring the server to a supported CU first, and when installing the .msp manually run it from an elevated command prompt, otherwise the installation can leave Exchange in a half-updated, non-working state.
Executive Summary
If you have not yet mitigated this vulnerability, do so as soon as possible, preferably by installing this latest Security Update; the Microsoft-supplied Exchange On-premises Mitigation Tool (EOMTv2) and the Exchange Emergency Mitigation Service rule only reduce exposure and are not a substitute for the patch. If this is the first you have seen of it, check your Exchange servers for indicators of compromise by running the following PowerShell against the IIS logs on the front end (Client Access) servers.
Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
If the search returns matches, the SSRF request reached the backend PowerShell endpoint with a 200 response, so treat the server as potentially compromised: preserve the logs, analyse the attack further (source addresses, timestamps, what else those clients requested) and then take steps to contain it. Note that the query only detects the SSRF stage of the chain; an absence of hits is not proof that a server is clean, and installing the patch does not undo an existing compromise.
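As an added example (not code from the original post or from Microsoft), the following PowerShell parses the IIS W3C logs from the front-end server field by field instead of regex-matching whole lines, so the match can be restricted to the autodiscover.json stem, an "@" in the query string and the backend /powershell path, while keeping the HTTP status and client address for triage. The function name Find-ProxyNotShellHits is an assumption, and the log lines in $sample are constructed for illustration; against a real server you would feed the function from the log directory as shown in the comment.

```powershell
# Added example (not code from the original post): parse the IIS W3C logs on
# the Exchange front end field by field and flag ProxyNotShell-style requests.
# The function name and the sample log lines below are assumptions/constructed.

function Find-ProxyNotShellHits {
    [CmdletBinding()]
    param(
        # Raw IIS log lines, e.g. piped in from Get-Content on the *.log files.
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $Line
    )
    begin {
        $fields = $null                                   # column names from the #Fields: header
        $hits   = New-Object System.Collections.Generic.List[object]
    }
    process {
        foreach ($l in $Line) {
            # IIS writes a #Fields: header in each log file; map columns by name
            # from it rather than assuming a fixed column order.
            if ($l.StartsWith('#Fields:')) {
                $fields = $l.Substring(8).Trim() -split '\s+'
                continue
            }
            if (-not $fields -or $l.StartsWith('#') -or [string]::IsNullOrWhiteSpace($l)) { continue }

            # W3C format is space-delimited; IIS encodes spaces inside values as '+'.
            $cols = $l -split ' '
            if ($cols.Count -ne $fields.Count) { continue }   # truncated or garbled line
            $rec = @{}
            for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }

            $stem   = $rec['cs-uri-stem']
            $query  = $rec['cs-uri-query']
            $status = $rec['sc-status']

            # SSRF stage of the chain: a request to autodiscover.json whose query
            # carries an '@' (the autodiscover path-confusion trick) and names the
            # backend /powershell endpoint. Matching on parsed fields avoids false
            # positives from a User-Agent or Referer that merely contains "powershell".
            $isAutodiscover = $stem  -match '(?i)^/autodiscover/autodiscover\.json'
            $isSsrfToPs     = ($query -match '@') -and ($query -match '(?i)/powershell')

            if ($isAutodiscover -and $isSsrfToPs) {
                $hits.Add([pscustomobject]@{
                    Time     = "$($rec['date']) $($rec['time'])"
                    ClientIP = $rec['c-ip']
                    User     = $rec['cs-username']
                    Status   = [int]$status
                    # Microsoft's IOC query keys on a 200: the request was answered,
                    # i.e. it got past any mitigation rule and reached the backend.
                    Reached  = ($status -eq '200')
                    Uri      = "$stem?$query"
                })
            }
        }
    }
    end { $hits }
}

# Constructed sample log (header plus three requests; statuses are illustrative).
# Against a real server, feed the function from the log directory instead, e.g.:
#   Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter *.log | Get-Content | Find-ProxyNotShellHits
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-10-03 08:15:01 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3F@example.org 443 CORP\jdoe 203.0.113.7 python-requests/2.28.1 - 200 0 0 41
2022-10-03 08:15:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 17
2022-10-03 08:16:10 10.0.0.5 POST /autodiscover/autodiscover.json @example.org/powershell&Email=autodiscover/autodiscover.json%3F@example.org 443 - 203.0.113.7 python-requests/2.28.1 - 404 0 2 3
'@

$hits = $sample -split "`r?`n" | Find-ProxyNotShellHits
$hits | Format-Table Time, ClientIP, User, Status, Reached, Uri -AutoSize

# Triage view: which source addresses actually got a 200 back.
$hits | Where-Object Reached | Group-Object ClientIP | Select-Object Name, Count
```

On the constructed sample the function reports both autodiscover.json requests from 203.0.113.7 and marks only the first (status 200) as having reached the backend, while the ordinary OWA request is ignored. Because the status is kept as a field rather than baked into the pattern, the same pass also shows blocked attempts, which is useful for knowing who was probing the server even if the mitigation held.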