SecurityWeek

Mitigation for ProxyNotShell Exchange Vulnerabilities Easily Bypassed

A mitigation proposed by Microsoft and others for the new Exchange Server zero-day vulnerabilities named ProxyNotShell can be easily bypassed, researchers warn.

The security holes, officially tracked as CVE-2022-41040 and CVE-2022-41082, can allow an attacker to remotely execute arbitrary code with elevated privileges.

Researcher Kevin Beaumont named the vulnerabilities ProxyNotShell due to similarities to the Exchange vulnerability dubbed ProxyShell, which has been exploited in the wild for more than a year. It seems that Microsoft’s patches for ProxyShell do not completely remove an attack vector.

However, unlike ProxyShell, the new issues can only be exploited by an authenticated attacker, although even standard email user credentials are sufficient.

The high-severity flaws were discovered and reported to Microsoft by Vietnamese cybersecurity company GTSC, whose researchers saw them being exploited in August by a threat actor believed to be linked to China.

Microsoft’s own analysis indicates that a single state-sponsored threat group has chained the Exchange vulnerabilities in attacks aimed at fewer than 10 organizations, but the tech giant expects other malicious actors to start leveraging them in their attacks.

Patches for these vulnerabilities have yet to be released, but Microsoft says it’s working on fixes on an accelerated timeline.

In the meantime, GTSC and Microsoft have proposed a mitigation that involves adding an IIS URL Rewrite rule that should block attack attempts. However, a researcher known as Jang noted that the rule is not effective and can be easily bypassed. Jang did propose a very similar rule that should work.

The CERT Coordination Center at Carnegie Mellon University has released its own advisory for CVE-2022-41040 and CVE-2022-41082, and provided an explanation regarding the problematic mitigation.

[Image: ProxyNotShell mitigation]

Microsoft has released a tool that should automate the mitigation, but at this point it likely applies the rule that can be bypassed.

While details have not been made public for the vulnerabilities in order to prevent abuse, some individuals have been offering ProxyNotShell proof-of-concept (PoC) exploits that have turned out to be fake.

However, some members of the security industry do have working exploits, Beaumont said.

Since exploitation of the vulnerabilities requires authentication, mass exploitation is unlikely at this point, but the flaws can be very valuable in targeted attacks. Some members of the cybersecurity community have released open source tools that can be used to detect the presence of the vulnerabilities.

Microsoft has told Exchange Online customers that they don’t need to take any action, but Beaumont believes that is not true.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
