Microsoft Exchange Zero-day Vulnerabilities
Risk: HIGH
Severity: HIGH
WTS is bringing attention to multiple emerging Microsoft Exchange zero-day vulnerabilities which have been confirmed as being exploited. The zero-days currently have no proof of concept available and have not been assigned any CVE numbers as of yet. The SOC team will be closely monitoring the situation until a patch is available and will send out new information as it becomes available. These vulnerabilities have been reported to Microsoft and are currently tracked under ZDI-CAN-18333 and ZDI-CAN-18802.
If there are any concerns or questions, please reach out to the SOC team.
Vendor: Microsoft
Microsoft Exchange zero-day (CVE Not Available Yet) (CVSS TBD)
Description:
Available information points to one of these being a remote code execution vulnerability.
Attack Vector:
The exploit works in two stages:
- Requests in a format similar to the ProxyShell vulnerability: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com
- Use of that request to reach a component in the backend where the remote code execution could then be carried out.
Severity: High
Versions Affected:
- All on-premises Microsoft Exchange servers
References:
https://www.bleepingcomputer.com/news/security/new-microsoft-exchange-zero-days-actively-exploited-in-attacks/
https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
https://www.huntress.com/blog/new-0-day-vulnerabilities-found-in-microsoft-exchange
https://www.reddit.com/r/msp/comments/xrkfdf/threat_advisory_new_0day_vulnerabilities_found_in/
https://www.zerodayinitiative.com/advisories/upcoming/#:~:text=Zero%20Day%20Initiative-,ZDI%2DCAN%2D18802,-Microsoft
Mitigations:
Until Microsoft releases security updates to address the two zero-days, GTSC shared a temporary mitigation that blocks attack attempts by adding a new IIS server rule using the URL Rewrite module:
- In Autodiscover at FrontEnd, select tab URL Rewrite, and then Request Blocking.
- Add the string ".*autodiscover\.json.*\@.*Powershell.*" to the URL Path.
- Condition input: Choose {REQUEST_URI}
Checking for Compromise
Admins who want to check whether their Exchange servers have already been compromised using this exploit can run the following PowerShell command to scan the IIS log files for indicators of compromise:
- Get-ChildItem -Recurse -Path <Path_IIS_Logs> -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200'
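As an added example (not part of the advisory or GTSC's guidance), the same indicator check rewritten in Python for offline triage of exported logs: it parses IIS W3C log lines by their #Fields: header and applies the advisory's pattern to the request path and query, so the "200" is read from the sc-status field rather than matched anywhere on the line. The log lines are constructed samples; evil.com and the powershell backend path are the advisory's own illustrative values.

```python
import re

# Pattern from the advisory's Select-String check, without the trailing 200,
# which is checked against the sc-status field instead. IIS URL Rewrite and
# Select-String match case-insensitively, so this does too.
HIT_PATTERN = re.compile(r"powershell.*autodiscover\.json.*@", re.IGNORECASE)

# Constructed sample IIS log excerpt (not real traffic): one normal Autodiscover
# call, one ProxyShell-style request answered 200, and the same request rejected 401.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-09-30 08:00:01 10.0.0.5 POST /autodiscover/autodiscover.json Email=user%40example.com 443 - 10.0.0.20 Outlook - 200 0 0 120
2022-09-30 08:00:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 python-requests/2.28 - 200 0 0 350
2022-09-30 08:00:03 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/powershell&Email=autodiscover/autodiscover.json%3f@evil.com 443 - 203.0.113.7 python-requests/2.28 - 401 1 2148074254 15
"""


def parse_iis_w3c(lines):
    """Turn W3C extended log lines into dicts keyed by the names in the #Fields: header."""
    fields, records = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file after an IIS restart
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_suspicious(records):
    """Return requests matching the indicator pattern, flagging those the server answered 200."""
    hits = []
    for r in records:
        url = r.get("cs-uri-stem", "") + "?" + r.get("cs-uri-query", "")
        if HIT_PATTERN.search(url):
            hits.append({
                "time": f'{r.get("date")} {r.get("time")}',
                "client": r.get("c-ip"),
                "status": r.get("sc-status"),
                "succeeded": r.get("sc-status") == "200",   # what the advisory's check keys on
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(parse_iis_w3c(SAMPLE_LOG.splitlines())):
        print(hit)
```

Rejected (non-200) matches are still worth reviewing, since they show the request pattern being tried against the server even when it did not succeed.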
Reported Webshell Paths
- C:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx
- C:\inetpub\wwwroot\aspnet_client\Xml.ashx
- C:\ProgramFiles\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx
Published on and maintained in Cascade.