After Microsoft published guidance on mitigating the two Exchange Server zero-day flaws uncovered last week by Vietnamese security firm GTSC (a server-side request forgery, CVE-2022-41040, chained with a remote code execution flaw, CVE-2022-41082), it quickly became clear that the mitigations Microsoft suggested weren't as effective as the company had hoped.
Over the weekend, Vietnamese security researcher Jang warned, “The URL pattern to detect/prevent the Exchange 0day provided in MSRC’s blog post can easily be bypassed,” suggesting that the following pattern might work instead: .*autodiscover\.json.*Powershell.*
Will Dormann, senior vulnerability analyst at management consulting firm Analygence, concurred, noting, “The ‘@’ in the Microsoft-recommended ‘.*autodiscover\.json.*\@.*Powershell.*’ URL block mitigations for CVE-2022-41040 and CVE-2022-41082 seems unnecessarily precise, and therefore insufficient.” Dormann agreed that Jang’s alternate pattern should work.
Updated Microsoft Guidance
Soon after, GTSC updated its blog post on the vulnerabilities, writing, “After receiving information from Jang (@testanull), we noticed that the regex used in the Rewrite Rule could be bypassed,” agreeing with Jang’s suggested fix and linking to a video demonstrating the issue.
Yesterday, Microsoft updated its own guidance to match Jang’s advice, but it did so without crediting Jang. “Important updates have been made to the Mitigations section improving the URL Rewrite rule,” the company wrote. Microsoft also urged Exchange Server customers to disable remote PowerShell access for non-admin users.
Security researcher Kevin Beaumont, who dubbed the flaws “ProxyNotShell” for their similarities to the ProxyShell vulnerabilities, observed, “[They] have ‘improved’ the rule, but using @testanull’s one.”
Tenable senior research engineer Claire Tills said the key difference between ProxyNotShell and ProxyShell is that the new flaws require authentication whereas ProxyShell did not. “ProxyShell was and remains one of the most exploited attack chains released in 2021,” she noted.
Hybrid and On-Premises Exchange Deployments Affected
In a blog post, Beaumont wrote, “If you manually applied this mitigation you need to manually *change* the mitigation string above. If you ran EOMTv2, you need to redownload the script and run it again. The EOMTv2 website doesn’t say the script has changed — so make sure your admins have the right script.”
Beaumont separately noted that while Microsoft claimed in its guidance that Exchange Online customers don’t need to do anything, Exchange Online customers with hybrid deployments including both on-premises and online do need to take action.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed both flaws as Known Exploited Vulnerabilities.
Scammers Take to GitHub
Scammers quickly jumped on the new flaws’ high profile by trying to “sell” them on GitHub in exchange for Bitcoin. Huntress security researcher John Hammond responded by reporting several of the scammers to GitHub.
These scams appear to be a growing trend. Security researcher Koley noted, “This has been very common with big zero days for the last year or so. GitHub has done nothing to assist.” Another researcher, Rusty, added, “This has been a thing the last few months, been getting popular. I remember the very first one the dude took the effort to create a whole fake POC in python that just echo’d ‘hacking’ looking text. Now they just copy/paste from blogs, and do it for every. single. CVE.”