Is Your Microsoft Exchange Server Vulnerable to ProxyNotShell Flaw?
According to the non-profit Shadowserver Foundation, there are approximately 60,000 IP addresses with internet-facing Microsoft Exchange Server instances still vulnerable to CVE-2022-41082.
This might look like a standard Exchange Server bug, but it’s actually a lot worse. It’s really two flaws in one. The first flaw is a server-side request forgery in the Exchange API. The second is a remote code execution bug. We call this bug ProxyNotShell because it’s reminiscent of the ProxyShell bugs that plagued Microsoft servers earlier this year.
Microsoft did not patch this vulnerability until its November Patch Tuesday release. It was a long wait, but Microsoft said it was necessary to protect customers. You should still take action, though — follow Microsoft’s instructions for the Autodiscover endpoint to mitigate the vulnerability until it can be patched.
However, CrowdStrike published a blog post last month revealing a new exploit chain called “OWASSRF” that bypasses Microsoft’s URL Rewrite mitigation. OWASSRF combines the ProxyNotShell bug CVE-2022-41082 with the elevation of privilege flaw CVE-2022-41080 and has been used in several Play ransomware attacks in recent weeks.
A company that is still relying on the old fix against the new chain is at risk. The new chain is particularly dangerous because it affects organizations that had already patched the previous one. CrowdStrike and Rapid7 have both seen an increase in Exchange Server compromises involving the new chain.
A nonprofit cybersecurity group called Shadowserver has been scanning for IP addresses with instances of Microsoft Exchange that are likely vulnerable to CVE-2022-41082. On Dec. 21, the day after CrowdStrike’s research went live, Shadowserver found 83,946 IP addresses. As of Jan. 2, that number dropped to 60,865.
Update your vulnerable Microsoft Exchange servers as soon as possible.