Microsoft updates guidance for ‘ProxyNotShell’ bugs after researchers get around mitigations
Microsoft has updated the guidance it provided for two zero-day vulnerabilities discovered last week affecting Exchange Server software.
The original guidance provided for the bugs, which are known colloquially as “ProxyNotShell”, was found to be insufficient in addressing the issues, according to several security researchers who spent the weekend examining it.
Dray Agha, senior threatOps analyst team lead at cybersecurity firm Huntress, explained that the original mitigations provided by Microsoft were “unfortunately easy to maliciously subvert.”
“Those who applied the original mitigations were still vulnerable due to this mitigation bypass,” he said. As of Tuesday, Microsoft has “re-updated the script that will automate mitigations, with this bypass in mind.”
“Unfortunately, we are likely to see this become a game of cat-and-mouse, as adversaries and security researchers alike find new ways to bypass the mitigations from Microsoft.”
Last week, Microsoft confirmed it was investigating the issues following a report from Vietnamese cybersecurity firm GTSC that the vulnerabilities are being exploited in the wild. GTSC reported the issue to Trend Micro’s Zero Day Initiative, which confirmed the bugs.
Microsoft said it observed attacks using the bugs “in fewer than 10 organizations globally.”
“MSTIC assesses with medium confidence that the single activity group is likely to be a state-sponsored organization,” the company’s security team explained.
One is a server-side request forgery (SSRF) vulnerability, designated CVE-2022-41040, which an attacker holding credentials for a user account on the mail server can use to reach internal endpoints that should not be exposed to them. The second, CVE-2022-41082, allows remote code execution and resembles the 2021 ProxyShell issues that caused chaos for many companies; Microsoft’s advisory notes that an authenticated attacker can use the SSRF to remotely trigger the RCE. GTSC said it was not yet comfortable releasing the technical details for the vulnerabilities.
Remote code execution vulnerabilities are considered especially dangerous because they let attackers run code of their choosing on the victim’s systems, rather than merely read or alter data. Email servers are also central to day-to-day operations and hold sensitive information, making them attractive targets for attackers.
The Cybersecurity and Infrastructure Security Agency (CISA) added both bugs to its Known Exploited Vulnerabilities catalog within hours of their public disclosure, while Microsoft confirmed on Thursday that the problems are currently being exploited and affect those running Microsoft Exchange Server 2013, 2016, and 2019 on-premises.
Huntress senior security researcher John Hammond confirmed that Microsoft’s original mitigation guidance could be easily circumvented but noted that Microsoft has provided updated automated tools that provide the best protection while an official patch is in the works.
Chester Wisniewski, principal research scientist at Sophos, said there is an “extremely small number of victims known to have been targeted with this vulnerability, which is buying us all a little bit of time to implement mitigations and prepare for fixes when Microsoft is able to provide them.”
“We are all still waiting for an official patch,” Wisniewski said. “IT teams should be at the ready to apply the official patch as quickly as possible when it is published, as we expect attackers will reverse engineer the fix to determine how to exploit this flaw in short order upon being made available.”
Tenable’s Claire Tills explained that the bugs appear to be variants of ProxyShell, a chain of Exchange vulnerabilities disclosed in 2021.
The key difference, according to Tills, is that both of the latest vulnerabilities require authentication where ProxyShell did not.
ProxyShell, she added, “was and remains one of the most exploited attack chains released in 2021.”
Cybercriminal interest
Both vulnerabilities are being spotlighted on cybercriminal forums, according to researchers from cybersecurity firm Flashpoint.
Several researchers said they saw fake exploits for the bug being sold on GitHub, and Flashpoint researchers told The Record that they saw an exploit being sold for $250,000 on Russian-language hacking and malware forum Exploit. They were unable to verify whether the exploit was real or another fake.
Flashpoint, like several other experts, also took issue with Microsoft’s insistence that Exchange Online customers do not need to take any action. Flashpoint researchers said this could lull into a false sense of security those customers who migrated to Exchange Online but kept an on-premises Exchange server in a hybrid configuration.
“In this instance, it would still be the customer's onus to self-mitigate the hybrid server,” they said.
“Per Microsoft’s own guidance regarding Exchange Server updates in general: ‘Even if you are only using Exchange Server on-premises to manage Exchange-related objects, you need to keep the server current.’”
Microsoft did not respond to requests for comment, only pointing The Record to the original mitigation document.
Unfortunately, several researchers have already found ways around the updated mitigations Microsoft recently released.
There's a bypass to the fix to the bypass to the mitigation for ProxyNotShell / CVE-2022-41040. https://t.co/uzQUqRrV7U
— Will Dormann (@wdormann) October 5, 2022
Because characters can be encoded, looking for ".*autodiscover.json.*Powershell.*" in {REQUEST_URI} isn't sufficient.
Use {UrlDecode:{REQUEST_URI}} instead!
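The bypass Dormann describes is a matching-layer problem: the URL Rewrite rule looks for a literal substring, but IIS hands it the raw request URI, so an attacker only has to percent-encode one character of `autodiscover.json` or `Powershell` to slip past. The script below is an added example written for this article, not code from Microsoft, Huntress or Dormann. It applies the pattern quoted in the tweet to a handful of constructed request strings, once against the raw URI (the original rule) and once after a single percent-decode (what `{UrlDecode:{REQUEST_URI}}` does). Assumptions: `urllib.parse.unquote` stands in for the IIS `UrlDecode` function, the pattern is matched case-insensitively as URL Rewrite does by default, and the sample URIs are made-up test strings that merely exercise the regex, not exploit requests.

```python
import re
from urllib.parse import unquote

# Pattern as quoted in the tweet. Note the unescaped '.' in "autodiscover.json",
# which matches any single character; it is reproduced here as written.
# URL Rewrite conditions are case-insensitive by default, hence re.IGNORECASE.
BLOCK_PATTERN = re.compile(r".*autodiscover.json.*Powershell.*", re.IGNORECASE)

# Constructed request URIs for exercising the rule (test strings, not an exploit).
SAMPLES = {
    "plain":          "/autodiscover/autodiscover.json?x@example.com/powershell",
    "encoded_p":      "/autodiscover/autodiscover.json?x@example.com/%50owershell",
    "encoded_dot":    "/autodiscover/autodiscover%2Ejson?x@example.com/powershell",
    "double_encoded": "/autodiscover/autodiscover.json?x@example.com/%2550owershell",
    "benign":         "/owa/auth/logon.aspx",
}


def blocked_raw(request_uri: str) -> bool:
    """Original rule: regex applied to the raw {REQUEST_URI} as IIS sees it."""
    return BLOCK_PATTERN.search(request_uri) is not None


def blocked_decoded(request_uri: str) -> bool:
    """Updated rule: percent-decode once (as {UrlDecode:{REQUEST_URI}} does), then match.

    A single decode pass does not normalise double-encoding; whether such a request
    ever reaches the rewrite rule depends on other IIS processing not modelled here.
    """
    return BLOCK_PATTERN.search(unquote(request_uri)) is not None


def evaluate(samples: dict[str, str]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (blocked by raw rule, blocked by decoded rule)} for each sample."""
    return {name: (blocked_raw(uri), blocked_decoded(uri)) for name, uri in samples.items()}


if __name__ == "__main__":
    for name, (raw, decoded) in evaluate(SAMPLES).items():
        print(f"{name:15s} raw_rule={'BLOCK' if raw else 'pass '}  decoded_rule={'BLOCK' if decoded else 'pass '}")
```

Running it shows the point of the tweet: the plain request is caught by both variants, while encoding a single character (`%50owershell`, `autodiscover%2Ejson`) sails past the raw-URI rule and is stopped only after decoding. It also shows the limit of the fix: a double-encoded value survives one decode pass, which is the kind of variant that keeps the cat-and-mouse game going until a real patch removes the underlying flaw.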
Mike Parkin, senior technical engineer at Vulcan Cyber, noted that the repeated revisions show the pitfalls of mitigations designed around a specific threat without taking into account other attacks that could bypass the temporary solution.
“Hopefully, Microsoft will release a patch soon that will address the numerous on-premises Exchange servers that are potentially vulnerable,” he said.
Jonathan Greig
is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.