On September 30, 2022, Microsoft disclosed two vulnerabilities affecting on-premises Microsoft Exchange Server. Because they closely resemble their predecessor ProxyShell, the pair was named ProxyNotShell. Adversaries have exploited the ProxyNotShell vulnerabilities in the wild to gain remote code execution (RCE) on vulnerable Exchange servers. Victim statistics show that the exploited Exchange servers were up to date and already patched against the ProxyShell vulnerabilities.
At the time of discovery, the ProxyNotShell vulnerabilities affected the latest versions of Exchange Server, and the security researchers involved chose not to release a proof-of-concept in order to limit abuse. Microsoft patched Exchange Server on November 8, 2022, and organizations are advised to install the updates.
Picus Labs added new attack simulations for ProxyNotShell vulnerability exploitation attacks to Picus Threat Library. In this blog, we explain CVE-2022-41040 and CVE-2022-41082 vulnerabilities in detail.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
What Is ProxyNotShell?
ProxyNotShell, like its predecessor ProxyShell, is not a single vulnerability but a pair of vulnerabilities that can be chained to gain control of Microsoft Exchange servers. Because they were exploited in the wild while fully patched Exchange servers were still affected and no fix was available, the ProxyNotShell vulnerabilities are considered zero-day vulnerabilities.
CVE-2022-41040: The first is a Server-Side Request Forgery (SSRF) vulnerability in the Exchange Autodiscover front end. It allows an authenticated adversary, holding credentials for any Exchange user, to reach the PowerShell back end remotely and trigger the second vulnerability, CVE-2022-41082.
CVE-2022-41082: The second allows Remote Code Execution (RCE) when the Exchange PowerShell back end is reachable by the attacker, which is exactly the access the SSRF provides.
Because exploiting CVE-2022-41040 and CVE-2022-41082 follows the same attack flow adversaries use for ProxyShell (an SSRF in Autodiscover chained into a back-end RCE), but requires authenticated access to the Exchange Server, Kevin Beaumont named this chain of vulnerabilities ProxyNotShell, after its predecessor.
On November 8, 2022, Microsoft released updates for Exchange Server, and organizations are advised to update their Exchange Servers to the latest version.
What Was ProxyShell?
ProxyShell is the collective name for three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting unpatched on-premises versions of Microsoft Exchange Server only. When chained together, they enable adversaries to perform unauthenticated (pre-auth) remote code execution (RCE).
These vulnerabilities lie in the Microsoft Client Access Service (CAS) in the IIS web server. Unfortunately, due to its nature, CAS is publicly exposed to the Internet to enable users to access their email via their mobile devices and web browsers. This exposure helped attackers remotely execute arbitrary code on the compromised system, similar to HAFNIUM APT campaigns.
Even though Microsoft released patches for each vulnerability between May and July 2021, threat actors such as the Hive ransomware gang still exploit the three ProxyShell vulnerabilities in unpatched Microsoft Exchange Servers. Considering that two of the ProxyShell vulnerabilities have a CVSS score of 9.8 (Critical) and that many on-premises Exchange Servers remain unpatched, it is no surprise that adversaries keep targeting them. Please visit our blog on simulating and preventing ProxyShell exploits for further information.
Technical Details of ProxyNotShell
The first vulnerability in the ProxyNotShell exploitation chain is CVE-2022-41040, a Server-Side Request Forgery (SSRF) vulnerability in the Exchange Autodiscover front end that is reachable by any authenticated Exchange user. It has a CVSS score of 8.8 (High). Adversaries exploit CVE-2022-41040 to send a request with a controlled URI and controlled data to an arbitrary back-end service, which processes it with LocalSystem privilege.
GET /autodiscover/autodiscover.json?@zdi/PowerShell?serializationLevel=Full;ExchClientVer=15.2.922.7;clientApplication=ManagementShell;TargetServer=;PSVersion=5.1.17763.592&Email=autodiscover/autodiscover.json%3F@zdi HTTP/1.1
Example 1: CVE-2022-41040 exploit PoC [1]
The second vulnerability in the ProxyNotShell chain is CVE-2022-41082, a remote code execution vulnerability in the Exchange PowerShell back end (an insecure deserialization issue in PowerShell remoting, tracked by ZDI as ZDI-22-1624). It also has a CVSS score of 8.8 (High). After reaching the PowerShell back end through CVE-2022-41040 with low-privileged credentials, adversaries exploit CVE-2022-41082 to run arbitrary commands on vulnerable Exchange Servers.
Security researchers discovered these vulnerabilities only after they had been exploited in the wild. Log data shows that the adversaries' exploit attempts used the same URI format as ProxyShell exploitation in 2021.
Example 2: IIS logs of a successful exploit of ProxyShell vulnerabilities in 2021
After successful exploitation, adversaries insert a backdoor into Exchange servers to establish persistence and move on with lateral movement techniques to accomplish their objectives.
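The Autodiscover request quoted in Example 1 and the 2021 ProxyShell log pattern of Example 2 share one primitive: an "@" in the query string followed by a back-end path, which the front end proxies on the attacker's behalf. The script below is an added example, not code from the original post or from Picus, that triages IIS W3C log lines for that primitive and separates the authenticated ProxyNotShell variant (PowerShell back end, cs-username populated) from the ProxyShell style (other back ends, often no username). The log lines, the abbreviated "#Fields:" selection and the client addresses are constructed for illustration. Microsoft's URL Rewrite mitigation for ProxyNotShell blocked the same Autodiscover-to-PowerShell pattern, and its first published regex had to be broadened after researchers showed it could be sidestepped by varying the request, which is why the script URL-decodes and lower-cases before matching.

```python
import re
from urllib.parse import unquote

# Added example (not from the original post): triage IIS W3C logs for the
# Autodiscover SSRF pattern shared by ProxyShell (2021) and ProxyNotShell (2022).
# The field list is a typical but abbreviated IIS selection (assumption), and
# every log line below is constructed for illustration.

IIS_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
              "s-port", "cs-username", "c-ip", "sc-status"]

SAMPLE_IIS_LOGS = [
    "#Fields: " + " ".join(IIS_FIELDS),
    # Benign OWA traffic.
    "2022-09-30 10:01:02 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 192.0.2.10 200",
    # ProxyNotShell: an authenticated user reaches the PowerShell back end via
    # Autodiscover (query string follows the PoC format quoted in the post).
    "2022-09-30 10:01:07 10.0.0.5 POST /autodiscover/autodiscover.json "
    "@zdi/PowerShell?serializationLevel=Full;ExchClientVer=15.2.922.7;"
    "clientApplication=ManagementShell;TargetServer=;PSVersion=5.1.17763.592"
    "&Email=autodiscover/autodiscover.json%3F@zdi 443 CONTOSO\\alice 198.51.100.23 200",
    # ProxyShell-style (2021) unauthenticated request to the MAPI/NSPI back end.
    "2022-09-30 10:02:15 10.0.0.5 GET /autodiscover/autodiscover.json "
    "@evil.corp/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.corp "
    "443 - 198.51.100.23 200",
    # Same ProxyNotShell primitive, with %40 for "@" and mixed case to dodge naive matching.
    "2022-09-30 10:02:40 10.0.0.5 POST /autodiscover/autodiscover.json "
    "%40evil.corp/PoWeRsHeLl?serializationLevel=Full&Email=autodiscover/autodiscover.json%3F%40evil.corp "
    "443 CONTOSO\\alice 198.51.100.23 200",
    # Legitimate Autodiscover lookup: contains "@" but no smuggled back-end path.
    "2022-09-30 10:03:40 10.0.0.5 POST /autodiscover/autodiscover.json "
    "Email=bob@contoso.com 443 CONTOSO\\bob 192.0.2.11 200",
]

AUTODISCOVER_RE = re.compile(r"autodiscover\.json")
# "@<anything without a slash>/<back-end path>": the front end treats the text before
# "@" as user info and forwards the request to the path after it.
SMUGGLED_BACKEND_RE = re.compile(r"@[^/\s]*/(?P<backend>[a-z0-9_./-]+)")


def parse_iis_line(line):
    """Split one W3C log line into a dict; return None for comment or malformed lines."""
    if line.startswith("#"):
        return None
    parts = line.split(" ", len(IIS_FIELDS) - 1)
    if len(parts) != len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def classify_request(stem, query):
    """Return 'proxynotshell', 'proxyshell' or None for one request."""
    query = "" if query == "-" else query
    # Decode and lower-case first so %40 and PowerShell/powershell variants are all seen.
    uri = unquote(f"{stem}?{query}").lower()
    if not AUTODISCOVER_RE.search(uri):
        return None
    m = SMUGGLED_BACKEND_RE.search(uri)
    if m is None:
        return None
    # A PowerShell back-end target is the ProxyNotShell chain; any other smuggled
    # back end (mapi, ews, ...) is the 2021 ProxyShell pattern.
    return "proxynotshell" if m.group("backend").startswith("powershell") else "proxyshell"


def triage(lines):
    """Return (time, c-ip, cs-username, sc-status, verdict) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_iis_line(line)
        if rec is None:
            continue
        verdict = classify_request(rec["cs-uri-stem"], rec["cs-uri-query"])
        if verdict:
            hits.append((rec["time"], rec["c-ip"], rec["cs-username"], rec["sc-status"], verdict))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_IIS_LOGS):
        print(hit)
```

Run against real logs, the cs-username on a ProxyNotShell hit is the account whose credentials the attacker used, so reset it and look for the same source address against other services; an sc-status of 200 on the smuggled request means the back end answered and the host should be treated as compromised until the presence of a dropped backdoor is ruled out.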
How Does Picus Help Simulate ProxyNotShell Attacks?
We also strongly suggest simulating ProxyNotShell attacks to test the effectiveness of your security controls against vulnerability exploitation attacks using the Picus Complete Security Validation Platform. You can test your defenses against ProxyShell, Log4Shell, and hundreds of other vulnerabilities within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for ProxyNotShell and other Microsoft Exchange vulnerabilities:
Threat ID | Threat Name | Attack Module
23704 | Microsoft Exchange Server ProxyNotShell Web Attack Campaign | Web Application
24723 | Microsoft Exchange Web Attack Campaign | Web Application
Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures that block these exploitation attacks in preventive security controls. Currently, Picus Labs has validated the following signatures:
Security Control | Signature ID | Signature Name
Check Point NGFW | asm_dynamic_prop_CVE_2022_41080 | Microsoft Exchange Server Server-Side Request Forgery (CVE-2022-41080)
Check Point NGFW | asm_dynamic_prop_CVE_2022_41082 | Microsoft Exchange Server Remote Code Execution (CVE-2022-41082)
Cisco Firepower NGFW | 1.61042.1 | SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
Fortigate IPS | 50584 | web_app3: MS.Exchange.Server.Autodiscover.Remote.Code.Execution
Fortigate IPS | 52448 | web_app3: MS.Exchange.Server.OWA.Remote.Code.Execution
Snort IPS | 1.2039065.2 | ET EXPLOIT Microsoft Exchange Remote Code Execution Attempt (CVE-2022-41040, CVE-2022-41082)
Snort IPS | 1.61042.1 | SERVER-WEBAPP Microsoft Exchange Server remote code execution attempt
Tipping Point TPS | 41776 | HTTP: Microsoft Exchange PowerShell Insecure Deserialization Vulnerability (ZDI-22-1624)
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus Complete Security Validation Platform.
References
[1] P. Bazydło, "Control Your Types or Get Pwned: Remote Code Execution in Exchange PowerShell Backend," Zero Day Initiative, Nov. 16, 2022. [Online]. Available: https://www.thezdi.com/blog/2022/11/14/control-your-types-or-get-pwned-remote-code-execution-in-exchange-powershell-backend. [Accessed: Nov. 18, 2022]