Barracuda Web Application Firewall

Zero-Day Microsoft Exchange Server: Critical Vulnerability


This article provides information on recently discovered zero-day vulnerabilities in the Microsoft Exchange Server versions 2013, 2016, and 2019.

The following table provides key information about the vulnerabilities.

Vulnerability   | Common Name    | Pattern | Mitigation Technique | Barracuda Advisory | Notes
----------------|----------------|---------|----------------------|--------------------|--------------
CVE-2022-41040  | #proxynotshell | SSRF    | Manual Configuration | 30 September 2022  | First Release
CVE-2022-41082  | #proxynotshell | RCE     | Manual Configuration | 30 September 2022  | First Release

Description 

CVE-2022-41040 & CVE-2022-41082

Information about these vulnerabilities was first published on September 29, 2022. They affect Microsoft Exchange Server 2013, 2016, and 2019. An attacker needs access to the vulnerable system as an authenticated user to exploit them. First, the SSRF (CVE-2022-41040) is used to gain access to the Exchange PowerShell; the attacker can then carry out the RCE described in CVE-2022-41082.

Barracuda WAF/WaaS/ADC is not affected by these vulnerabilities.

CVE            | Criticality & CVSS Score | Exploit Type | Software Firmware Versions                     | Barracuda WAF Affected
---------------|--------------------------|--------------|-----------------------------------------------|-----------------------
CVE-2022-41040 | Zero-Day, Critical       | SSRF         | Microsoft Exchange Server 2013, 2016, and 2019 | NO
CVE-2022-41082 | Zero-Day, Critical       | RCE          | Microsoft Exchange Server 2013, 2016, and 2019 | NO

Exploit

CVE-2022-41040 is a Server-Side Request Forgery (SSRF) vulnerability and CVE-2022-41082 allows Remote Code Execution (RCE) when the Exchange PowerShell is accessible to the attacker.

Barracuda WAF Manual Mitigation Configuration

  1. Go to WEBSITES > Allow/Deny/Redirect.
  2. In the URL: Allow/Deny/Redirect Rules, click the Select drop-down list next to the service and select Add.
  3. In the Create ACL page:
    1. Enter a name and the URL match.
    2. In Extended Match:
      1. Click the edit icon and set the Element Type as URI, the Operation as regex contains, and the Value as .*autodiscover.*powershell
      2. Click Insert.
      3. Again, in the Value, replace the regex with .*powershell.*autodiscover
      4. Change the Concatenate option to or.
      5. Click Insert and Apply.
    3. Set Action to Deny and Log.
    4. Click Save.

This may result in some false positives, depending on how the application names other parameters. Accordingly, the administrator can create the pattern in Passive Mode first and review the Web Firewall Logs it generates before switching the action to Deny.
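To see what the two URI rules above actually deny, and why Passive Mode review matters, the following added example (not Barracuda's code, and not an appliance API) applies the same two regexes joined with "or" to constructed request URIs and access-log lines. The case-insensitive comparison is an assumption for this illustration; confirm how the appliance's "regex contains" operation treats case before relying on it. The last sample line shows the kind of false positive the text warns about: an application whose own parameter names contain both tokens.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two URI regexes from the mitigation steps above, combined with "or".
URI_PATTERNS = [r".*autodiscover.*powershell", r".*powershell.*autodiscover"]

# Assumption: matching is case-insensitive. Verify the appliance's own behaviour.
_COMPILED = [re.compile(p, re.IGNORECASE) for p in URI_PATTERNS]


@dataclass
class Verdict:
    uri: str
    denied: bool
    pattern: Optional[str]  # which rule fired, or None if neither did


def evaluate_uri(uri: str) -> Verdict:
    """Return a Deny verdict for a URI that matches either rule, as the ACL would."""
    for rx in _COMPILED:
        if rx.search(uri):
            return Verdict(uri, True, rx.pattern)
    return Verdict(uri, False, None)


def review_passive_log(log_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Split access-log lines into URIs the rule would deny and URIs it would allow.

    Each line is "<timestamp> <method> <uri> <status>"; malformed lines are skipped.
    This stands in for reading the Web Firewall Logs while the rule is in Passive Mode.
    """
    denied, allowed = [], []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        uri = parts[2]
        (denied if evaluate_uri(uri).denied else allowed).append(uri)
    return denied, allowed


# Constructed sample traffic for illustration only (not real logs).
SAMPLE_LOG = [
    "2022-09-30T08:00:01Z GET /owa/auth/logon.aspx 200",
    "2022-09-30T08:00:02Z POST /autodiscover/autodiscover.xml 200",
    "2022-09-30T08:00:03Z GET /autodiscover/autodiscover.json/powershell 401",
    "2022-09-30T08:00:04Z GET /powershell?target=autodiscover 401",
    # Benign application URI that still trips the rule: a false positive to review.
    "2022-09-30T08:00:05Z GET /app/report?module=PowerShell&scope=AutoDiscover 200",
]

if __name__ == "__main__":
    would_deny, would_allow = review_passive_log(SAMPLE_LOG)
    print("would be denied:", would_deny)
    print("would be allowed:", would_allow)
```

Running the block lists three URIs that the rule would deny, the last of which is legitimate application traffic; that is the case Passive Mode review is meant to surface before the action is switched to Deny and Log.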

After evaluating the CVEs, Barracuda Networks will publish signatures to mitigate the vulnerabilities. Meanwhile, you can contact Barracuda Networks Technical Support to obtain an interim signature, which is crafted from the available threat research data.

Recommendation

As a best practice, it is recommended that you consider interim mitigations and recommendations from Microsoft to protect your Microsoft Exchange Server.

Vendor Advisory:  https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
