Microsoft has updated the mitigations for the latest Exchange Server vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082 (also referred to as ProxyNotShell).
The initial recommendations were insufficient: researchers showed that the proposed URL Rewrite rule could be bypassed with little effort, and demonstrated further ways of exploiting the two vulnerabilities.
In other words, the originally proposed mitigation could still allow ProxyNotShell attacks.
The two bugs are a server-side request forgery (CVE-2022-41040) and a remote code execution flaw (CVE-2022-41082) in on-premises Exchange Server; chained together, they are what is being called ProxyNotShell.
Both issues are rated high severity even though exploiting them requires authentication to the server.
Vietnamese security company GTSC detected exploitation of the bug chain in August, when an attacker used it to install China Chopper web shells, perform Active Directory reconnaissance, and exfiltrate data.
Microsoft on October 3 released mitigations to prevent the known attacks. Because the proposed URL-blocking rule was too specific, adversaries could tweak their requests and still exploit the Exchange vulnerabilities.
Security researchers therefore proposed a less specific rule as a temporary fix. Patches are not yet available, so the mitigations remain the only protection for affected on-premises Exchange servers.
Microsoft has adopted the improved recommendation. The main difference between the initial rule and the new one lies in the match pattern and the condition input, which the manual steps further down show.
Microsoft has updated its mitigation for the ProxyNotShell zero-day bugs; this is a mitigation, not yet a patch.
However, the {REQUEST_URI} condition input used in the original URL Rewrite rule is matched against the raw, undecoded request, which still allows attackers to bypass the mitigation.
Security researcher Jang noticed that the original pattern was too specific: it only matched when the request used one particular encoding, and stopped matching as soon as a character was encoded differently.
Bypassing Microsoft's mitigation for ProxyNotShell
Vulnerability analyst Will Dormann confirmed that the bypass works. The original pattern requires a literal '@' character, but {REQUEST_URI} is the raw request string, so percent-encoding that one character (as %40) is enough to stop the rule from matching.
The improved pattern drops the '@' entirely: .*autodiscover\.json.*Powershell.*
Security researcher Kevin Beaumont notes that, even with Microsoft's mitigation in place, percent-encoding a single character of the filtered string is enough to bypass it.
ProxyNotShell is not a Microsoft protection feature but the name given to this exploit chain. The mitigation Microsoft shipped for it was flawed and, in its initial form, not reliable enough to protect systems.
Microsoft updated the mitigation to account for URL-encoded requests, switching the condition input from {REQUEST_URI} to {UrlDecode:{REQUEST_URI}} so that the pattern is matched against the decoded request.
Beaumont, who monitors and analyzes ProxyNotShell attack attempts, observed threat actors using both the request variant that Microsoft's original rule blocks and variants that get past it.
To check the find, GreyNoise, which tracks internet-wide scanning, cross-checked 24 IP addresses from 12 different countries against its network scan data and found six of them associated with malicious scanning.
GreyNoise also tracks scanning for the ProxyNotShell vulnerabilities specifically, but had not seen the remaining addresses in that data.
There are three mitigation options
Microsoft announced on Tuesday that it updated its security advisories to include a new URL Rewrite rule, recommending Exchange Server customers review it and adopt one of the three mitigation options provided.
Customers with the Exchange Emergency Mitigation Service (EEMS) enabled receive the updated URL Rewrite mitigation automatically on Exchange Server 2016 and Exchange Server 2019.
The latest EOMTv2 script has been updated to include the new URL Rewrite rule. It is the option for servers where EEMS is not available, for example servers that cannot reach the service or Exchange Server 2013, which EEMS does not support.
The third option is to manually delete the previously created rule and then create an improved one with the updated pattern and condition.
The best option depends on your change-management process and whether it can accommodate automated mitigations like EEMS.
Open IIS Manager.
Select Default Web Site.
In the Feature View, click URL Rewrite.
In the Actions pane on the right, click Add Rule(s)…
Select Request Blocking and click OK.
Add the string ".*autodiscover\.json.*Powershell.*" (excluding quotes).
Select Regular Expression under Using.
Select Abort Request under How to block, then click OK.
Expand the rule, select the rule with the pattern .*autodiscover\.json.*Powershell.*, and click Edit under Conditions.
Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and click OK.
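The same rule can be created without clicking through IIS Manager. The script below is an added example (it is not Microsoft's EOMTv2 script and not part of the original article) that uses the WebAdministration module shipped with IIS. It assumes the URL Rewrite module is installed, that the rule goes on Default Web Site as in the steps above, and it uses a hypothetical rule name; run it from an elevated PowerShell session on the Exchange server.

```powershell
# Added example (not Microsoft's EOMTv2 script): create the Request Blocking rule from
# the manual steps with the WebAdministration module, then read it back for verification.
Import-Module WebAdministration

$SitePath  = 'IIS:\Sites\Default Web Site'               # site chosen in the manual steps
$RulesPath = 'system.webServer/rewrite/rules'            # URL Rewrite rule collection
$RuleName  = 'ProxyNotShell URL Rewrite mitigation'     # hypothetical name, pick your own
$Pattern   = '.*autodiscover\.json.*Powershell.*'        # updated pattern (no literal '@')
$Condition = '{UrlDecode:{REQUEST_URI}}'                 # decoded input, not raw {REQUEST_URI}

function Add-ProxyNotShellBlockingRule {
    $ruleFilter = "$RulesPath/rule[@name='$RuleName']"

    # Idempotent: drop a stale copy first so re-running does not duplicate the rule.
    if (Get-WebConfiguration -PSPath $SitePath -Filter $ruleFilter) {
        Clear-WebConfiguration -PSPath $SitePath -Filter $ruleFilter
    }

    # Rule shell: regex syntax, stop processing further rules once it matches.
    Add-WebConfigurationProperty -PSPath $SitePath -Filter $RulesPath -Name '.' -Value @{
        name = $RuleName; patternSyntax = 'ECMAScript'; stopProcessing = 'True'
    }
    # Match every URL; the real filter lives in the condition, as in the IIS Manager steps.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$ruleFilter/match" -Name 'url' -Value '.*'
    Add-WebConfigurationProperty -PSPath $SitePath -Filter "$ruleFilter/conditions" -Name '.' -Value @{
        input = $Condition; pattern = $Pattern
    }
    # AbortRequest is the "Abort Request" choice under "How to block".
    Set-WebConfigurationProperty -PSPath $SitePath -Filter "$ruleFilter/action" -Name 'type' -Value 'AbortRequest'
}

function Get-ProxyNotShellBlockingRule {
    # Read the condition back so you can confirm the decoded input and pattern made it in.
    $condFilter = "$RulesPath/rule[@name='$RuleName']/conditions/add"
    $input   = Get-WebConfigurationProperty -PSPath $SitePath -Filter $condFilter -Name 'input'
    $pattern = Get-WebConfigurationProperty -PSPath $SitePath -Filter $condFilter -Name 'pattern'
    [pscustomobject]@{
        Rule           = $RuleName
        ConditionInput = $input.Value
        Pattern        = $pattern.Value
    }
}

Add-ProxyNotShellBlockingRule
Get-ProxyNotShellBlockingRule
```

After running it, the returned object should show {UrlDecode:{REQUEST_URI}} as the condition input; if it still shows {URL} or {REQUEST_URI}, the rule is the bypassable variant described above. The change is written to the site's web.config, so keep it under change control like any other Exchange configuration edit.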
Microsoft recommends disabling remote PowerShell access for non-admin users. The less-than-five minute operation can be enforced for only one or multiple users.
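One way to apply that recommendation to many users at once, as an added example that is not Microsoft's own guidance text: the function below, run from the Exchange Management Shell, disables remote PowerShell for every user who is not a member of the Organization Management role group. It assumes that role group is the only set of administrators to exclude and checks membership one level deep only; both are assumptions you should adjust to your environment.

```powershell
# Added example (not from the original article or from Microsoft): disable remote PowerShell
# for non-admin users in bulk. Run in the Exchange Management Shell. The admin role group
# name is an assumption, and nested group membership is not expanded (also an assumption).
function Disable-RemotePowerShellForNonAdmins {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string] $AdminRoleGroup = 'Organization Management'   # assumed admin group to exclude
    )

    # Distinguished names of the administrators we must not touch.
    $adminDns = Get-RoleGroupMember -Identity $AdminRoleGroup |
        ForEach-Object { $_.DistinguishedName }

    # Everyone who still has remote PowerShell and is not an administrator.
    $targets = Get-User -ResultSize Unlimited |
        Where-Object { $_.RemotePowerShellEnabled -and ($adminDns -notcontains $_.DistinguishedName) }

    foreach ($user in $targets) {
        # ShouldProcess honours -WhatIf / -Confirm so a dry run is possible first.
        if ($PSCmdlet.ShouldProcess($user.Identity, 'Disable remote PowerShell')) {
            Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        }
    }

    # Return what was (or would be) changed so the run can be recorded.
    return $targets | Select-Object Identity, DistinguishedName
}

# Dry run first to review the list, then run for real:
Disable-RemotePowerShellForNonAdmins -WhatIf
# Disable-RemotePowerShellForNonAdmins
```

Review the dry-run output before the real run: service accounts and automation that legitimately connect over remote PowerShell will appear in it and need to be excluded explicitly.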
Exchange Online customers are already protected from these attack vectors. Customers running on-premises Exchange servers, including hybrid deployments, can only be protected by applying the mitigations Microsoft provides, and they will have to deploy the security updates themselves once those are available.
Organizations that expose Exchange Server to the public internet face a higher risk of attack. Among them are government agencies and financial organizations, high-value targets that nation-state groups and financially motivated cybercriminals go after.
Update [October 6, 21:25 EST]: This update includes changes to how this article is presented and information that emerged after initially publishing.
Microsoft has since updated the URL Rewrite mitigation again to better handle URL-encoded requests. The article was amended to reflect this change.