Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Adjacent_network
2

CVE-2022-41082

Disclosure Date: October 03, 2022
CVE-2022-41082 CVSS v3 Base Score: 8.0
Exploited in the Wild
Reported by gwillcox-r7 and 3 more...
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Common in enterpriseDifficult to patchGives privileged accessVulnerable in default configurationAuthenticated
Technical Analysis

CVE-2022-41082, also known as ProxyNotShell is an authenticated RCE in Microsoft Exchange. ProxyNotShell actually combines CVE-2022-41082 and CVE-2022-41040 for the whole attack chain. This CVE specifically however is the RCE component. The vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as CVE-2022-41040. The deserialization gadget was documented by ZDI in their blog. While this vulnerability affected Exchange Server 2013 and Exchange Server 2016, the gadget chain only worked with Exchange Server 2019 (version 15.2+). A new gadget chain could potentially be developed to exploit these older versions.

GTSC originally announced on September 28th that they had seen a new (at the time) 0-day attack against their customers using Microsoft Exchange. On November 8th, Microsoft released patches for the two vulnerabilities. Between September 28th and November, no public exploits combined the SSRF with the RCE. Private threat actors however were attempting to exploit the vulnerability which led Microsoft to issue Exchange Emergency Mitigation Service (EEMS) mitigations. These mitigations took the form of IIS rewrite rules which were able to be bypassed using encoding techniques. The last issued EEMS mitigation was able to be successfully bypassed by using IBM037v1 encoding, which can be demonstrated using the Metasploit module.

Successful code execution results in OS commands running as NT AUTHORITY\SYSTEM. The exploit is reliable to exploit and pretty quick (compared to ProxyShell which needed to gather a lot of information).

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
8.0 High
Impact Score:
5.9
Exploitability Score:
2.1
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Adjacent_network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Microsoft Exchange Server 2013 Cumulative Update 23 15.00.1497.044
Microsoft Exchange Server 2016 Cumulative Update 22 15.01.2375.037
Microsoft Exchange Server 2019 Cumulative Update 11 15.02.0986.036
Microsoft Exchange Server 2019 Cumulative Update 12 15.02.1118.020
Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.016
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • exchange server 2013,
  • exchange server 2016,
  • exchange server 2019

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis