Attacker Value: High (1 user assessed)
Exploitability: Low (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Adjacent_network

CVE-2022-21846

Disclosure Date: January 11, 2022

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Technical Analysis

Huh so this one is a bit of a doozy. On the one hand we have Microsoft Exchange Server, which, unless you have been living under a rock, has been exploited many times in the past, as evidenced here, here, and here. Basically Microsoft Exchange Server has a giant target on its back and attackers are all too happy to exploit it given any opportunity to do so.

What makes this bug interesting though is that unlike most of the other vulnerabilities which were exploitable remotely, this one not only requires authentication, but also requires local network access of some type. It’s also interesting to note that the Scope section of Microsoft’s advisory is marked as Changed, which they take as meaning “An exploited vulnerability can affect resources beyond the security scope managed by the security authority of the vulnerable component. In this case, the vulnerable component and the impacted component are different and managed by different security authorities.”

This raises a few questions as it seems to suggest that the initial component used to exploit the vulnerability exists in one security context separate from the Exchange Server security context, which when combined with the Adjacent factor, suggests a rather unusual way of exploiting this vulnerability via some local access, presumably through some component with a different security boundary, which then interacts with the Exchange Server.

Exploitation is however listed as easy and the bug does give you high level permissions on the Exchange Server, so I can see this as being useful for internal attacks once an attacker has gotten initial access into a network. As per usual, it is always advisable to assume that your network has been compromised when considering what to patch; I have personally seen that it’s often the little vulnerabilities that were ignored instead of being patched combined together that can lead to some of the most unexpected and dangerous impacts to companies.

Overall I’d say this is likely lower on your patch list than other RCE bugs, however given the impact and number of previous exploits for this target, I’d still recommend patching this as soon as possible, presumably once all your RCE bugs have been patched.

CVSS V3 Severity and Metrics

Base Score: 9.0 Critical
Impact Score: 6
Exploitability Score: 2.3
Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Adjacent_network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • microsoft

Products

  • exchange server 2013
  • exchange server 2016
  • exchange server 2019
