Attacker Value
Very High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Adjacent_network
2

CVE-2022-41082

Disclosure Date: October 03, 2022
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

Microsoft Exchange Server Remote Code Execution Vulnerability

Add Assessment

1
Ratings
Technical Analysis

CVE-2022-41082, also known as ProxyNotShell is an authenticated RCE in Microsoft Exchange. ProxyNotShell actually combines CVE-2022-41082 and CVE-2022-41040 for the whole attack chain. This CVE specifically however is the RCE component. The vulnerability is a deserialization flaw in Microsoft Exchange’s PSRP backend. The PSRP backend can be accessed by an authenticated attacker leveraging the SSRF flaw identified as CVE-2022-41040. The deserialization gadget was documented by ZDI in their blog. While this vulnerability affected Exchange Server 2013 and Exchange Server 2016, the gadget chain only worked with Exchange Server 2019 (version 15.2+). A new gadget chain could potentially be developed to exploit these older versions.

GTSC originally announced on September 28th that they had seen a new (at the time) 0-day attack against their customers using Microsoft Exchange. On November 8th, Microsoft released patches for the two vulnerabilities. Between September 28th and November, no public exploits combined the SSRF with the RCE. Private threat actors however were attempting to exploit the vulnerability which led Microsoft to issue Exchange Emergency Mitigation Service (EEMS) mitigations. These mitigations took the form of IIS rewrite rules which were able to be bypassed using encoding techniques. The last issued EEMS mitigation was able to be successfully bypassed by using IBM037v1 encoding, which can be demonstrated using the Metasploit module.

Successful code execution results in OS commands running as NT AUTHORITY\SYSTEM. The exploit is reliable to exploit and pretty quick (compared to ProxyShell which needed to gather a lot of information).

CVSS V3 Severity and Metrics
Base Score:
8.0 High
Impact Score:
5.9
Exploitability Score:
2.1
Vector:
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Adjacent_network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • exchange server 2013,
  • exchange server 2016,
  • exchange server 2019

Exploited in the Wild

Reported by:
Technical Analysis