The latest Exchange zero-day flaws, identified as CVE-2022-41040 and CVE-2022-41082, commonly known as ProxyNotShell, have updated countermeasures from Microsoft.
Researchers demonstrated that the initial suggestions may be readily overridden to allow new attacks that take use of the two flaws, therefore they were inadequate. Sadly, the existing suggestions are still insufficient, and the suggested mitigation still leaves room for ProxyNotShell assaults.
Security researchers discovered that the URL Rewrite rule’s URL to REQUEST_URI” condition still enables hackers to go around the countermeasures.
Pieter Hiele, discovered that the rule is ineffective since character encoding was not taken into consideration while determining the criteria for filtering strings in the URI.
Hiele’s bypass is effective, according to Will Dormann, also explained that REQUEST URI is worthless when characters are encoded.
According to security researcher Kevin Beamont, who gave the two flaws the moniker ProxyNotShell, it just takes one letter to go around Microsoft’s better defense.
Different methods of mitigating
Microsoft stated on Tuesday that it has updated its advisory with the enhanced URL Rewrite rule and advised Exchange Server users to examine it and use it.
The updated URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019 is automatically available to clients who have Exchange Emergency Mitigation Service (EEMS) enabled. The URL Rewrite rule enhancement is now included of the EOMTv2 script (version 22.10.03.1829). On computers with internet access, it is updated automatically, and any Exchange Server without EEMS turned on has to execute it once more.
The third choice is to manually remove the earlier rule and implement the enhanced one.
Microsoft advises blocking non-admin users’ access to remote PowerShell. The limitation can be applied to one or more people, and the procedure should not take more than five minutes.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control process, security audit support, business continuity design and support, workgroup management and information security standards.