Description
A critical vulnerability has been identified in the XML parser component of Microsoft Exchange Server that could lead to elevation of privilege.
Affected Product(s)
- Microsoft Exchange Server 2013 Cumulative Update 23
- Microsoft Exchange Server 2016 Cumulative Update 22
- Microsoft Exchange Server 2016 Cumulative Update 23
- Microsoft Exchange Server 2019 Cumulative Update 11
- Microsoft Exchange Server 2019 Cumulative Update 12
Technical Details
The Microsoft Exchange Server vulnerability, assigned CVE-2022-41080, has a CVSSv3 score of 8.8, which classifies it as high severity. It also carries a CVSSv2 score of 10.0, indicating its critical nature. This elevation of privilege vulnerability stems from improper privilege management (CWE-269).
Microsoft Exchange Server is a widely used email and calendaring server that runs on Windows Server operating systems. This vulnerability affects multiple Exchange Server versions, listed under Affected Product(s) above, and has significant potential for exploitation.
Threat actors can exploit this vulnerability by chaining security flaws such as OWASSRF (Open Web Application Security Project’s Server-Side Request Forgery) and TabShell, an authenticated SSRF vulnerability. The exploitation chain begins with OWASSRF, which abuses the `OwaEcpProxyRequestHandler.GetClientUrlForProxy` function. This function can be tricked into removing portions of a URL path, allowing attackers to bypass the initial security layers. OWASSRF abuses an authenticated SSRF on the `/owa` endpoint: the attacker manipulates the `X-OWA-ExplicitLogonUser` header to construct a backend URL that the system treats as authorized, by supplying an email address that begins with `owa/`. When the manipulated URL reaches the backend server, the request is forwarded, bypassing standard authentication and giving attackers unauthorized access.
The second part of the exploit chain involves the TabShell bug. Exchange Server allows authenticated users to create a restricted PowerShell session with minimal permissions. However, exploitation proceeds through a hidden PowerShell feature known as `TabExpansion`. By enabling this feature, attackers can invoke the `Get-Command` cmdlet with arbitrary parameters inside the restricted session. `Get-Command` in turn uses the `Import-Module` cmdlet to load arbitrary modules, including managed DLLs, thereby bypassing the session's restrictions and running any desired PowerShell script. For example, using payloads like:
`Invoke-Command -Session $Session -ScriptBlock { TabExpansion -line ";../../../../Windows/Microsoft.NET/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/v4.0_3.0.0.0__31bf3856ad364e35/Microsoft.PowerShell.Commands.Utility.dll\\Invoke-Expression" -lastWord "-test" }`,
attackers can load Microsoft-related DLLs and execute cmdlets such as `Invoke-Expression`. This leads to the full compromise of system privileges, allowing the execution of arbitrary commands.
The interconnected vulnerabilities, OWASSRF and TabShell, pose a severe threat as they can lead to a complete system compromise. If exploited, attackers can gain unauthorized access to the backend server through SSRF, and subsequently leverage PowerShell remoting features to escape restricted environments, thus elevating their privileges.
The best practices for securing vulnerable Exchange Server instances include applying the necessary security updates promptly, monitoring for unusual activities, and restricting the use of PowerShell remoting features to trusted sources. It’s worth noting that Microsoft has released patches for these vulnerabilities, and administrators are urged to update their systems accordingly.
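As an added defender-side example (not part of the original advisory), the following Python flags the two request shapes described above over constructed sample data: OWA requests whose explicit-logon value begins with `owa/`, and PowerShell script blocks that hand `TabExpansion` a DLL path. The extra IIS log field carrying the header and the ScriptBlockLogging source are assumptions; IIS does not record that header unless configured to.

```python
import re
from urllib.parse import unquote
# Constructed IIS W3C-style records (not real logs). Fields: date time s-ip method
# cs-uri-stem cs-uri-query s-port c-ip sc-status x-owa-explicitlogonuser; the last
# field is ASSUMED to be a custom field carrying the X-OWA-ExplicitLogonUser header.
SAMPLE_IIS_LOG = """\
2022-12-01 10:00:01 10.0.0.5 GET /owa/ - 443 203.0.113.7 200 -
2022-12-01 10:00:02 10.0.0.5 GET /owa/alice@corp.example/ - 443 203.0.113.7 200 alice@corp.example
2022-12-01 10:00:03 10.0.0.5 POST /owa/owa%2Fmailbox@corp.example/ - 443 198.51.100.9 200 owa/mailbox@corp.example
2022-12-01 10:00:04 10.0.0.5 GET /owa/OWA%2Fmailbox@corp.example/ - 443 198.51.100.9 200 -
"""

def owassrf_suspects(log_text: str) -> list:
    """Flag requests whose explicit-logon value begins with 'owa/' after URL
    decoding. The header field is checked first; if it was not logged, the path
    segment after /owa/ (from which OWA derives the explicit-logon mailbox) is used."""
    hits = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 10 or f[0].startswith("#"):
            continue  # skip W3C directive lines and malformed records
        m = re.match(r"/owa/([^/]+)", f[4], re.IGNORECASE)
        segment = unquote(m.group(1)) if m else ""
        for value in (unquote(f[9]), segment):
            if value.lower().startswith("owa/"):
                hits.append({"client": f[7], "uri": f[4], "value": value})
                break
    return hits

# Constructed PowerShell script-block text (e.g. ScriptBlockLogging, event ID 4104):
# an ordinary cmdlet, a normal completion call, and the TabShell shape.
SAMPLE_SCRIPTBLOCKS = [
    'Invoke-Command -Session $s -ScriptBlock { Get-Mailbox -Identity alice }',
    'Invoke-Command -Session $s -ScriptBlock { TabExpansion -line "Get-Mail" -lastWord "Get-Mail" }',
    'Invoke-Command -Session $s -ScriptBlock { TabExpansion -line ";../../Windows/'
    'Microsoft.NET/assembly/GAC_MSIL/Example.dll\\Invoke-Expression" -lastWord "-test" }',
]
TABEXPANSION_LINE = re.compile(r'TabExpansion\s+-line\s+"([^"]*)"', re.IGNORECASE)

def tabshell_suspects(blocks) -> list:
    """Return the -line buffers of TabExpansion calls that name a .dll via a path;
    in a restricted Exchange remoting session that is an anomaly worth reviewing."""
    hits = []
    for block in blocks:
        for m in TABEXPANSION_LINE.finditer(block):
            buf = m.group(1)
            if ".dll" in buf.lower() and ("/" in buf or "\\" in buf):
                hits.append(buf)
    return hits
```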
References and further technical details can be found in the articles and advisories listed under References at the end of this document.
Weakness
The main weakness associated with this vulnerability is improper privilege management (CWE-269). This involves the failure of the application to correctly enforce security boundaries and restrict privileged operations. The incorrect handling of access permissions allows attackers to escalate their privileges, paving the way for unauthorized actions on the targeted server.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. The ability to escalate privileges can lead to a complete system takeover, allowing attackers to manipulate system configurations, exfiltrate confidential information, and deploy further attacks within the network.
Active Exploitation
We have observed activity from the adversary group Wizard Spider, which is known for targeting similar vulnerabilities in the past. The group has been linked to multiple high-profile cyber attacks and exhibits sophisticated tactics in exploiting vulnerabilities for financial gain or strategic objectives.
Threat Actors: Wizard Spider
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically the Cuba and Play ransomware, which exploit this vulnerability to gain initial access to the system. By leveraging elevation of privilege, these ransomware variants can deploy their payloads across the compromised network, encrypting data and demanding ransom payments.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to version X.Y.Z immediately. The patch can be obtained through Microsoft’s official update channels. It is essential to apply these updates as soon as possible to safeguard your systems against potential exploitation.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Check the patch and update versions to ensure that cumulative updates CU23 for Microsoft Exchange Server 2013 and CU22 for Microsoft Exchange Server 2016 have been applied.
- Monitor for any unusual or suspicious activities in server logs.
- Restrict the use of PowerShell remoting features to authorized personnel only.
- Implement network segmentation and access controls to limit the exposure of critical infrastructure.
- Regularly review and audit privileged accounts to prevent unauthorized access.
- Educate your IT staff and end-users about the dangers of phishing and social engineering attacks.
- Set up intrusion detection systems to identify and respond to potential threats promptly.
References
- MSRC Vulnerability Guide
- MITRE CVE Repository
- NVD Detail
- CrowdStrike Exploit Analysis and Recommendations
- GitHub PowerShell
- SeeBug Research
- iHonker Research
- Blog: Researchers Suspect Neglected Exchange Server Zero-Day Likely