Two zero-day vulnerabilities (CVE-2022-41040 and CVE-2022-41082) were recently reported to Microsoft, affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

According to Microsoft's report, authenticated access to the vulnerable server is required for the exploitation to succeed.

At the time of writing, no security fix is available; Microsoft has therefore provided mitigation and detection guidance to help its Microsoft Exchange Online customers.

______________________________

A. Nature of the Vulnerability

CVE-2022-41040 

  • Successful exploitation could allow an authenticated attacker to remotely trigger CVE-2022-41082.

CVE-2022-41082

  • Successful exploitation could allow remote code execution (RCE) when PowerShell is accessible to the attacker.

______________________________

B. Affected Versions

Microsoft Exchange Server 2013, 2016 and 2019

______________________________

C. Actions to be Taken

CERT-PH recommends the following actions be taken:

  • CERT-PH encourages all on-premises Microsoft Exchange users/administrators to review the advisory and apply the mitigation plan while waiting for the official fix to be released.
    • Option 1: For customers who have the Exchange Emergency Mitigation Service (EEMS) enabled, Microsoft released the URL Rewrite mitigation for Exchange Server 2016 and Exchange Server 2019. The mitigation will be enabled automatically. 
    • Option 2: Microsoft developed a tool named Exchange On-premises Mitigation Tool v2 (EOMTv2). It mitigates the currently known attacks that use CVE-2022-41040 by applying a URL Rewrite configuration.
      1. Note: The script has to be executed individually for each server.
    • Option 3: Manually configure the URL Rewrite Mitigation by following the steps provided by Microsoft.
  • For added security, administrators are urged to disable remote PowerShell for standard users within their organization. You may follow the steps by clicking this link.
  • For additional information, kindly refer to the official reports:
    • https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
    • https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
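As an added example (not part of the CERT-PH advisory or Microsoft's own guidance), the following script applies the remote PowerShell hardening step above in bulk from an elevated Exchange Management Shell: it disables remote PowerShell for every mailbox user except a named list of administrators, then verifies the result. The administrator account in the keep list is a placeholder, and the `Get-User`/`Set-User` cmdlets are assumed to be the Exchange Management Shell ones.

```powershell
# Added example, not from the CERT-PH advisory or Microsoft's guidance:
# disable remote PowerShell for standard users, keeping it for named admins.
# Run from an elevated Exchange Management Shell on an on-premises server;
# assumes the Exchange Get-User / Set-User cmdlets are available.

param(
    # Accounts that must keep remote PowerShell (placeholder value; replace
    # with your organization's Exchange administrators).
    [string[]]$KeepEnabled = @('exchange-admin@example.local'),
    # Report what would change without changing anything.
    [switch]$DryRun
)

# Selects mailbox users outside the keep list that still have remote PowerShell enabled.
function Get-StandardUsersWithRemotePowerShell {
    param([string[]]$Keep)
    @(Get-User -ResultSize Unlimited -Filter { RecipientType -eq 'UserMailbox' } |
        Where-Object {
            $_.RemotePowerShellEnabled -and
            ($Keep -notcontains $_.UserPrincipalName)
        })
}

$targets = Get-StandardUsersWithRemotePowerShell -Keep $KeepEnabled
Write-Host ("{0} standard user(s) currently have remote PowerShell enabled." -f $targets.Count)

foreach ($user in $targets) {
    if ($DryRun) {
        Write-Host ("[dry-run] would disable remote PowerShell for {0}" -f $user.UserPrincipalName)
    } else {
        # The per-user change recommended in the advisory, applied to each target.
        Set-User -Identity $user.Identity -RemotePowerShellEnabled $false
        Write-Host ("disabled remote PowerShell for {0}" -f $user.UserPrincipalName)
    }
}

# Verification pass: anyone outside the keep list still enabled needs manual review.
if (-not $DryRun) {
    $remaining = Get-StandardUsersWithRemotePowerShell -Keep $KeepEnabled
    if ($remaining.Count -eq 0) {
        Write-Host 'Verification passed: no standard user retains remote PowerShell access.'
    } else {
        Write-Warning ("{0} standard user(s) still enabled; review them manually." -f $remaining.Count)
        $remaining | Select-Object UserPrincipalName, RemotePowerShellEnabled | Format-Table -AutoSize
    }
}
```

Run it once with `-DryRun` to review the affected accounts before making changes; the script has to be run against each Exchange organization, not each server, since the setting is stored on the user object.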