The discovery of the zero-day ProxyNotShell vulnerabilities puts Exchange servers back at high risk, pending a Microsoft fix. Stormshield Customer Security Lab provides an update on the threat.

Last update on 10/04/22.

The context of the ProxyNotShell vulnerabilities

During an incident response analysis, a SOC/CERT team discovered that an information system had been compromised through vulnerabilities in a Microsoft Exchange server. Unknown to Microsoft at the time and therefore unpatched, these are two critical zero-day vulnerabilities: an SSRF (Server-Side Request Forgery) and an RCE (Remote Code Execution), chained together.

More precisely, these vulnerabilities were reported to the ZDI (Zero Day Initiative) as ZDI-CAN-18333, with a score of 8.8, and ZDI-CAN-18802, with a score of 6.3. The CVEs have just been published as CVE-2022-41040 and CVE-2022-41082; the latter has a CVSS 3.1 score of 9.6.

These vulnerabilities are very close to ProxyShell, discovered in 2021 (CVE-2021-34473), so much so that one may wonder whether they are really new vulnerabilities. However, since the versions of Exchange patched against ProxyShell are still vulnerable to these new exploitation techniques, they are indeed new vulnerabilities. The name "ProxyNotShell" refers to these two vulnerabilities together.

Technical details of the ProxyNotShell vulnerabilities

The RCE vulnerability affects on-premises Microsoft Exchange Server 2013, 2016 and 2019 with Outlook Web Access enabled.

To exploit it, an attacker sends a specially crafted "autodiscover" SOAP request, in a format similar to the one used against ProxyShell:

POST /autodiscover/autodiscover.json?@toto.com/PowerShell/ [...] HTTP/1.1

Such a request leads to remote execution of PowerShell code, which can be used, for example, to drop a web shell on the server and take control of it remotely.

Since the Exchange process runs with high privileges, this is a very effective way to take full control of the server.

Versions impacted by the ProxyNotShell vulnerabilities

Microsoft Exchange versions 2013, 2016 and 2019 are affected.

Protection provided by Stormshield

Stormshield Network Security

An IPS signature has been published on SNS; it detects exploitation of the RCE vulnerability. SSL decryption must be configured beforehand for this signature to be effective, since it inspects the decoded URL.

  • http:url:decoded → Exploitation of Microsoft Exchange ProxyNotShell vulnerability (CVE-2022-41040, CVE-2022-41082)
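As an added defensive example (not code from the article or from Stormshield's products), the following Python scans constructed IIS W3C-style log lines for the request shape described above. Like the SNS signature, it matches on the URL-decoded URI, so that percent-encoded or double-encoded forms of "@" and "/" do not slip past the check; the field layout and the sample lines are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (sample data, not from the article).
# Field layout assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-09-30 10:15:01 198.51.100.7 POST /autodiscover/autodiscover.json @example.com/PowerShell/ 200
2022-09-30 10:15:02 198.51.100.7 POST /autodiscover/autodiscover.json %40example.com%2Fpowershell%2F 200
2022-09-30 10:16:10 203.0.113.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail%2fowa 200
2022-09-30 10:16:11 203.0.113.5 POST /autodiscover/autodiscover.json - 401
"""

# The request shape described in the article: the autodiscover.json endpoint
# with a query carrying an "@" followed by a /PowerShell/ path segment.
PROXYNOTSHELL_RE = re.compile(r"autodiscover\.json.*@.*/powershell", re.IGNORECASE)


def decode_uri(stem, query):
    """Rebuild the request URI and URL-decode it twice so that encoded
    ('%40') and double-encoded ('%2540') forms of '@' and '/' are normalised."""
    uri = stem if query in ("", "-") else f"{stem}?{query}"
    return unquote(unquote(uri))


def parse_line(line):
    """Split one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "client": client, "method": method,
            "stem": stem, "query": query, "status": status}


def find_proxynotshell_hits(log_text):
    """Return one record per request whose decoded URI matches the pattern."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_uri(rec["stem"], rec["query"])
        if PROXYNOTSHELL_RE.search(decoded):
            hits.append({"client": rec["client"], "method": rec["method"],
                         "decoded_uri": decoded, "status": rec["status"]})
    return hits


if __name__ == "__main__":
    for hit in find_proxynotshell_hits(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['decoded_uri']} -> {hit['status']}")
```

The second sample line shows why decoding matters: a raw string match on the logged query would miss the percent-encoded variant.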


Stormshield Endpoint Security Evolution

With the SES solution (7.2 and Evolution) installed on the Exchange server, malicious behaviour following exploitation of the vulnerability can be detected.

We have published a security policy consisting of two rule sets (for SES Evolution 2.3 and above) to detect the presence of the files (by hash) listed in this document and to block connections to C2 servers.

This security policy is available in the update server and is called "Stormshield - Windows server policy". It includes the following rule sets:

  • Stormshield - Blocklist ruleset for network communication to known malicious actors
  • Stormshield - Audits for known dangerous behaviour

Other recommendations

Microsoft has released a first tool (EOMTv2), which provides administrators with mitigation measures for the CVE-2022-41040 vulnerability. Note that the script must be run individually on each server.

IOCs and useful information

The following indicators of compromise have been integrated into our protection solutions (Breach Fighter, SNS & SES).

Our Threat Intelligence team has two key missions: to study cyber threats in order to understand them, and to continuously improve the protection offered by Stormshield products. The goal in each case is to contribute to the cybersecurity community's effort to address cyber threats.
About the author

Pierre-Olivier Kaplan, Stormshield Customer Security Lab Researcher

Pierre-Olivier wears many hats in the game world, alternating between game-designer and rogue. Passionate about history and computer security, he specialised in the latter after graduating from EPITA and joined the ranks of Stormshield. IRL, he eats anything with a hummus base, ideal to be in top shape and tackle the latest cyber threats.