Intro
In honor of October Cybersecurity month our Greater Security team would like to give you some insides. Cybersecurity comes in many different forms and today we would like to talk about vulnerabilities. One of many challenges security professionals face is how to keep yourself up to date in all that happens in the world of cybersecurity. New found vulnerabilities are one of those items that you need to stay on top of as a professional.
First let’s start with a definition: “A vulnerability is a weakness in a system that allows a threat source to compromise its security”. (ICS2 – CISSP)
Microsoft Exchange Server – CVE-2022-41040 and CVE-2022-41082
Now we have a definition we can walk you through a recently found vulnerability, a weakness found in the Microsoft Exchange Server. Microsoft recently disclosed CVE-2022-41082 and CVE-2022-41040 related to Zero-day Vulnerabilities in Microsoft Exchange Server. The attack was found by security company GTSC and was first observed in early August when the attackers tried to use web-based backdoors to get easy access to the internet from any browser. Microsoft said it is working on the release of patches to fix the flaws permanently. In the meantime, Microsoft has recommended to mitigate the flaws. Let’s take a look at both these CVE’s, see what they are about and how to mitigate properly.
CVE-2022-41040
This CVE is a 0-day Server-Side Request Forgery vulnerability in Microsoft Exchange Servers. This exploitation can also allow an attacker to trigger CVE-2022-41082 remotely. The flaw has got the CVSS score 8.8 out of 10 (High).
So what is Server-Side Request Forgery?
Server-Side Request Forgery also known as SSRF is a security vulnerability that allows an attacker to induce the server-side application to make requests to an unintended location. The attacker might cause the server to make a connection to an internal service or they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data.
CVE-2022-41082
This CVE is a Remote Code Execution(RCE) that can be exploited by an authenticated attacker remotely. It looks like ProxyShell, which was discovered last year. The CVSS score for this vulnerability is an 8.8 out of 10 (High).
So what is Remote Code Execution?
Remote Code Execution (RCE) is basically what it says, it is code being executed remotely. An attacker places malware or other malicious code on a computer or network and there is no user input needed and no physical access is needed. RCE attacks come in many different forms, but it is mostly used to dig deeper into an environment.
Back to the attack, here you see a visual overview of the attack:
Mitigation
As mentioned before Microsoft is currently working on a permanent fix, so at this time there is no patch available. There are some mitigation options and detection rules available so you can mitigate but also monitor and detect malicious activity in your network. Check out the sources in the next chapter for the latest information on the matter or if you want more of a deepdive.
Sources
- https://www.ncsc.nl/actueel/advisory?id=NCSC-2022-0610
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
- https://owasp.org/www-community/attacks/Server_Side_Request_Forgery
- https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
- https://infosecwriteups.com/cve-2022-41040-proxynotshell-f0b8fb53ec8b
Other News
Vulnerability found in FortiProxy, FortiProxy en FortiSwitchManager
Fortinet has mitigated a vulnerability in Fortigate FortiProxy, FortiProxy en FortiSwitchManager (CVE-2022-40684). https://www.fortiguard.com/psirt/FG-IR-22-377
Apache Commons Text Remote Code Execution
A vulnerability found in Apache Commons Text (CVE-2022-42889). https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om
Windows CryptoAPI Spoofing Vulnerability
The UK National Cyber Security Center (NCSC) and the National Security Agency (NSA) have found a Windows CryptoAPI spoofing vulnerability. (CVE-2022-34689). https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-34689
News tips
So we took a closer look at the latest Microsoft Exchange vulnerability and we gave you some pointers where to look for more information. After that we shortly addressed some other news. This section is nowhere near complete, but it shows that the amount of vulnerabilities found is very high. So how does our Security team stay up to date? Here are in random order 10 of our favorite news- or tool-sites for you to check out!
- https://www.feedly.com
- https://www.bleepingcomputer.com/
- https://www.cybercrimeinfo.nl/
- https://cyware.com/cyber-security-news-articles
- https://nvd.nist.gov/
- https://vulmon.com/
- https://advisories.ncsc.nl/advisories
- https://www.emerce.nl/channel/security
- https://socprime.com/
- https://www.exploit-db.com/
Please join our discussion on our social media pages to talk more about #vulnerabilities, #security #tips and more!
My job at Greater is twofold:
Practicing Security Consultant & Managing Security Consultant. Currently creating a Security Consultant team at Greater. Driven by a strong sense of justice – not a coincidence I’m in Security. Passionate about creating a safer and more secure IT environment for organisations. My broad range of experience in the information security field, with expertise in SOC/SIEM, helps me to learn and grow my knowledge base.
