2023.07 - ProxyNotShell
1. Overview
ProxyNotShell is a Remote Code Execution (RCE) vulnerability chain in MS Exchange Server made up of multiple CVEs; this report summarizes the results of our analysis for each CVE.
2. Attack Process
This section analyzes how the three CVEs corresponding to the ProxyNotShell vulnerability are used in conjunction with each other.
1) CVE-2022-41040
This vulnerability bypasses the patch for CVE-2021-34473, which allowed unauthenticated access to the backend of MS Exchange Server. By authenticating with any supported scheme such as Basic or NTLM, an attacker holding only low-privilege credentials can reach arbitrary backend services of the server. The attacker can then use those backend services directly or, in combination with other vulnerabilities, execute malware or other programs.
2) CVE-2022-41082
Once an authenticated user reaches the backend of an MS Exchange Server, the PowerShell and WSMAN protocols exposed by the backend services let an attacker run PowerShell with system privileges on the server and send serialized data remotely to execute malicious code. Because reaching these services requires authentication, this vulnerability is used in conjunction with CVE-2022-41040.
3) CVE-2022-41080
This vulnerability bypasses the patch for CVE-2022-41040 and is also known as OWASSRF.
The Outlook Web App (OWA) service checks the X-OWA-ExplicitLogonUser header value and, when the same value appears as a path segment in the URL, replaces that segment. Exploiting this, a request of the form /owa/<X-OWA-ExplicitLogonUser header value>/[Backend Service API] reaches arbitrary backend services on the server.
[ Attack Diagram of ProxyNotShell & OWASSRF Vulnerabilities ]
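The OWASSRF request form described in section 2.3), turned into WAF-style detection logic, as an added example that is not part of the original write-up or the AIWAF product: it parses a request line plus headers, checks whether the segment after /owa/ equals the X-OWA-ExplicitLogonUser header, and rates the remainder by whether it resolves to the PowerShell or WSMAN backend that the RCE step relies on. The sample requests, hostnames and mailbox names are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): (request line, headers).
SAMPLE_REQUESTS = [
    ("GET /owa/auth/logon.aspx HTTP/1.1", {"Host": "mail.example.test"}),
    ("POST /owa/mailbox@example.test/powershell HTTP/1.1",
     {"Host": "mail.example.test", "X-OWA-ExplicitLogonUser": "mailbox@example.test"}),
    ("GET /owa/mailbox@example.test/ HTTP/1.1",
     {"Host": "mail.example.test", "X-OWA-ExplicitLogonUser": "mailbox@example.test"}),
    ("GET /owa/other/powershell HTTP/1.1",
     {"Host": "mail.example.test", "X-OWA-ExplicitLogonUser": "mailbox@example.test"}),
]

# Backend services the write-up names as the RCE vector (PowerShell / WSMAN).
HIGH_RISK_BACKEND = re.compile(r"(^|/)(powershell|wsman)(/|$)", re.IGNORECASE)


def split_owa_path(path: str) -> Optional[Tuple[str, str]]:
    """Return (segment, remainder) for /owa/<segment>/<remainder>, else None."""
    path = unquote(path.split("?", 1)[0])  # decode so encoded segments still match
    m = re.match(r"^/owa/([^/]+)/(.*)$", path, re.IGNORECASE)
    if not m:
        return None
    return m.group(1), m.group(2)


def classify(request_line: str, headers: Dict[str, str]) -> str:
    """Return 'none', 'explicit-logon' (benign shape) or 'high' (backend reach)."""
    parts = request_line.split()
    if len(parts) < 2:
        return "none"
    parsed = split_owa_path(parts[1])
    if parsed is None:
        return "none"
    segment, rest = parsed
    lowered = {k.lower(): v for k, v in headers.items()}
    explicit = lowered.get("x-owa-explicitlogonuser")
    # OWA only substitutes the segment when the header carries the same value.
    if explicit is None or explicit.lower() != segment.lower():
        return "none"
    # After substitution the remainder is what reaches the backend.
    if HIGH_RISK_BACKEND.search(rest):
        return "high"
    return "explicit-logon"


def scan(requests: List[Tuple[str, Dict[str, str]]]) -> List[str]:
    """Classify every (request line, headers) pair in order."""
    return [classify(line, hdrs) for line, hdrs in requests]
```

A "high" result is the one worth blocking or alerting on; "explicit-logon" is the normal OWA explicit-logon shape and is returned only so the two can be told apart in logs.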
3. Response
1) CVE-2022-41040
Respond by updating MS Exchange Server 2013 and 2016 to Cumulative Update 24 or later, and 2019 to Cumulative Update 13 or later. If updating is difficult, we recommend blocking known attack URLs with regular expressions to prevent such attacks.
Our AIWAF product detects attack syntax utilizing this vulnerability with the patterns "MS Exchange Server RCE 5" and "MS Exchange Server RCE 6".
2) CVE-2022-41082
Respond by updating MS Exchange Server 2013 and 2016 to Cumulative Update 24 or later, and 2019 to Cumulative Update 13 or later. If updating is not possible, we recommend disabling remote PowerShell access.
Our AIWAF product detects attack syntax utilizing this vulnerability with the "MS Exchange Server RCE 5" and "MS Exchange Server RCE 6" patterns.
3) CVE-2022-41080
Respond by updating MS Exchange Server 2013 and 2016 to Cumulative Update 24 or later, and 2019 to Cumulative Update 13 or later. If you are unable to update, we recommend disabling remote PowerShell access.
Our TA team is aware of the vulnerability, has analyzed it, and is currently in the pattern generation and testing phase.
4. Conclusion
ProxyNotShell is a chained vulnerability in MS Exchange Server that drew wide attention after ransomware groups such as Play and Cuba were found exploiting it in attacks linked to internal information leakage and ransomware deployment; the service must be updated.
Our AIWAF product has developed a number of patterns to respond to the ProxyNotShell vulnerability, and we will continue to respond quickly to additional bypass methods and new vulnerabilities.
5. References
https://nvd.nist.gov/vuln/detail/CVE-2022-41040