
WARNING: Ransomware actors are actively exploiting a new exploit method dubbed OWASSRF. Patch immediately!

Reference:
Advisory #2022-50
Version:
1.0
Affected software:
On-premises Microsoft Exchange Server with OWA enabled
Type:
Attack chain: Escalation of Privileges, Remote Code Execution
CVE/CVSS: 

CVE-2022-41080
CVE-2022-41082

Sources

https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/

Risks

CrowdStrike discovered a new method dubbed OWASSRF that can bypass the recommended mitigations of Microsoft. Threat actors can leverage this new method to gain remote code execution (RCE) through Outlook Web Access (OWA).

These vulnerabilities are actively exploited by ransomware actors, in particular the Play ransomware group.

Microsoft Exchange is a commonly used mail server and calendar server developed by Microsoft. Outlook Web Access (OWA) is the webmail service used by Microsoft Exchange.

Your organization likely has an on-premises Microsoft Exchange server with OWA functionality enabled.

The Centre for Cybersecurity Belgium recommends that system administrators patch vulnerable systems as soon as possible and analyse system and network logs for any suspicious activity.

If your organization has already identified an intrusion or incident, please report it via: https://cert.be/en/report-incident.

Description

On December 20, 2022, CrowdStrike published details of a novel way of exploiting the previously disclosed vulnerabilities dubbed ProxyNotShell.

An authenticated remote attacker can use CVE-2022-41080 for privilege escalation and chain it with CVE-2022-41082 for remote code execution (RCE).

The above attack chain is dubbed OWASSRF and results in remote code execution (RCE) through an Outlook Web Access (OWA) endpoint.

Threat actors can bypass the mitigations that Microsoft released in October for ProxyNotShell (https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/).

To prevent ProxyNotShell exploitation on older Microsoft Exchange servers, Microsoft recommended a custom IIS URL rewrite rule for the Autodiscover endpoint: when the decoded request URI matches the rule's regular expression, the request is dropped.

Threat actors circumvent this regex rule by avoiding the Autodiscover endpoint and going through an OWA endpoint instead. Since the rule is bound to the Autodiscover path, it is not triggered and the request is processed.

The Patch Tuesday updates of November 2022 include patches for both vulnerabilities.

For more information: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d

TECHNICAL DETAILS

CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability

The attack complexity for this vulnerability is low and successful exploitation is more likely. It is unclear if CVE-2022-41080 was exploited as a zero-day before it was patched.

This vulnerability is now actively exploited.

CVE-2022-41082 - Microsoft Exchange Server Elevation of Privilege and Microsoft Exchange Server Remote Code Execution Vulnerability

This vulnerability was disclosed at the end of September 2022 and has been actively exploited since.

Recommended actions

Scope

  • Check if your organization runs an on-premises Microsoft Exchange server with OWA enabled.

Patch

  • Apply the Patch Tuesday November 8, 2022, patches for Exchange to prevent exploitation.
  • The URL rewrite mitigations for ProxyNotShell are not effective against this exploit method.

Microsoft:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41080
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082

Mitigate

  • Disable OWA if you run an unpatched, vulnerable Exchange server.

Monitor / Detect

  • Deploy advanced endpoint detection and response (EDR) tools to all endpoints to detect web services spawning PowerShell or command-line processes.
  • Ensure the X-Forwarded-For header is configured so that the true external IP address of a request to proxied services is logged.
  • CrowdStrike has published a script that checks IIS and PowerShell logs for signs of possible exploitation: https://github.com/CrowdStrike/OWASSRF
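As an added illustration of the two points above (the Autodiscover-bound rewrite rule from the Description, and the IIS log review recommended here), the following Python snippet is not CrowdStrike's script and is not part of the original advisory. It parses constructed IIS W3C log lines, applies the pattern of Microsoft's published rewrite rule (reproduced from memory, so the exact regex is an assumption), and flags requests that reference the PowerShell backend through another front-end path that the rule would never drop.

```python
import re
from urllib.parse import unquote

# Pattern of the IIS URL Rewrite rule Microsoft published for the Autodiscover
# endpoint (reproduced from memory; treat as an assumption): the request is
# dropped when the URL-decoded URI contains both "autodiscover" and "powershell".
AUTODISCOVER_RULE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Broader check for log review: any decoded URI that references the PowerShell
# backend, whatever front-end path (Autodiscover, OWA, ...) it came through.
POWERSHELL_BACKEND = re.compile(r"powershell", re.IGNORECASE)

# Constructed sample log (W3C format); the paths and IPs are placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-21 10:00:01 GET /owa/ - 203.0.113.10 200
2022-12-21 10:00:02 POST /autodiscover/autodiscover.json x=powershell 203.0.113.11 403
2022-12-21 10:00:03 POST /owa/example/powershell - 203.0.113.12 200
"""


def parse_iis_log(text):
    """Turn W3C IIS log text into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def decoded_uri(row):
    """Rebuild the URI as the rewrite rule sees it: stem plus query, URL-decoded."""
    query = row.get("cs-uri-query", "-")
    uri = row.get("cs-uri-stem", "") + ("" if query == "-" else "?" + query)
    return unquote(uri)


def classify(row):
    """Verdict per request: dropped by the Autodiscover rule, missed by it, or benign."""
    uri = decoded_uri(row)
    if AUTODISCOVER_RULE.search(uri):
        return "blocked_by_rule"
    if POWERSHELL_BACKEND.search(uri):
        return "powershell_via_other_path"
    return "benign"


def find_suspicious(log_text):
    """Return (client IP, decoded URI) for requests the Autodiscover rule would miss."""
    return [(r.get("c-ip"), decoded_uri(r)) for r in parse_iis_log(log_text)
            if classify(r) == "powershell_via_other_path"]
```

Run `find_suspicious(SAMPLE_LOG)` to see that only the request under /owa/ is reported; the Autodiscover request is caught by the rule and the plain OWA page load is benign.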

Harden

  • Disable remote PowerShell for non-administrative users where possible.
  • Consider application-level controls such as web application firewalls.
  • Consider MFA as an extra security control.

References

https://cert.be/en/two-zero-day-vulnerabilities-microsoft-exchange-server-dubbed-proxynotshell-pose-risk-remote-code
https://cert.be/en/warning-microsoft-patch-tuesday-november-2022-patches-62-vulnerabilities-9-critical-6-actively
https://github.com/CrowdStrike/OWASSRF