According to the Shadowserver Foundation, a non-profit organization specializing in cybersecurity, approximately 60,000 IP addresses exposing Exchange server instances are still affected by the ProxyNotShell vulnerability, referenced CVE-2022-41082.
ProxyNotShell refers to a pair of Exchange Server-like vulnerabilities, first disclosed in September, that were chained together by malicious actors in a series of targeted attacks. One of the flaws, CVE-2022-41040, is a server-side request forgery flaw, and the other, CVE-2022-41082, is a remote code execution bug. The name ProxyNotShell is a reference to ProxyShell, a series of now-famous flaws disclosed in 2021.
Microsoft did not patch ProxyNotShell until its November Patch Tuesday. Until then, the company has urged customers to mitigate vulnerabilities by applying URL Rewrite instructions for the Autodiscover endpoint at the center of the exploit chain.
Cependant, CrowdStrike a published last month a blog post revealed that a new exploit chain, called “OWASSRF”, bypasses Microsoft’s mitigations. OWASSRF combines the ProxyNotShell CVE-2022-41082 bug with the CVE-2022-41080 elevation of privilege flaw. It was used in several attacks with Play ransomware these last weeks.
CrowdStrike is calling on organizations to apply the November Patch Tuesday patch. OWASSRF is considered particularly dangerous because it affects organizations that have applied mitigations believing the ProxyNotShell fix was unnecessary. Both CrowdStrike and Rapid7 observed an increase in Exchange server compromises for which OWASSRF was the suspected cause.
Shadowserver, a non-profit cybersecurity organization dedicated to data collection and analysis, has to analyse the IP addresses of Microsoft Exchange Server instances that may be vulnerable to CVE-2022-41082. On December 21, the day after CrowdStrike’s research was published, Shadowserver found 83,946 vulnerable IP addresses. As of January 2, that number has fallen to 60,865.
Piotr Kijewski, CEO of Shadowserver, told TechTarget’s editorial staff that the new exploit chain hasn’t reached a level of awareness comparable to other recent Exchange security issues.
“I personally think this issue is a bit less well-known and therefore patching is slower,” he said. “Previous posts on this issue initially focused on mitigation measures, which proved to be insufficient. The latest fixes made by [Microsoft] November 8 did not receive as much attention as they should have.”
Piotr Kijewski adds that due to the way Shadowserver’s Exchange scanner is configured, it’s unlikely that many of the vulnerable Exchange instances spotted are decoys, honeypotsset up by researchers.
“The Exchange scanner is built from three scans and four processing scripts that extract different vulnerabilities and information,” he said. ” The first [scan] is a HEAD request and the other two are GET requests on which we expect to have to follow redirects. So they would have to be real instances configured as honeypots for us to be able to collect information on them, which means that, by definition, we are likely to capture less.