Full Report
A new exploit method targeting CVE-2022-41080 and CVE-2022-41082 vulnerabilities in Exchange servers, which can bypass previous workarounds, has been discovered and exploited in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: OWASSRF Exploit Bypassing ProxyNotShell Mitigations Leading to Exchange RCE
## CVE Details
- CVE ID: CVE-2022-41080, CVE-2022-41082 (Combined exploitation)
- CVSS Score: Not explicitly provided for the combined OWASSRF exploit; CVE-2022-41080 is described as critical. (Severity: Critical, based on the implied RCE and privilege escalation)
- CWE: Not explicitly stated.
## Affected Systems
- Products: Microsoft Exchange Server
- Versions:
  - Microsoft Exchange Server 2013 (before KB5019758)
  - Microsoft Exchange Server 2016 (before KB5019758)
  - Microsoft Exchange Server 2019 (before KB5019758)
- Configurations: Systems running Outlook Web Access (OWA) that were potentially protected by URL rewrite mitigations against ProxyNotShell.
## Vulnerability Description
The OWASSRF exploit is a chain leveraging two previously disclosed Microsoft Exchange vulnerabilities: CVE-2022-41080 (Remote Privilege Escalation) and CVE-2022-41082 (Remote Code Execution). This new method was observed being actively used in the wild (by the Play ransomware group) to bypass URL rewrite mitigations that were deployed to block the original ProxyNotShell exploit (which targeted CVE-2022-41040 and CVE-2022-41082). The exploit enables Remote Code Execution (RCE) through Outlook Web Access (OWA).
## Exploitation
- Status: Exploited in the wild (by the Play ransomware group)
- Complexity: Likely Medium (combines two flaws; successful exploitation observed confirms feasibility)
- Attack Vector: Network (via OWA)
## Impact
- Confidentiality: High (Inferred, as RCE and ransomware deployment often lead to data exfiltration)
- Integrity: High (Ransomware deployment directly impacts system integrity)
- Availability: High (Ransomware deployment causes system downtime)
## Remediation
### Patches
- Apply Microsoft Exchange Server cumulative updates including **KB5019758** or later updates for Exchange Server 2013, 2016, and 2019.
### Workarounds
1. Disable Outlook Web Access (OWA) if immediate patching is not possible.
2. Disable remote PowerShell access for non-administrative users where possible.
3. Restrict external access to Internet-facing Exchange Servers.
## Detection
- **IOCs (Observed in the wild by Play ransomware group):**
  - **IP Addresses:** `45[.]76[.]141[.]84`, `45[.]76[.]143[.]143`, `179[.]60[.]149[.]28`
- **TTPs/Tools to search for:**
  - PowerShell processes spawned directly by IIS (`w3wp.exe`) (Execution).
  - Usage of `BITSadmin` (Persistence).
  - Usage of `Mimikatz` (Credential Access).
  - Usage of `AdFind` (Information Gathering).
  - Usage of `Connectwise Screen Connect` (Remote Access/Execution).
- **Detection Methods:** Implement monitoring rules to alert on the IOCs listed above, especially suspicious process lineage where PowerShell is initiated by the web server processes, and monitor for the execution of known post-exploitation tools.
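As an added illustration of the detection guidance above (example code written for this page, not part of the original report or any vendor tooling), the following Python checker runs the three rules from this section over constructed, Sysmon-like JSON events: PowerShell spawned by the IIS worker process, execution of the named post-exploitation tools, and connections to the listed IOC addresses. The IP addresses are the ones given in the report and are refanged for matching; the event field names, the web-server parent list and the tool binary-name patterns are assumptions.

```python
import json
import re

# Indicator IPs as listed in the report (defanged there); refang them once so
# they can be compared against raw log fields.
DEFANGED_IOC_IPS = ["45[.]76[.]141[.]84", "45[.]76[.]143[.]143", "179[.]60[.]149[.]28"]
IOC_IPS = {ip.replace("[.]", ".") for ip in DEFANGED_IOC_IPS}

# Assumption: the IIS worker process is the only web-server parent of interest.
WEB_SERVER_PARENTS = {"w3wp.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Tools named in the report; the binary-name patterns are assumptions and
# only catch un-renamed copies (see the note after the block).
TOOL_PATTERNS = {
    "BITSadmin": re.compile(r"\bbitsadmin(\.exe)?\b", re.I),
    "Mimikatz": re.compile(r"mimikatz", re.I),
    "AdFind": re.compile(r"\badfind(\.exe)?\b", re.I),
    "ConnectWise ScreenConnect": re.compile(r"screenconnect", re.I),
}


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(event):
    """Return a list of (rule, detail) alerts for one parsed event."""
    alerts = []
    kind = event.get("event")
    if kind == "process_create":
        parent = basename(event.get("parent_image", ""))
        image = basename(event.get("image", ""))
        cmdline = event.get("command_line", "")
        # Rule 1: process lineage - PowerShell launched by the web server.
        if parent in WEB_SERVER_PARENTS and image in POWERSHELL_IMAGES:
            alerts.append(("powershell-from-iis", f"{parent} -> {image}"))
        # Rule 2: known post-exploitation tooling by image or command line.
        for tool, pattern in TOOL_PATTERNS.items():
            if pattern.search(image) or pattern.search(cmdline):
                alerts.append(("post-exploitation-tool", tool))
    elif kind == "network_connect":
        # Rule 3: outbound connection to a listed IOC address.
        dest = event.get("dest_ip", "")
        if dest in IOC_IPS:
            alerts.append(("ioc-ip", dest))
    return alerts


def scan_log(text):
    """Scan newline-delimited JSON events; return (line_no, rule, detail)."""
    alerts = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        for rule, detail in check_event(event):
            alerts.append((line_no, rule, detail))
    return alerts


# Constructed sample events (assumed field names, Sysmon-like). Lines 1 and
# 3-7 should alert; lines 2 and 8 are benign controls.
SAMPLE_LOG = r"""
{"event": "process_create", "parent_image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -NoProfile"}
{"event": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe"}
{"event": "process_create", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Windows\\System32\\bitsadmin.exe", "command_line": "bitsadmin /transfer job"}
{"event": "process_create", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\mimikatz.exe", "command_line": "mimikatz.exe"}
{"event": "process_create", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\Public\\AdFind.exe", "command_line": "AdFind.exe"}
{"event": "process_create", "parent_image": "C:\\Windows\\System32\\services.exe", "image": "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe", "command_line": "ScreenConnect.ClientService.exe"}
{"event": "network_connect", "image": "C:\\Users\\Public\\mimikatz.exe", "dest_ip": "45.76.141.84", "dest_port": 443}
{"event": "network_connect", "image": "C:\\Windows\\System32\\svchost.exe", "dest_ip": "10.0.0.5", "dest_port": 445}
"""

if __name__ == "__main__":
    for line_no, rule, detail in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {detail}")
```

The lineage rule and the IP indicators carry most of the weight: the tool-name patterns only catch un-renamed binaries, so treat them as a supplement to, not a replacement for, alerting on `w3wp.exe` spawning PowerShell.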
## References
- Vendor advisories:
  - hxxps://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
  - hxxps://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- Relevant links:
  - hxxps://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce
  - hxxps://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
  - hxxps://trendmicro.com/en-us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html