Microsoft has shared mitigations for two new Microsoft Exchange zero-day vulnerabilities, tracked as CVE-2022-41040 and CVE-2022-41082, but researchers warn that the mitigation for on-premises servers is far from sufficient.
Threat actors are already chaining these two zero-day bugs in active attacks to breach Microsoft Exchange servers and achieve remote code execution.
Both security flaws were privately reported through the Zero Day Initiative program about three weeks ago by Vietnamese cybersecurity firm GTSC, which shared the details publicly last week.
Mitigation too specific
Microsoft confirmed both issues on Friday and said it was “aware of limited targeted attacks” exploiting them.
As part of an advisory, Microsoft shared mitigations for on-premises servers and a strong recommendation for Exchange Server customers to “disable remote PowerShell access for non-administrator users” in the organization.
To reduce the risk of exploitation, Microsoft has suggested blocking known attack patterns via a rule in IIS Manager:
- Open the IIS manager.
- Select Default Web Site.
- In the **Feature View**, click on URL Rewrite.
- In the Actions pane on the right, click Add Rule(s)….
- Select **Request Blocking** and click OK.
- Add the string `.*autodiscover\.json.*\@.*Powershell.*` (excluding quotes), then click OK.
- Expand the rule and select the rule with the pattern `.*autodiscover\.json.*\@.*Powershell.*`, then click Edit under Conditions.
- Change the Condition input from URL to REQUEST_URI.
Admins can achieve the same result by running Microsoft’s updated Exchange On-Premises Mitigation Tool, a script that requires PowerShell 3 or later, must run with administrator privileges, and runs on IIS 7.5 or later.
Microsoft’s proposed rule only covers known attacks, however, so the URL pattern is limited to them.
Security researcher Jang showed in a tweet today that Microsoft’s workaround to prevent CVE-2022-41040 and CVE-2022-41082 from being exploited is not effective and can be circumvented with little effort.
Will Dormann, Vulnerability Analyst at CERT/CC, agreed with the discovery and said that the ‘@’ in Microsoft’s URL block “seems unnecessarily precise, and therefore insufficient”.
Jang’s discovery was tested by GTSC researchers, who confirmed in a video today that Microsoft’s mitigation does not provide sufficient protection.
Instead of the URL block proposed by Microsoft, Jang offered a less specific alternative, designed to cover a broader set of attacks:
A patch is yet to come
At the time of publication, Microsoft has not released an update to address the two issues, but it has published security advisories with information on the impact and exploitation requirements.
Microsoft describes CVE-2022-41040 as a high-risk vulnerability (severity score of 8.8/10) that an attacker can easily exploit to escalate their privileges on the affected machine without any user interaction.
The reason why this security issue does not have a higher severity score is that the threat actor needs to be authenticated.
CVE-2022-41082 has the same high severity score, but it can be used for remote code execution on vulnerable on-premises Microsoft Exchange servers by an attacker with “privileges that provide basic user capabilities” (settings and files belonging to the user).