Exchange ProxyLogon v2 : CVE-2022-41082

Preface

Security researchers are warning of previously undisclosed flaws in fully patched Microsoft Exchange servers being exploited by malicious actors in real-world attacks to achieve remote code execution on affected systems.

The advisory comes from Vietnamese cybersecurity company GTSC, which discovered the shortcomings as part of its security monitoring and incident response efforts in August 2022.

The two vulnerabilities, which are formally yet to be assigned CVE identifiers, are being tracked by the Zero Day Initiative as ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3).

GTSC said that successful exploitation of the flaws could be abused to gain a foothold in the victim's systems, enabling adversaries to drop web shells and carry out lateral movements across the compromised network.

The workaround

1. Open the IIS Manager
2. Expand the Default Web Site
3. Select Autodiscover
4. In the Feature View, click URL Rewrite
5. In the Actions pane on the right-hand side, click Add Rules
6. Select Request Blocking and click OK
7. Add String ".*autodiscover\.json.*\@.*Powershell.*" (excluding quotes) and click OK
8. Expand the rule and select the rule with the Pattern ".*autodiscover\.json.*\@.*Powershell.*" and click Edit under Conditions
9. Change the condition input from {URL} to {REQUEST_URI}

The issue I found 

This is great but URL rewrite is not installed by default with Exchange, its an add-on to get this addin from here: https://www.iis.net/downloads/microsoft/url-rewrite

Once you have the download called "urlrerwite2.exe" this will run the Microsoft Web Platforms installer for you 

This is the workaround with images

WARNING : This will take IIS offline so ensure you have contingency for this, is you have database copies and DAG you will be fine.

This is what I did as below....run the install...

You will then be shown what will be installed...which is the URL rewrite

Accept the terms to install as shown here:

Then the install will run:

Once complete you will get the all good:

Now start the IIS manager (not the IIS manager 6 that is only SMTP and FTP) - once here expand the server, then sites then default website then Autodiscover - this is where the rule will be added.

Then on the right hand side under features and IIS choose "URL Rewrite" as shown below:

Double click "URL Rewrite" and then from the right hand side choose Add Rule

When you click this choose "Request Blocking" for the new rule:

Then fill it in like this:

Then once you have created the rule it will look like this:

Double click that rule as you need to amend a variable...this is what it looks like:

Then you need to edit the Condition, so select the condition and choose edit

The you need to change condition input from {URL} to {REQUEST_URI} as shown here.....

Once you have done this you have the workaround applied, the once the patch is out - get patching.