Exchange OWASSRF Exploited for Remote Code Execution
According to a post by Rapid7, they have observed Exchange Server 2013, 2016 and 2019 being actively exploited through "a chaining of CVE-2022-41080 and CVE-2022-41082 to bypass URL rewrite mitigations that Microsoft provided for ProxyNotShell allowing for remote code execution (RCE) via privilege escalation via Outlook Web Access (OWA)."[1]
They recommend immediately applying the November 2022 security update (KB5019758) and investigating for potential system compromise.
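Since the observed activity goes through OWA, a first triage step when "investigating for potential system compromise" is to summarize who has been talking to the /owa/ endpoints in the IIS logs. The following is an added example, not code from the diary, Rapid7 or CrowdStrike: it parses the default IIS W3C extended log layout (column names taken from the `#Fields:` directive) and aggregates OWA requests per client IP. The log lines are constructed, and the POST-count threshold is an arbitrary triage knob, not a signature for this exploit chain; it only narrows the set of clients an analyst looks at first.

```python
"""Summarize OWA request activity per client IP from IIS W3C logs (triage aid).

Added example; constructed sample data. The heuristic (many POSTs to /owa/
from one client) is an assumption for triage, not a detection signature.
"""
from collections import defaultdict

# Constructed sample in the default IIS W3C extended format (spaces in the
# user agent are encoded as '+' the way IIS writes them).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-12-20 10:00:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2022-12-20 10:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 80
2022-12-20 10:00:05 10.0.0.5 GET /ecp/ - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 40
2022-12-20 10:00:10 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 python-requests/2.28 - 200 0 0 15
2022-12-20 10:00:11 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 - 302 0 0 20
2022-12-20 10:00:12 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 - 302 0 0 18
2022-12-20 10:00:13 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 - 302 0 0 21
2022-12-20 10:00:14 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 python-requests/2.28 - 302 0 0 19
"""


def parse_iis_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("log record seen before any #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed record; skip rather than misalign columns
        yield dict(zip(fields, parts))


def summarize_owa(text, post_threshold=3):
    """Return (per_ip_stats, flagged) for requests whose URI stem is under /owa/.

    per_ip_stats: c-ip -> {requests, posts, agents, statuses}
    flagged: the subset whose POST count reaches post_threshold (assumed knob)
    """
    stats = defaultdict(lambda: {"requests": 0, "posts": 0,
                                 "agents": set(), "statuses": set()})
    for rec in parse_iis_w3c(text):
        if not rec["cs-uri-stem"].lower().startswith("/owa/"):
            continue
        s = stats[rec["c-ip"]]
        s["requests"] += 1
        if rec["cs-method"].upper() == "POST":
            s["posts"] += 1
        s["agents"].add(rec["cs(User-Agent)"])
        s["statuses"].add(rec["sc-status"])
    flagged = {ip: s for ip, s in stats.items() if s["posts"] >= post_threshold}
    return dict(stats), flagged


if __name__ == "__main__":
    per_ip, suspicious = summarize_owa(SAMPLE_LOG)
    for ip, s in suspicious.items():
        print(f"{ip}: {s['requests']} OWA requests, {s['posts']} POSTs, "
              f"agents={sorted(s['agents'])}, statuses={sorted(s['statuses'])}")
```

Run it against real logs by reading the contents of the IIS log directory for the Default Web Site (the file path is deployment specific) and feeding the text to `summarize_owa`; the user-agent and status sets are kept in the output because they are usually the quickest way to tell a browser session from scripted access when reviewing the flagged clients by hand.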
[1] https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
[2] https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
[3] https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-8-2022-kb5019758-2b3b039b-68b9-4f35-9064-6b286f495b1d
-----------
Guy Bruneau IPSS Inc.
Twitter: GuyBruneau
gbruneau at isc dot sans dot edu