Review recommended: Given Microsoft is a widely used platform, please review the following and address accordingly. With respect to the holidays, please do not defer reviewing these latest threats.
CrowdStrike recently observed a new exploit method, dubbed OWASSRF (Outlook Web Access Server-Side Request Forgery), which consists of a chaining of CVE-2022-41080 and CVE-2022-41082 (both CVE’s combined are also recognized as ProxyNotShell) on affected Microsoft Exchange servers to achieve remote code execution (RCE) through Outlook Web Access. This is actively being exploited by the Play ransomware group.
Why is this important? Exploitation of this vulnerability could allow attackers to execute malicious code.
On-prem versions of Microsoft Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Are there patches to fix OWASSRF? Yes. There are patches that fix both vulnerabilities. However, some customers chose to apply the Microsoft suggested workaround instead of patching. This exploitation bypasses the workaround.
If you applied the workaround instead of the patches, it is recommended that you immediately apply the November 2022 KB5019758 and investigate for potential system compromise.
- Organizations that run Microsoft Exchange on-premises or in a hybrid model should install the November patches provided by Microsoft to reduce the potential for successful exploitation.
- The URL rewrite mitigations that were originally provided by Microsoft will not protect you against this new exploit chain.
- Fully patched systems are reportedly not vulnerable.
- Exchange Online is reportedly not affected.
Arctic Wolf provides additional recommendations, including:
- Disable On-Premises Web Services for Microsoft 365 Deployments in a Hybrid Configuration
- Restrict Access to External-Facing Exchange Servers
- Disable Remote PowerShell Access for Non-Admins
Is OWASSRF being exploited? Yes. The Play ransomware group was recently observed using this new exploitation method. According to CrowdStrike:
- The discovery was part of recent CrowdStrike Services investigations into several Play ransomware intrusions where the common entry vector was confirmed to be Microsoft Exchange.
- After initial access via this new exploit method, the threat actor leveraged legitimate Plink and AnyDesk executables to maintain access, and performed anti-forensics techniques on the Microsoft Exchange server in an attempt to hide their activity.
Additional analysis and information on OWASSRF (CVE-2022-41080 and CVE-2022-41082)
- https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
- https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/
- https://arcticwolf.com/resources/blog/new-microsoft-exchange-exploit-chain-via-owassrf-leads-to-rce/
- https://www.helpnetsecurity.com/2022/12/21/cve-2022-41080/
- https://www.darkreading.com/application-security/ransomware-attackers-bypass-microsoft-mitigation-proxynotshell-exploit
- https://cert.europa.eu/static/SecurityAdvisories/2022/CERT-EU-SA2022-068.pdf