Tenable Research Update On ProxyNotShell (CVE-2022-41040, CVE-2022-41082)
Update 10/6: A new plugin has been released. Read below for more details.
As new information and research into the two zero-day vulnerabilities impacting Microsoft Exchange Servers has become available, the Tenable Research Team wants to keep our customers informed of the latest information. Our previous posts can be found here and here.
Dubbed “ProxyNotShell” by security researchers, the pair of CVEs includes a server-side request forgery (SSRF) vulnerability (CVE-2022-41040) and a remote code execution (RCE) vulnerability (CVE-2022-41082). The moniker is apt, as the attack leverages the same path used by ProxyShell from early 2021. However, exploiting the ProxyNotShell vulnerabilities requires authentication. Despite this requirement, in-the-wild exploitation of ProxyNotShell has been discovered according to multiple reports, including the original advisory from GTSC Cybersecurity Technology Company Limited, which observed attackers exploiting the flaws in early August.
On September 29, Microsoft published its first blog post, confirming that they were investigating the GTSC report of the then unconfirmed zero-days. The next day, Microsoft published another post with information to aid organizations in their incident response, with information on observed behavior from impacted hosts. In the days following its initial post, Microsoft has added, updated and corrected mitigation advice related to these flaws. Following Microsoft’s updates, researchers have taken to public platforms to call out errors with the mitigation advice that allow for the bypass of the proposed mitigations.
As Tenable Research continues to monitor the situation and explore our coverage and plugin options, we are conscious that releasing a plugin to check for these mitigations could provide a false sense of security and cause our customers unnecessary frustration as the mitigation suggestions have continued to be modified by Microsoft. As the guidance from Microsoft continues to evolve, we continue to monitor for further updates and await the release of patches for these vulnerabilities or further dependable and verified mitigation guidance to incorporate into additional plugins. We have released an initial plugin (Plugin ID 165629) for our customers and continue to research and monitor the evolving situation. Additionally, as soon as patches are released, we will develop and release additional plugins to identify unpatched hosts.
At this time, we recommend customers identify Microsoft Exchange Servers in their environments so they can develop a patching strategy in anticipation of official patches from Microsoft. To aid in this effort, we recommend using Plugin ID 108804 - Microsoft Exchange Server Detection (Uncredentialed) and Plugin ID 77910 - Microsoft Exchange Installed to identify the Exchange Servers in your environment.
Tenable has released a new plugin (Plugin ID 165705) which will report all currently supported versions of Microsoft Exchange with a High severity rating. This will aid our customers in identifying systems with Microsoft Exchange installed that are currently affected by the unpatched zero-day vulnerabilities. This plugin is available as of plugin feed Serial ID 202210060050.
For additional updates related to ProxyNotShell, please visit our Tenable blog post.
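The plugins above identify Exchange hosts and flag them by product version; they do not look at whether Microsoft's interim mitigations are present on the box. As an added example (this is not code from Tenable's post or its plugins), the following PowerShell script, run locally on an Exchange server, gathers both sides of that picture: the build that version-based checks key on, the URL Rewrite rules present on the Autodiscover application (which is where Microsoft's interim guidance has administrators add a rule, and where IIS persists such rules in web.config), and the mitigations recorded by the Exchange Emergency Mitigation Service. It assumes an elevated session on the server itself, that $env:ExchangeInstallPath is set (Exchange 2013 and later set it at install), and that Get-ExchangeServer is only available inside the Exchange Management Shell.

```powershell
# Added example, not code from Tenable's post or its plugins.
# Run locally on an Exchange server in an elevated PowerShell session.
# Assumptions: $env:ExchangeInstallPath is set (Exchange 2013 and later set it at install);
# Get-ExchangeServer is only available inside the Exchange Management Shell.

function Get-ExchangeBuild {
    # Version-based checks see this build. It changes only when a CU or SU is
    # installed, never when a URL Rewrite rule is added to IIS.
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    if (-not (Test-Path -LiteralPath $exsetup)) {
        throw "ExSetup.exe not found under '$env:ExchangeInstallPath'"
    }
    (Get-Item -LiteralPath $exsetup).VersionInfo.FileVersion
}

function Get-AutodiscoverRewriteRules {
    # Microsoft's interim guidance adds an IIS URL Rewrite rule on Default Web Site > Autodiscover.
    # IIS persists rules added there in the Autodiscover application's web.config,
    # under configuration/system.webServer/rewrite/rules.
    $webConfig = Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy\Autodiscover\web.config'
    if (-not (Test-Path -LiteralPath $webConfig)) { return @() }

    [xml]$cfg = Get-Content -LiteralPath $webConfig -Raw
    $rules = @($cfg.configuration.'system.webServer'.rewrite.rules.rule)
    foreach ($rule in $rules) {
        if ($null -eq $rule) { continue }
        [pscustomobject]@{
            Name       = $rule.GetAttribute('name')
            # A missing 'enabled' attribute means the rule is active.
            Enabled    = ($rule.GetAttribute('enabled') -ne 'false')
            MatchUrl   = $rule.match.url
            # Each <add input="..." pattern="..."> condition, e.g. {REQUEST_URI} vs. a regex.
            Conditions = (@($rule.conditions.add) | Where-Object { $_ } |
                          ForEach-Object { "$($_.input) matches $($_.pattern)" }) -join '; '
            Action     = $rule.action.type
        }
    }
}

function Get-EemsMitigations {
    # Exchange 2016 CU22+ / 2019 CU11+ record what the Emergency Mitigation Service applied.
    # Outside the Exchange Management Shell the cmdlet is absent, so report that instead of failing.
    if (-not (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
        return 'Get-ExchangeServer not available; run from the Exchange Management Shell'
    }
    Get-ExchangeServer -Identity $env:COMPUTERNAME | Select-Object Name, Mitigations*
}

# Report: build first (what a version-based check sees), then the mitigations it does not see.
"Server: $env:COMPUTERNAME"
"Exchange build (ExSetup.exe): $(Get-ExchangeBuild)"
''
'URL Rewrite rules on the Autodiscover application:'
$rewriteRules = @(Get-AutodiscoverRewriteRules)
if ($rewriteRules.Count -eq 0) {
    '  (none found: no URL Rewrite mitigation is present in this web.config)'
} else {
    $rewriteRules | Format-Table -AutoSize | Out-String
}
''
'Emergency Mitigation Service state:'
Get-EemsMitigations | Format-List | Out-String
```

The script reports what is present; it deliberately does not judge whether a rule's pattern or condition input is the right one, because Microsoft has revised that guidance more than once during this incident. Compare the listed MatchUrl and Conditions against the current MSRC post rather than against any earlier copy, and treat a rule being present as necessary but not sufficient. The Exchange Scripts folder also ships Get-Mitigations.ps1, which lists EEMS-applied mitigations from within the Exchange Management Shell.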
12 Replies
- alejandro_hern2 (Connect Contributor)
Is a specific scanning policy needed to detect this vulnerability (plugin 165629)?
- scaveza (Product Team)
No specific scan policy is required for this plugin; however, the plugin does require credentials for a credentialed scan of the Windows host.
- Anonymous
We don't have any on-prem Exchange servers, which is why we receive 'No data was found' when filtering for these two CVEs or for plugins 165629 or 77910. However, plugin 108804 results in a couple dozen servers identified. How should we interpret or respond to this discrepancy?
Synopsis - The remote host is running an Exchange Server.
Description - One or more Microsoft Exchange servers are listening on the remote host.
Plugin Output
- Path : (blank)
- Version : unknown
- Source : SMTP
- Address lists port ( 25 / TCP )
- scaveza (Product Team)
Could you please open up a ticket with our support team. They will be able to guide and gather the necessary information to troubleshoot further.
- Anonymous
Ok, thank you.
- infraeng (Connect Contributor)
Our Exchange servers utilise the Exchange Emergency Mitigation Service, so they have already had a fix as per the blog post mentioned here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
Having run Nessus scans over the weekend, it is reporting that our servers are still vulnerable to CVE-2022-41040, CVE-2022-41082.
Is this correct based on us having the fixes in place as per Microsoft's article?
- scaveza (Product Team)
Hi Dean,
I've confirmed with the plugins team that Plugin ID 165705 will flag Exchange servers based on the version information reported. The plugin does not check systems for the presence of Microsoft's suggested mitigations.
- ext_mcaracciolo (Connect Contributor)
Hi,
We are facing the same issue as Dean Rhoades.
We have implemented the following recommended mitigation, but the plugins still find our servers as vulnerable (https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/).
Does the plugin only identify the Exchange servers, or does it also test for the vulnerability?
How can I know if this is remediated?
Thanks!
- scaveza (Product Team)
Hi Martin,
I've confirmed with the plugins team that Plugin ID 165705 will flag Exchange servers based on the version information reported. The plugin does not check systems for the presence of Microsoft's suggested mitigations.
I'm also finding the same results that Martin Caracciolo and Dean Rhoades are experiencing. We have performed what Microsoft has informed on what to do, but it's still showing as discovered and vulnerable.
What is the check this plugin is looking at, so I can work through our mitigation and fix any vulnerabilities present?
Thanks!
- scaveza (Product Team)
Hi Luke,
I've confirmed with the plugins team that Plugin ID 165705 will flag Exchange servers based on the version information reported. The plugin does not check systems for the presence of Microsoft's suggested mitigations.
Hey Scott,
Thanks for the information.