Tenable Research Update On ProxyNotShell (CVE-2022-41040, CVE-2022-41082)

Update 10/6: A new plugin has been released. Read below for more details.

As new information and research into the two zero-day vulnerabilities impacting Microsoft Exchange Servers has become available, the Tenable Research Team wants to keep our customers informed of the latest information. Our previous posts can be found here and here.

Dubbed “ProxyNotShell” by security researchers, the pair of CVEs include a server-side request forgery (SSRF) vulnerability (CVE-2022-41040) and a remote code execution (RCE) vulnerability (CVE-2022-41082). The moniker is aptly named as this vulnerability leverages the same vulnerability path used by ProxyShell from early 2021. However, in order to exploit the ProxyNotShell vulnerabilities, authentication is required. Despite this requirement, in-the-wild exploitation of ProxyNotShell has been discovered according to multiple reports, including the original advisory from GTSC Cybersecurity Technology Company Limited, who observed attackers exploiting the flaws in early August.

On September 29, Microsoft published its first blog post, confirming that they were investigating the GTSC report of the then unconfirmed zero-days. The next day, Microsoft published another post with information to aid organizations in their incident response, with information on observed behavior from impacted hosts. In the days following its initial post, Microsoft has added, updated and corrected mitigation advice related to these flaws. Following Microsoft’s updates, researchers have taken to public platforms to call out errors with the mitigation advice that allow for the bypass of the proposed mitigations.

As Tenable Research continues to monitor the situation and explore our coverage and plugin options, we are conscious that releasing a plugin to check for these mitigations could provide a false sense of security and cause our customers unnecessary frustration as the mitigation suggestions have continued to be modified by Microsoft. As the guidance from Microsoft continues to evolve, we continue to monitor for further updates and await the release of patches for these vulnerabilities or further dependable and verified mitigation guidance to incorporate into additional plugins. We have released an initial plugin (Plugin ID 165629) for our customers and continue to research and monitor the evolving situation. Additionally, as soon as patches are released, we will develop and release additional plugins to identify unpatched hosts.

At this time, we recommend customers identify Microsoft Exchange Servers in their environments so they can develop a patching strategy in anticipation of official patches from Microsoft. To aid in this effort, we recommend using Plugin ID 108804 - Microsoft Exchange Server Detection (Uncredentialed) and Plugin ID 77910 - Microsoft Exchange Installed to identify the Exchange Servers in your environment.

Tenable has released a new plugin (Plugin ID 165705) which will report all currently supported versions of Microsoft Exchange with a High severity rating. This will aid our customers in identifying systems with Microsoft Exchange installed that are currently affected by the unpatched zero-day vulnerabilities. This plugin is available as of plugin feed Serial ID 202210060050.

For additional updates related to ProxyNotShell, please visit our Tenable blog post.