Exchange 0-day-Exploit 2022
CVE-2022-41040, CVE-2022-41082
Security Bulletin | High |
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker.
What Customers Should Do
To protect your on-prem Exchange you can bind a responder policy on the Citrix ADC contentswitch handling all the Exchange related traffic:
add responder policy rspol_exchange_zeroday_oct_22 "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/autodiscover\") && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re/.*autodiscover\\.json.*\\@.*Powershell.*/)" RESETUpdate 05.10.2022 (https://www.heise.de/news/Exchange-0-Day-Microsoft-korrigiert-Workaround-7284241.html):
add responder policy rspol_exchange_zeroday_oct_22 "HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH(\"/autodiscover\") && HTTP.REQ.URL.PATH_AND_QUERY.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re/.*autodiscover\\.json.*.*Powershell.*/)" RESETBind this responder to the Exchange contentswitch.
Customers whose internal traffic flows directly to the Exchange servers should also implement the suggested mitigations described here: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
At the moment Citrix has not released any official WAF signatures.
In case you need help please open a ticket in your AXACOM Support Portal.