New Exploit Method for Bypassing ProxyNotShell Mitigations - 20221223002
Overview
NOTE: This advisory only pertains to users who have not applied the Microsoft Exchange update (KB5019758) from November 2022 or a later update.
A novel method for exploiting the "ProxyNotShell" remote code execution (RCE) vulnerability has recently been disclosed by CrowdStrike.
What is the vulnerability?
The new exploit method, dubbed Outlook Web Access Server-Side Request Forgery (OWASSRF), likely chains CVE-2022-41080 with CVE-2022-41082 to bypass the URL rewrite mitigation rules that Microsoft provided for ProxyNotShell prior to the November Patch Tuesday release that fixed it.
Instead of leveraging CVE-2022-41040 from the original ProxyNotShell CVE pairing, POST requests are made through the Outlook Web Access (OWA) endpoint, which is believed to leverage CVE-2022-41080.
CVE-2022-41080 - Microsoft Exchange Server Elevation of Privilege Vulnerability
CVE-2022-41082 - Microsoft Exchange Server Remote Code Execution Vulnerability
What is vulnerable?
The following on-prem versions of Exchange that have not applied the November 8, 2022 KB5019758 update are vulnerable:
- Microsoft Exchange Server 2013, 2016, 2019
What has been observed?
There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
CVE-2022-41080 has not yet been publicly detailed and is marked as "exploitation more likely" by Microsoft. CVE-2022-41080 has been referenced in other exploit chains to achieve RCE.
Reporting suggests this method is currently being exploited in the wild to deploy ransomware.
Recommendation
The Office of Digital Government (DGov) recommends organisations apply the latest Exchange patches to avoid exploitation.
- Review CrowdStrike's blog post here.
- Apply the latest Microsoft Exchange update.
- Ensure that, at minimum, the Exchange update (KB5019758) from November 2022 or a later update is applied.
- Disable remote PowerShell for non-administrative users where possible. Guidance can be found here: Exchange Server and Exchange Online.
- Review CrowdStrike's script to detect exploitation in IIS and Remote PowerShell logs.
- Ensure the X-Forwarded-For header is configured to log true external IP addresses for requests to proxied services. Guidance available here.
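As an illustration of the remote PowerShell recommendation above, the following is an added example (not from the DGov advisory, CrowdStrike or Microsoft's guidance) that switches off remote PowerShell for every mailbox user who is not a member of an Exchange admin role group. It assumes an on-prem Exchange Management Shell session with Organization Management rights; the role group names are the built-in defaults and are an assumption to adjust for your environment.

```powershell
# Added example: disable remote PowerShell for non-administrative mailbox users.
# Assumption: run from the Exchange Management Shell (on-prem) as an Organization
# Management member. Role group names are the built-in defaults; adjust as needed.
$adminRoleGroups = @('Organization Management', 'Server Management', 'Recipient Management')

# Collect the accounts that must keep remote PowerShell access (admin role group members).
$keep = @{}
foreach ($rg in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ResultSize Unlimited |
        ForEach-Object { $keep[$_.DistinguishedName] = $true }
}

# Only ordinary mailbox users are in scope; arbitration, health and other system
# accounts are deliberately left alone so Exchange itself keeps working.
$targets = Get-User -ResultSize Unlimited -Filter "RecipientType -eq 'UserMailbox'" |
    Where-Object { $_.RemotePowerShellEnabled -and -not $keep.ContainsKey($_.DistinguishedName) }

foreach ($u in $targets) {
    # -WhatIf makes this a dry run; remove it once the target list has been reviewed.
    Set-User -Identity $u.DistinguishedName -RemotePowerShellEnabled $false -WhatIf
}

Write-Host ("Remote PowerShell would be disabled for {0} user(s)." -f @($targets).Count)
```

Run it once with -WhatIf to review the list, then again without it; administrators who need remote PowerShell but sit outside the listed role groups should be added to $keep before the live run.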