It has emerged that the new ProxyNotShell exploit chains recently discovered vulnerabilities in Microsoft Exchange Server.
ProxyNotShell exploits two vulnerabilities:
- CVE-2022-41040 (CVSS: 8.8) is an elevation of privilege vulnerability in Microsoft Exchange Server. It allows an attacker to remotely exploit the second bug;
- CVE-2022-41082 (CVSS: 8.8) is a bug in Microsoft Exchange Server that allows an authenticated attacker to reach PowerShell on the underlying Exchange server, which can lead to a complete compromise.
Microsoft has yet to release a fix, but has advised customers to add a blocking rule as a mitigation. Inbound traffic to Exchange servers can also be blocked as a protective measure, but only where doing so does not disrupt vital operations.
Both vulnerabilities were discovered during an attack on the Vietnamese company GTSC at the end of September. Individually, the vulnerabilities are not particularly dangerous, but an exploit that chains them together can have catastrophic consequences.
At the same time, only low privileges are required to exploit the vulnerabilities, which lowers the bar for an attacker. The exploit gives an attacker the ability to:
- remotely read emails directly from the organization's server;
- compromise a company via remote code execution using CVE-2022-41040;
- inject malware into the Exchange server using CVE-2022-41082.
What's more, an attacker needs only one valid email address and password combination for a given Exchange server, which is an easy task because this attack bypasses MFA and FIDO authentication for Outlook Web Access logins.
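As an added example (not part of the original report, and not Microsoft's or GTSC's code), the following Python script shows how a defender can triage IIS logs from an Exchange front end for the request shape that Microsoft's blocking rule targets: URIs that reference both the Autodiscover endpoint and the PowerShell backend. The check is applied after URL decoding so that percent-encoding does not hide either keyword, and legitimate Autodiscover requests that merely contain an `@` in an email address are not flagged. The log lines are constructed (RFC 5737 addresses, `.test` hostnames), and the regular expression is an assumption modelled on the updated URL Rewrite rule in Microsoft's published customer guidance; check the current advisory for the exact text before relying on it.

```python
import re
from urllib.parse import unquote

# Constructed sample log in IIS W3C extended format. These are NOT real
# server logs: addresses are RFC 5737 documentation ranges, hosts are .test.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 08:12:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200
2022-09-30 08:13:02 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@example.test 443 - 192.0.2.11 Outlook/16.0 200
2022-09-30 08:12:44 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/powershell 443 - 198.51.100.7 python-requests/2.28 200
2022-09-30 08:13:59 10.0.0.5 POST /autodiscover/autodiscover.json @example.test/%50owershell 443 - 198.51.100.7 python-requests/2.28 401
"""

# Lookahead pattern: the request URI must mention both the Autodiscover
# endpoint and the PowerShell backend, in any order. Assumption: this mirrors
# the shape of the updated URL Rewrite rule in Microsoft's customer guidance
# (quoted from memory; verify against the advisory). Applied after URL
# decoding so percent-encoded variants are not missed.
PROXYNOTSHELL_URI = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def suspicious_requests(text):
    """Return (client_ip, status, decoded_uri) for every request matching the pattern."""
    hits = []
    for rec in parse_w3c(text):
        uri = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if query != "-":
            uri += "?" + query
        decoded = unquote(uri)
        if PROXYNOTSHELL_URI.search(decoded):
            hits.append((rec.get("c-ip"), rec.get("sc-status"), decoded))
    return hits


def successful_hits(text):
    """Subset with HTTP 200: attempts the server did not reject. These warrant
    follow-up in mailbox access, PowerShell and process-creation logs."""
    return [h for h in suspicious_requests(text) if h[1] == "200"]


if __name__ == "__main__":
    for ip, status, uri in suspicious_requests(SAMPLE_IIS_LOG):
        print(f"{status} {ip} {uri}")
```

Run it against a real log directory by reading each `*.log` file into `suspicious_requests`; the `#Fields` header is parsed per file, so logs with different column layouts work unchanged. Rejected attempts (non-200 statuses) still identify scanning sources worth blocking at the perimeter.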