New Exploit Bypasses the URL Rewrite Mitigations in Exchange Servers

by Jeyakumar Durai (JD)
Cloud Architect

Exchange administrators are aware of the Zero-day vulnerabilities CVE-2022-41040, Server-Side Request Forgery (SSRF) and CVE-2022-41082, Remote Code Execution (RCE)  that were reported on September 29, 2022. Responding to these vulnerabilities, Microsoft initially released couple of immediate mitigations (URL Rewrite rule and Disable remote PowerShell access for non-admins) to be performed on the Exchange servers. Later, Microsoft released the security update KB5019758 on November 8, 2022, as a permanent fix for the zero-day vulnerabilities and declared the mitigations “URL rewrite rule” and “Disable remote PowerShell access for non-admins” as no longer recommended.

Recently, CrowdStrike – a leading Cybersecurity team has discovered a new exploit method called OWASSRF consisting of CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE) to the Exchange servers through Outlook Web Access (OWA) which bypasses the URL rewrite mitigations for the Autodiscover endpoint.

What are the recommendations against the new exploit identified?

  • If you haven’t installed the security update KB5019758 yet, install it immediately on all the Exchange servers in the environment.
  • If you have migrated all your active mailboxes to Office365,
    • Update your Exchange server configurations of OWA, ECP and Autodiscover to point to cloud-hosted versions instead of on-premises instances.
    • Restrict access to the Exchange server IIS directories such as OWA, ECP, EWS, PowerShell, Autodiscover etc. from the external.
  • If you are in the process of migrating mailboxes to Office365, restrict access to the applicable Exchange server IIS directories such as OWA, ECP, PowerShell etc from the external.
  • Disable the Remote PowerShell access to the Exchange servers for all users, if possible, including the administrators.

Helient strongly recommends taking the necessary steps to secure the Exchange servers from the active exploit which bypasses the mitigations that are no longer valid. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com.