gsd-2022-41082
Vulnerability from gsd
Modified
2023-12-13 01:19
Details
Microsoft Exchange Server Remote Code Execution Vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-41082",
"id": "GSD-2022-41082"
},
"gsd": {
"affected": [
{
"package": {
"ecosystem": "Microsoft",
"name": "Exchange Server 2019"
},
"ranges": [
{
"events": [
{
"introduced": "Cumulative Update 11"
}
],
"type": "SEMVER"
}
],
"versions": [
"Microsoft Exchange Server 2019 Cumulative Update 11",
"Microsoft Exchange Server 2019 Cumulative Update 12"
]
},
{
"package": {
"ecosystem": "Microsoft",
"name": "Exchange Server 2016"
},
"ranges": [
{
"events": [
{
"introduced": "Cumulative Update 22"
}
],
"type": "SEMVER"
}
],
"versions": [
"Microsoft Exchange Server 2016 Cumulative Update 22",
"Microsoft Exchange Server 2016 Cumulative Update 23"
]
},
{
"package": {
"ecosystem": "Microsoft",
"name": "Exchange Server 2013"
},
"ranges": [
{
"events": [
{
"introduced": "Cumulative Update 23"
}
],
"type": "SEMVER"
}
],
"versions": [
"Microsoft Exchange Server 2013 Cumulative Update 23"
]
}
],
"description": "It was originally reported that an undisclosed flaw in Microsoft Exchange Server version 2019 and possibly earlier allowed for remote code execution. Confirmation was not available at the time of the release of the original GSD identifiers (GSD-2022-1006324 and GSD-2022-1006325) however, since then, Microsoft has confirmed that these two issues can be combined to gain remote code execution (an SSRF and a Remote Code Execution via Powershell). Microsoft has assigned CVE ID\u0027s for these two issues, as such the original GSD Identifiers have been withdrawn, and the corresponding GSD ID\u0027s for the CVE ID\u0027s have been populated with data (the file you are currently reading). \n\n This issue was originally reported and also reportedly confirmed as ZDI-CAN-18333 (CVSS score of 8.8) and ZDI-CAN-18802 (CVSS score of 6.3). \n\n Microsoft now reports the following: \n\n # Summary \n\n Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. \n\n At this time, Microsoft is aware of limited targeted attacks using the two vulnerabilities to get into users\u2019 systems. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either of the two vulnerabilities. \n\n We are working on an accelerated timeline to release a fix. Until then, we\u2019re providing the mitigations and detection guidance below to help customers protect themselves from these attacks. \n\n Microsoft Exchange Online has detections and mitigation in place to protect customers. Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers. \n\n We will continue to provide updates here to help keep customers informed. \n\n # Mitigations \n\n Mitigation information is available at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ \n\n # Detections \n\n Detection information is available at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ \n\n # Updates \n\n September 30, 2022 updates: \n\n Microsoft created a script for the URL Rewrite mitigation steps and modified step 6 in the Mitigations section. \n Antimalware Scan Interface (AMSI) guidance, and auditing AV exclusions to optimize detection, and blocking of the Exchange vulnerability exploitation. \n Microsoft Sentinel hunting queries \n",
"id": "GSD-2022-41082",
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"modified": "2022-09-30T16:52:13.370068648Z",
"osvSchema": {
"aliases": [
"CVE-2022-41082"
],
"details": "Microsoft Exchange Server Remote Code Execution Vulnerability.",
"id": "GSD-2022-41082",
"modified": "2023-12-13T01:19:33.112301Z",
"schema_version": "1.4.0"
},
"references": [
{
"type": "ADVISORY",
"url": "https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html"
},
{
"type": "ADVISORY",
"url": "https://twitter.com/GossiTheDog/status/1575580072961982464"
},
{
"type": "ADVISORY",
"url": "https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9"
},
{
"type": "ADVISORY",
"url": "https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/"
},
{
"type": "ADVISORY",
"url": "https://twitter.com/blackorbird/status/1575521156966535168"
},
{
"type": "ADVISORY",
"url": "https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/microsoft-releases-guidance-zero-day-vulnerabilities-microsoft"
},
{
"type": "ADVISORY",
"url": "https://www.rapid7.com/blog/post/2022/09/29/suspected-post-authentication-zero-day-vulnerabilities-in-microsoft-exchange-server/"
},
{
"type": "WEB",
"url": "https://twitter.com/GossiTheDog/status/1575762721353916417"
},
{
"type": "WEB",
"url": "https://github.com/VNCERT-CC/0dayex-checker"
},
{
"type": "WEB",
"url": "https://www.reddit.com/r/netsec/comments/xs5xsz/vncertcc_has_just_developed_a_tool_to_check/"
},
{
"type": "WEB",
"url": "https://krebsonsecurity.com/2022/09/microsoft-two-new-0-day-flaws-in-exchange-server/"
}
],
"related": [
"GSD-2022-41040"
],
"schema_version": "1.3.1",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Microsoft Exchange Remote Code Execution via PowerShell in 2019 and earlier"
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secure@microsoft.com",
"ID": "CVE-2022-41082",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Microsoft Exchange Server 2013 Cumulative Update 23",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.00.0",
"version_value": "15.00.1497.044"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2016 Cumulative Update 22",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.0.0",
"version_value": "15.01.2375.037"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2019 Cumulative Update 11",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.02.0",
"version_value": "15.02.0986.036"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2019 Cumulative Update 12",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.02.0",
"version_value": "15.02.1118.020"
}
]
}
},
{
"product_name": "Microsoft Exchange Server 2016 Cumulative Update 23",
"version": {
"version_data": [
{
"version_affected": "\u003c",
"version_name": "15.01.0",
"version_value": "15.01.2507.016"
}
]
}
}
]
},
"vendor_name": "Microsoft"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Microsoft Exchange Server Remote Code Execution Vulnerability"
}
]
},
"impact": {
"cvss": [
{
"baseScore": 8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Remote Code Execution"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41082",
"refsource": "MISC",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41082"
},
{
"name": "https://www.kb.cert.org/vuls/id/915563",
"refsource": "MISC",
"url": "https://www.kb.cert.org/vuls/id/915563"
},
{
"name": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html",
"refsource": "MISC",
"url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
},
{
"name": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/",
"refsource": "MISC",
"url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
}
]
}
},
"nvd.nist.gov": {
"cve": {
"cisaActionDue": "2022-10-21",
"cisaExploitAdd": "2022-09-30",
"cisaRequiredAction": "Apply updates per vendor instructions.",
"cisaVulnerabilityName": "Microsoft Exchange Server Remote Code Execution Vulnerability",
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*",
"matchCriteriaId": "DA166F2A-D83B-4D50-AD0B-668D813E0585",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_22:*:*:*:*:*:*",
"matchCriteriaId": "449CE85B-E599-44D3-A7C1-5133F6A55E86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_23:*:*:*:*:*:*",
"matchCriteriaId": "FF76AEDA-E574-40ED-B64F-8FDEF8CAC802",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_11:*:*:*:*:*:*",
"matchCriteriaId": "435343A4-BF10-461A-ABF2-D511A5FBDA75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_12:*:*:*:*:*:*",
"matchCriteriaId": "B23C8E3E-5243-4DA6-B9AA-F6053084B55E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Microsoft Exchange Server Remote Code Execution Vulnerability"
},
{
"lang": "es",
"value": "Una Vulnerabilidad de Ejecuci\u00f3n de C\u00f3digo Remota en Microsoft Exchange Server"
}
],
"id": "CVE-2022-41082",
"lastModified": "2023-12-20T20:15:18.737",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "ADJACENT_NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.1,
"impactScore": 5.9,
"source": "secure@microsoft.com",
"type": "Primary"
}
]
},
"published": "2022-10-03T01:15:08.843",
"references": [
{
"source": "secure@microsoft.com",
"tags": [
"Exploit",
"Third Party Advisory",
"VDB Entry"
],
"url": "http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html"
},
{
"source": "secure@microsoft.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41082"
},
{
"source": "secure@microsoft.com",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "https://www.kb.cert.org/vuls/id/915563"
},
{
"source": "secure@microsoft.com",
"url": "https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/"
}
],
"sourceIdentifier": "secure@microsoft.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.