Exchange On-Premises – Old Exploit Resurfaces

CVE-2022-41040 and CVE-2022-41082 under attack again

On November 8th, 2022, Microsoft released a Security Update for Exchange Server 2013, 2016, and 2019 that closes CVE-2022-41040 and CVE-2022-41082, the pair better known as ProxyNotShell, which had been exploited in the wild for weeks before a fix was available.

The two zero-day vulnerabilities are chained: CVE-2022-41040 is a server-side request forgery in the Exchange front end that lets a request reach the PowerShell backend, and CVE-2022-41082 is a remote code execution flaw in that backend. The chain requires authenticated access (valid credentials for any Exchange user), but once it succeeds the attacker runs code on the Exchange server itself, which typically means a foothold inside the internal company network.

MSTIC (the Microsoft Threat Intelligence Center) observed the chain in a small number of targeted intrusions, where initial compromise was followed by hands-on-keyboard activity and exfiltration of company data, and assesses with medium confidence that the group responsible was state-sponsored.

Exchange Emergency Mitigation Service

In September 2021, shipping with Exchange 2016 CU22 and Exchange 2019 CU11, Microsoft released the Exchange Emergency Mitigation Service (EM Service) as a response to the continuous flow of zero-day exploits, the Hafnium ProxyLogon campaign among them, that wreaked havoc on Exchange on-premises in the first half of 2021. Exchange 2013 never received the service.

With the service installed and enabled, Exchange on-premises polls Microsoft's Office Config Service every hour for new mitigations, so that a server can be hardened against an unpatched zero-day before a Security Update exists. A mitigation is one of three things: an IIS URL rewrite rule that blocks a known malicious request pattern, a stop of an Exchange service, or a disablement of an IIS application pool.
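As an added example (not code from the original post), the following PowerShell audits the state of the EM Service on one server. The cmdlets, properties, scripts and the MSExchangeMitigation service name are the documented ones; the `ExchangeInstallPath` environment variable is set by Exchange setup, and the script is assumed to run from the Exchange Management Shell on the server being checked.

```powershell
# Audit the Exchange Emergency Mitigation Service on an Exchange 2016 CU22+ / 2019 CU11+ server.
# Run from the Exchange Management Shell (Windows PowerShell 5.1) on the server itself.

function Get-EmServiceStatus {
    param([Parameter(Mandatory)][string]$Server)

    # 1. Organization-level switch: Set-OrganizationConfig -MitigationsEnabled $false turns it all off
    $orgEnabled = (Get-OrganizationConfig).MitigationsEnabled

    # 2. Per-server state: enabled flag, mitigations applied so far, mitigations an admin has blocked
    $srv = Get-ExchangeServer -Identity $Server |
        Select-Object Name, MitigationsEnabled, MitigationsApplied, MitigationsBlocked

    # 3. The Windows service that does the hourly check must actually be running
    $svc = Get-Service -Name MSExchangeMitigation -ComputerName $Server -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server            = $srv.Name
        OrgMitigations    = $orgEnabled
        ServerMitigations = $srv.MitigationsEnabled
        ServiceStatus     = if ($svc) { $svc.Status } else { 'NotInstalled' }
        Applied           = ($srv.MitigationsApplied -join ', ')
        Blocked           = ($srv.MitigationsBlocked -join ', ')
        Healthy           = [bool]($orgEnabled -and $srv.MitigationsEnabled -and $svc -and $svc.Status -eq 'Running')
    }
}

# Path of the Exchange installation on this server (assumed: set by Exchange setup)
$ExInstall = $env:ExchangeInstallPath

# Can this server reach the Office Config Service that the hourly check talks to?
& "$ExInstall\Scripts\Test-MitigationServiceConnectivity.ps1"

# Which mitigations (URL rewrite rules, stopped services, disabled app pools) are in place?
& "$ExInstall\Scripts\Get-Mitigations.ps1"

Get-EmServiceStatus -Server $env:COMPUTERNAME | Format-List
```

A `Healthy` value of `False` means the hourly check is not happening on that server, so it has none of the protection the rest of this article assumes; a non-empty `Blocked` list means someone has opted out of specific mitigations and should be able to say why.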

The protection offered by the EM Service may, however, end up doing more harm than good:

Although Microsoft states plainly that the EM Service is no replacement for Exchange Security Updates, busy admins may treat it as a legitimate reason to push server patching down the priority list.

This false sense of protection may prove to be a hazardous strategy.

Mitigation Service Mitigated

In late December 2022, a new exploit technique surfaced (CrowdStrike named it OWASSRF) that sidesteps the mitigation the EM Service had distributed for CVE-2022-41040 and CVE-2022-41082. That mitigation is a URL rewrite rule blocking the known request path through Autodiscover; the new technique reaches the same PowerShell backend through the Outlook Web Access front end instead, pairing CVE-2022-41080 with CVE-2022-41082. The November 8 Security Update fixes both of those flaws, so a patched server is protected and a mitigated-but-unpatched server is not.

A recent announcement from Shadowserver suggests that many Exchange admins trust the EM Service to such an extent that they have refrained from patching their Exchange on-premises servers at all.

By scanning Internet-facing hosts for the X-OWA-Version response header that Outlook Web Access returns, Shadowserver found more than 60,000 unique servers still running Exchange on-premises builds that lack the fix:

[Figure: Shadowserver Exchange version scan]

EM Service is a Supplement – Not a Solution

Let’s face it: Maintaining Exchange on-premises is hard work. And there are no shortcuts.

Although you may be running the Exchange Emergency Mitigation Service (and you should), you still need to perform timely patching of your Exchange on-premises server(s). That holds even if you have migrated every mailbox to Exchange Online and keep the server only for hybrid recipient management: it is still an Exchange server running the same vulnerable code.

The Exchange Security Updates can usually be installed via Windows Update. Two caveats: a Security Update is specific to the Cumulative Update it was built for and Microsoft only ships it for the currently supported CUs, so a server on an old CU must first be upgraded to a supported CU; and if you install the .msp by hand, run it from an elevated prompt, otherwise the install can fail silently and leave the server unpatched. DMZ server patching can sometimes be challenging, but it's a worthwhile effort when you consider the work, pain, and embarrassment associated with being hacked.
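As an added example (not from the original post), the following PowerShell checks whether a server's build is at or above the November 8, 2022 Security Update, which is what actually closes CVE-2022-41040 and CVE-2022-41082. The minimum builds are taken from Microsoft's "Exchange Server build numbers and release dates" table for the CU that was current in November 2022; the sample build strings at the end are constructed so the comparison logic can be exercised offline, and the OWA URL is a placeholder.

```powershell
# Minimum builds that include the November 2022 Security Update, per Exchange version
# (Microsoft's build numbers table; entries are for the CU current at the time).
$Nov2022SU = @{
    '15.0' = [version]'15.0.1497.44'   # Exchange 2013 CU23 + Nov22SU
    '15.1' = [version]'15.1.2507.16'   # Exchange 2016 CU23 + Nov22SU
    '15.2' = [version]'15.2.1118.20'   # Exchange 2019 CU12 + Nov22SU
}

function Test-ExchangePatched {
    param([Parameter(Mandatory)][version]$Build)
    $key = '{0}.{1}' -f $Build.Major, $Build.Minor
    $min = $Nov2022SU[$key]
    if (-not $min) { return 'Unknown' }
    # Third component is the CU, fourth is the SU revision within that CU.
    # Microsoft ships SUs for the two most recent CUs, so an older CU may have its
    # own Nov22SU build; anything older than that needs a CU upgrade first.
    if ($Build.Build -lt $min.Build) { return 'OlderCU-CheckBuildTable' }
    if ($Build.Build -eq $min.Build -and $Build.Revision -lt $min.Revision) { return 'Unpatched' }
    return 'Patched'
}

# Authoritative, local: ExSetup.exe carries the full build including the SU revision
# (Get-ExchangeServer's AdminDisplayVersion does not change when an SU is installed).
function Get-LocalExchangeBuild {
    [version](Get-Command ExSetup.exe).FileVersionInfo.ProductVersion
}

# Coarse, remote: the X-OWA-Version header that Shadowserver's scan keyed on.
# Treat it as a hint only; trust the local build above.
function Get-OwaVersionHeader {
    param([Parameter(Mandatory)][string]$OwaUrl)
    $r = Invoke-WebRequest -Uri $OwaUrl -UseBasicParsing -MaximumRedirection 5
    $r.Headers['X-OWA-Version']
}

# Constructed sample builds: one patched, one on the same CU but older SU,
# one on an older CU, one Exchange 2016 patched build.
'15.2.1118.20', '15.2.1118.15', '15.2.986.30', '15.1.2507.16' |
    ForEach-Object { '{0,-14} {1}' -f $_, (Test-ExchangePatched -Build ([version]$_)) }

# On a real server:
# Test-ExchangePatched -Build (Get-LocalExchangeBuild)
# Get-OwaVersionHeader -OwaUrl 'https://mail.example.com/owa/'   # placeholder URL
```

Microsoft's HealthChecker.ps1 script does the same comparison against the current build table and much more; the function here is deliberately small so the logic (CU first, then SU revision) is visible.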

How to Solve the Exchange On-Premises Issue

Despite the many efforts by Microsoft, there is only one way to gain 100% protection of your Exchange on-premises server: Shut. It. Down.

This solution, of course, demands that you're fully migrated to Exchange Online in terms of mailboxes and mail flow, and that you have a plan for recipient management: in a hybrid setup the last on-premises server is usually kept only to manage the Exchange attributes of users synchronized from Active Directory.

If you’re ready to get rid of Exchange on-premises, there are a few options:

1. Upgrade to Exchange 2019 and use PowerShell for all tasks.

This is the path Microsoft supports: from Exchange 2019 CU12, you can shut down the last Exchange server and keep only the management tools, whose recipient management PowerShell module works directly against Active Directory without a running server. Because it is supported, Microsoft will help with problems arising from configuration changes made this way.

Using PowerShell shouldn’t be a problem for seasoned Exchange admins working full-time with the product.

It may turn out to be a problem for the company when the admin leaves with no documentation left behind. Also, complex PowerShell scripting is more difficult to hand over to first-level support.

2. Use ADSI Edit or AD Users & Computers for direct attribute editing

Here you write the Exchange attributes (proxyAddresses, targetAddress, mailNickname, and the msExch* attributes) on the AD object yourself, and let directory synchronization carry them to Exchange Online. This option is not supported by Microsoft. If you make configuration errors, you'll be responsible for fixing them.

Admins that are comfortable with the intricacies of AD can take this approach.

Again, it may become a challenge when senior admins leave the company or if you want to involve first-level support in email support.
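As an added example (not code from the original post), the following PowerShell shows options 1 and 2 side by side for the most common task, turning a synchronized AD user into an Exchange Online mailbox. The snap-in name and cmdlets in option 1 are the documented ones for the Exchange 2019 CU12+ management-tools-only setup; the user, domain names and the `Test-RemoteMailboxAttributes` helper are placeholders and assumptions.

```powershell
# Placeholders: adjust for your environment
$user   = 'jane.doe'                        # sAMAccountName of an AD-synced user
$tenant = 'contoso.mail.onmicrosoft.com'    # hybrid routing domain
$smtp   = 'jane.doe@contoso.com'            # primary SMTP address

# --- Option 1 (supported): Exchange 2019 CU12+ management tools, no server -----
# The recipient management snap-in works against AD without an Exchange server.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement
Enable-RemoteMailbox -Identity $user -RemoteRoutingAddress "$user@$tenant"
Set-RemoteMailbox    -Identity $user -PrimarySmtpAddress $smtp

# --- Option 2 (unsupported): write the same attributes directly ----------------
# Produces the same AD state as above, but every value is your responsibility.
Import-Module ActiveDirectory
Set-ADUser -Identity $user -Replace @{
    mailNickname               = $user
    targetAddress              = "SMTP:$user@$tenant"
    proxyAddresses             = @("SMTP:$smtp", "smtp:$user@$tenant")
    msExchRecipientDisplayType = -2147483642   # remote user mailbox
    msExchRecipientTypeDetails = 2147483648    # RemoteUserMailbox
    msExchRemoteRecipientType  = 1             # ProvisionMailbox
}

# Helper (assumed, not a Microsoft cmdlet): verify the object looks like a remote
# mailbox before the next directory sync picks it up. Returns the missing attributes.
function Test-RemoteMailboxAttributes {
    param([Parameter(Mandatory)][string]$Identity)
    $required = 'mailNickname', 'targetAddress', 'proxyAddresses',
                'msExchRecipientDisplayType', 'msExchRecipientTypeDetails', 'msExchRemoteRecipientType'
    $u = Get-ADUser -Identity $Identity -Properties $required
    $missing = $required | Where-Object { -not $u.$_ }
    if ($u.proxyAddresses -and -not ($u.proxyAddresses -cmatch '^SMTP:')) {
        $missing += 'proxyAddresses(primary SMTP: entry)'
    }
    $missing
}

$gaps = Test-RemoteMailboxAttributes -Identity $user
if ($gaps) { Write-Warning "Incomplete: $($gaps -join ', ')" } else { 'Remote mailbox attributes complete' }
```

Whichever option you use, the mailbox itself is provisioned in Exchange Online by directory synchronization (Azure AD Connect) on its next cycle; nothing here talks to Exchange Online directly, which is exactly why the on-premises server is no longer needed.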

3. Use a third-party tool to replace Exchange on-premises

This option is not supported by Microsoft. You’ll have to rely on the vendor’s support if problems arise.

One example of a third-party tool to replace Exchange on-premises is Easy365Manager.

Easy365Manager is a lightweight snap-in to AD Users & Computers that consolidates your AD and Exchange Online management.

With Easy365Manager, you can perform all daily Exchange Online mailbox management directly from AD user properties.

This includes complex tasks that are not even available in the Exchange Admin Center, like calendar delegation.

Stressing the Obvious

Protecting your systems from evil-doers is a constant battle, and for companies overstretching their IT workforce, it may become a losing battle.

The last couple of years have seen numerous complex exploits specifically targeting Exchange on-premises.

To companies whose value lies in their intellectual property, it's especially concerning that many of these efforts appear to be state-sponsored.

The best protection from zero-day exploits targeting Exchange on-premises is to shut it down.

But if you still need it, make sure the Exchange Emergency Mitigation Service does not become a pretext for doing nothing.

You still need timely patching of your Exchange on-premises server.