October Vuln of the Month: CVE-2022-41040 and CVE-2022-41082
October’s Vuln of the Month spotlights two high-risk Microsoft Exchange vulnerabilities that have been exploited separately or in concert. For the first time in this series, we’ll feature two related CVEs, and explain why both are worth the attention of security teams.
CVE-2022-41040 and CVE-2022-41082 are both vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. According to Microsoft, an authenticated attacker can use CVE-2022-41040, an elevation-of-privilege vulnerability, to remotely trigger CVE-2022-41082, though each vuln can also be exploited remotely on its own.
Our research shows that CVE-2022-41040 and CVE-2022-41082 meet many of the criteria we look for in a vulnerability that could be exploited, including:
- Access complexity: Low
- Potential attack surface: Broad
- Exploitable remotely: Yes
- Authentication/privilege requirements: Low
- Potential impact on availability: High
- Exploit code published: Yes
- Active exploits observed: Yes
For organizations running vulnerable versions of Microsoft Exchange, CVE-2022-41040 and CVE-2022-41082 represent high levels of risk. The Kenna Risk Score for CVE-2022-41040 is 94, which represents a greater risk than 99.78% of all the CVEs we’ve scored. For CVE-2022-41082, the Kenna Risk Score is 83—riskier than 99.49% of all scored vulns. CVSS 3 gives both vulns a base score of 8.8 (High).
Why CVE-2022-41040 and CVE-2022-41082 matter
These two vulnerabilities present a one-two punch to organizations, though they can be exploited separately. Observed exploits have seen attackers remotely execute arbitrary commands and even achieve hands-on keyboard access. Once in, attackers have been seen stealing data and engaging in Active Directory reconnaissance. The key here is that attackers must be authenticated to successfully exploit either vuln, but as Microsoft itself notes, user credentials aren’t difficult to acquire: “Standard user credentials can be acquired via many different attacks, such as password spray or purchase via the cybercriminal economy.”
Thanks to their ubiquity and a relatively large number of vulnerabilities, Microsoft platforms are always tempting targets for attackers. According to research the Cyentia Institute conducted last year with Kenna Security, part of Cisco, Windows platforms typically have 119 native and third-party vulnerabilities detected in any given month. That’s almost four times the median number of bugs in the next closest asset category of Macs and 30 times that of network appliances.
Exchange vulnerabilities have become increasingly popular with threat actors, as they can provide initial access to network environments and are often used to facilitate more effective phishing and malspam campaigns. Cisco Talos discovered the Hafnium threat actor exploiting several zero-day vulnerabilities in Exchange Server in 2021 to deliver ransomware, and Cisco Talos Incident Response reported that the exploitation of Exchange Server issues was one of the four attacks they saw most often last year.
Bottom line
For organizations running vulnerable versions of Microsoft Exchange, prompt mitigation should be a priority. Remote code execution vulnerabilities are almost always worth looking at, and even though authentication is required, it’s not that hard to achieve. Exploits have been observed, so this threat is active.
Mitigation status
On Sept. 29, the Microsoft Security Response Center published detailed mitigation guidance for affected organizations. It’s all too involved to summarize here, but Microsoft lays it all out for you.
Talos is closely monitoring the recent reports of exploitation attempts against these vulnerabilities and strongly recommends users implement mitigation steps while waiting for security patches for these vulnerabilities. In the meantime, the existing Snort signatures 27966-27968, 28323, 37245 and 42834-42838 provide additional protection for the malicious activity observed during the exploitation of CVE-2022-41082.
The following ClamAV signatures have been released to detect malware artifacts related to this threat:
- Asp.Backdoor.AntSword-9972727-1
- Asp.Backdoor.Awen-9972728-0
- Asp.Backdoor.AntSword-9972729-0
Watch this space for regular Vuln of the Month spotlights, which appear on the second Tuesday of each month. Meanwhile, if you find yourself chasing new and emerging vulns but never quite catching up, learn more about how Kenna Security can help you focus on your highest-risk vulnerabilities, rather than headlines, thanks in part to our vulnerability intelligence powered by machine learning.