Microsoft Mitigation for Exchange Server Zero-Day Can Be Bypassed
Researchers warn that the mitigation proposed by Microsoft for the new Exchange Server zero-day vulnerabilities, named ProxyNotShell, can be easily bypassed.
Researcher Kevin Beaumont named the vulnerabilities ProxyNotShell due to their similarities to the Exchange vulnerability dubbed ProxyShell, which has been exploited in the wild. Microsoft’s patches for ProxyShell did not completely remove the attack vector.
Microsoft’s own analysis indicates that a single state-sponsored threat group has chained the Exchange vulnerabilities in attacks aimed at fewer than 10 organizations, but the tech giant expects other malicious actors to start leveraging them in their attacks.
Patches for these vulnerabilities have yet to be released, but Microsoft says it’s working on fixes on an accelerated timeline.
GTSC and Microsoft have proposed a mitigation that involves setting a URL rewrite rule intended to block attack attempts. However, a researcher known as Jang noted that the rule is not effective and can be easily bypassed, and proposed a very similar rule that should work.
The CERT Coordination Center at Carnegie Mellon University has released its own advisory for CVE-2022-41040 and CVE-2022-41082, and provided an explanation regarding the mitigation.
Since exploitation of the vulnerabilities requires authentication, mass exploitation is unlikely at this point, but the flaws can be very valuable in targeted attacks.
Microsoft has told Exchange Online customers that they don’t need to take any action, but Beaumont believes that it may not be the right approach.