Microsoft has offered a workaround for the Exchange zero-day vulnerability that became known over the weekend. However, the workaround does not adequately close the hole.

IT security researchers warn that the workaround Microsoft recommended for the zero-day vulnerability in its Exchange Server, which became known over the weekend and is already being actively exploited, does not sufficiently close the holes. Even with the workaround in place, attackers could still compromise servers. With a small adjustment, however, it should protect against the attacks.


The zero-day vulnerability, for which Microsoft has not yet released any update, became known on Friday and will likely have cost many administrators some overtime. The attacks chain two vulnerabilities: one through which attackers can escalate their privileges (CVE-2022-41040, a server-side request forgery; CVSS 8.8, risk "high") and one that allows arbitrary code to be executed remotely (CVE-2022-41082, CVSS 8.8, high).

Vulnerability Name: ProxyNotShell

The well-known IT security expert Kevin Beaumont gave the vulnerability the name ProxyNotShell because it shows similarities with the ProxyShell vulnerabilities from last year. However, the patches against ProxyShell do not help against the flaws that have now been discovered.

As a workaround, Microsoft had told administrators to add a request-blocking rule in the URL Rewrite settings of the Autodiscover virtual directory in IIS, using the regular expression pattern .*autodiscover\.json.*\@.*Powershell.* to abort matching requests. The manufacturer also provided a script that makes these changes for IT staff.

Ineffective workaround


Kevin Beaumont researched the workaround and concluded that it didn’t work.

IT researcher Will Dormann takes the same line, explaining that the "@" makes the pattern unnecessarily precise and that the rule works better if it is entered like this:


.*autodiscover\.json.*Powershell.*

So far, no other IT security experts have confirmed that the adapted rule is more effective.

Scammers sell fake exploits

Meanwhile, scammers are trying to sell supposed exploits for these vulnerabilities on GitHub. They create repositories that promise an exploit for the vulnerability, but the text in the readme.md file only leads to SatoshiDisk, apparently a cloud storage service that releases uploaded content only after an amount in cryptocurrency has been paid.

Since bug bounty platforms usually pay significantly larger sums for such exploits than the Bitcoin amounts demanded, it is obvious that only scammers are behind these offers. GitHub has since locked the projects.

Some scammers even used Kevin Beaumont's name to attract potential victims and take their money.

Updated Microsoft Advice

Microsoft has confirmed the vulnerabilities and offers information and hints in a blog post. In addition to the above, apparently insufficient rewrite rule, it now also advises administrators to disable remote PowerShell access for non-administrative users in the organization. The manufacturer has linked instructions for this.
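One way to carry out that advice from the Exchange Management Shell, as an added example that is neither the article's nor Microsoft's linked script: the Set-User cmdlet's RemotePowerShellEnabled switch controls per-user access to the remote PowerShell endpoint. The "admin*" naming convention used here to keep administrative accounts enabled is an assumption; replace it with the accounts that really need remote PowerShell in your organization, and note that the script deliberately skips the account it runs as.

```powershell
# Added example; not the article's or Microsoft's code. Run in the Exchange
# Management Shell with an account that holds the Organization Management role.

# Never cut off the account you are running this from.
$me = $env:USERNAME

# 1. Preview: mailbox users who can still reach the remote PowerShell endpoint.
#    The 'admin*' exclusion is an assumed naming convention; adjust it.
$toDisable = Get-User -ResultSize Unlimited -Filter "RecipientTypeDetails -eq 'UserMailbox'" |
    Where-Object {
        $_.RemotePowerShellEnabled -and
        $_.Name -notlike 'admin*' -and
        $_.SamAccountName -ne $me
    }
$toDisable | Select-Object Name, SamAccountName, RemotePowerShellEnabled | Format-Table -AutoSize

# 2. Dry run first, then apply.
$toDisable | Set-User -RemotePowerShellEnabled $false -WhatIf
$toDisable | Set-User -RemotePowerShellEnabled $false

# 3. Verify: whoever is left with access should be an administrator you recognise.
Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, SamAccountName |
    Sort-Object Name
```

Review the list from step 3 carefully: any non-administrative account that still shows up slipped through the filter, and any administrator that is missing has just lost remote management access and needs to be re-enabled with Set-User -RemotePowerShellEnabled $true.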