Zero-day Vulnerabilities, Explained: Is Microsoft Exchange Safe?

On 29 September, 2022, two zero-day vulnerabilities in Microsoft Exchange Server were publicly announced. These two vulnerabilities could allow an attacker to carry out Remote Code Execution (RCE).

These zero-day vulnerabilities are worrisome news for pretty much everybody.

That’s because Microsoft Exchange is used by governments, public services, the press – as well as businesses and academic institutions. It’s used to run email servers and take care of organisational calendering – and a lot of highly sensitive, potentially world-changing information is stored on Microsoft Exchange servers, around the globe.

Remote Code Execution is one of the worst possible security vulnerabilities, because an RCE attack can result in unlimited access to the target. Attackers can install ransomware or other malware, mine cryptocurrency with your system resources, or steal sensitive data (including credit card numbers, addresses of VIPs, and medical records).

At deeserve, we’re well-versed in Microsoft Exchange server support. We’ve been closely monitoring this situation for our customers and ensuring their safety until Microsoft announced a fix. This was an exceptional incident, and one that is only just resolved:

[BREAKING] Microsoft Releases November 2022 Exchange Server Security Updates

The vulnerabilities have been running for an unknown amount of time, but have actively been exploited. Until now, Microsoft had only issued mitigations for these vulnerabilities – not fixes.

But what is a zero-day vulnerability? Could your data have been affected? And is Microsoft Exchange now safe to use?

What is a zero-day vulnerability?

If you’re wondering what all of this means, we’ll explain it as simply as we can:

A zero-day vulnerability is a security hole in software. It’s called a zero-day vulnerability because it was discovered by attackers before the software vendor, which means the software maker has zero days to fix it – and that the vulnerability was there from day zero.

Hackers and attackers can use this security hole to attack a secure system – causing damage, installing software, erasing data, stealing data, or running any code that they want. But first, they need to figure out a method for doing so.

Once a zero-day vulnerability is known, a zero-day exploit can be developed. An exploit is a method for using the vulnerability to gain access or cause damage to the affected system.

Any attacks that take place on this vulnerability are called zero-day attacks.

Zero-day attacks are highly successful, because there are no patches to fix them yet – and the software maker usually has no idea that the vulnerability exists until it’s too late.

Attackers who discover zero-day vulnerabilities may not act on them immediately. Instead, they could sell them on the dark web, demand a ransom from the software company, or sit on the information until it gives them a significant bartering advantage – like during a company merger or takeover, an IPO, or during political/economic unrest.

But if the exploit allows access to a system, they could carry out an attack and plunder valuable information, to be sold on to other malicious actors.

What happened to Microsoft Exchange Server?

This isn’t the first time in recent memory that Microsoft Exchange has suffered from zero-day vulnerabilities. In March 2021, Microsoft detected multiple zero-day attacks on on-premises versions of Microsoft Exchange Server.

The latest vulnerabilities were publicly announced on September 29, 2022 – but could have been exploited well before this date, before attacks were carried out. But here’s how it all went down:

29 September, 2022

Two zero-day vulnerabilities, identified as CVE-2022-41040 and CVE-2022-41082, are publicly announced.

CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while CVE-2022-41082 allows remote code execution (RCE) when PowerShell is accessible to the attacker.

30 September, 2022

Microsoft confirms that the exploits are being used in attacks:

“Microsoft is also monitoring these already deployed detections for malicious activity and will take necessary response actions to protect customers…”

3 October, 2022

Mitigations begin rolling out, while fake Microsoft Exchange ProxyNotShell exploits go up for sale on GitHub.

4 October, 2022

Microsoft updates its Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server, to counter ProxyNotShell exploits.

5-6 October, 2022

Further improvement was made to the URL Rewrite rule mitigation. An updated version was released for EOMTv2. Mitigation for EEMS rule updated.

7-8 October, 2022

Corrections and updates to mitigation process documentation. The mitigation for EEMS was updated. The mitigation for EOMTv2 was updated.

The mitigations remained in place for a month, while being closely monitored by the Exchange Team (and us here, at deeserve).

8 November, 2022

Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082, urging all customers to act immediately. Mitigations are no longer recommended.

For more information, review the Exchange Team blog.

Could your Microsoft Exchange servers have been impacted?

If you’re a deeserve Microsoft Exchange Server Support customer, we will have been closely monitoring your servers, carrying out all possible mitigations, and reporting any incidents directly to you.

For all other admins who want to check if their Microsoft Exchange servers have already been compromised, you can review the analysis made by Microsoft here:  Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082 – Microsoft Security Blog

Is Microsoft Exchange still safe to use?

Now that the fix is in place, Microsoft Exchange is safe.

Still, there’s no telling whether this could happen again. Zero-day vulnerabilities only become known when attackers find them, or if bounty hunters discover them. There is always going to be a risk, with any kind of software, that a zero-day attack will take place.

With Microsoft Exchange server 2013 reaching end-of-life, users of the platform might find it easier (and less risky) to migrate to the Cloud, rather than to carry on with burdensome on-premises servers.

Read more – What Are the Risks of Cloud Migration?

For highly sensitive data and critical operations, Private Cloud offers unrivalled security. In any sector – from financial services, to government and defence offices – Private Cloud solutions represent the most robust, secure, resilient way to store and transfer data.

But for those situations where on-premises servers are a must, deeserve offers 24/7 server support, IT systems audits, and cybersecurity solutions – so, even in the midst of a security vulnerability, you’ll have your own security team dedicated to keeping attackers out of your data.

Protect Your Business, with deeserve.

We’re deeserve – a trusted partner to some of the largest organisations in the world for server support and highly secure Private Cloud solutions. Protect your data and assets, with our expert team on hand, constantly monitoring and providing support.

Call us on 01509 80 85 86 or send your message to hello@deeserve.co.uk to get started.

Posted on: 11th November 2022.