February 26, 2026

Researchers find new ‘ProxyNotShell’ Exchange exploit – Security

Security researchers have discovered a new exploit that allows attackers to remotely execute code through Outlook Web Access (OWA) on Microsoft Exchange Server.

CrowdStrike said the new exploit method uses two vulnerabilities and bypasses the URL rewrite mitigations that Microsoft provided for the ProxyNotShell bugs, which affect on-premises Exchange servers.

The security vendor named the exploit method OWASSRF, for Outlook Web Access Server-Side Request Forgery.

In the original ProxyNotShell chain, the Autodiscover endpoint, which tells clients about the services offered by the remote Exchange server, is accessed with an authenticated request to the frontend, CrowdStrike researchers said.

It is reached through a path confusion exploit, CVE-2022-41040, which lets the attacker make the frontend forward requests for arbitrary URLs to the backend.

This class of vulnerability is known as server-side request forgery (SSRF).

In the case of ProxyNotShell, the targeted backend service is the Remote PowerShell service. OWASSRF reaches the same backend through OWA rather than Autodiscover, which is why rewrite rules written to catch the Autodiscover request pattern do not stop it.

A proof-of-concept link leading to leaked code for the new exploit was posted to Twitter by Huntress Labs security researcher Dray Agha.

Agha had found the attackers' toolkit in an open repository and downloaded all of it.

Using a Python script posted by Agha, CrowdStrike was able to replicate the log file entries seen in recent attacks.

CrowdStrike found the ProxyNotShell mitigation bypass while investigating Play ransomware intrusions, in which the common entry vector was Microsoft Exchange.

Exchange Server is a common target for attackers, with several exploits and attacks recorded recently.

A high-profile attack on Rackspace took out the cloud provider's hosted Exchange service, with customers told to migrate to Microsoft 365 as a mitigation.

Some days later, Rackspace confirmed that the cause of the outage was a ransomware attack by unnamed criminals, forcing the company's support technicians into time-consuming data recovery processes for customers.

Rackspace said it had engaged CrowdStrike to assist with the investigation of the ransomware attack.

CrowdStrike said that since the URL rewrite mitigations are not effective against this method, Exchange admins should apply Microsoft's November patches to prevent exploitation.

Admins who cannot immediately patch their Exchange servers should disable OWA as soon as possible, and follow Microsoft's recommendation to disable remote PowerShell for ordinary users where possible.
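The following is an added example, not code from the article, Microsoft or CrowdStrike, showing how the two stop-gaps above could be applied from the Exchange Management Shell on an on-premises server: removing Remote PowerShell from every mailbox user who is not in an administrative role group, then turning OWA off per mailbox until the patches are in. The role-group names are assumptions to adjust for your organisation, and every change is run with -WhatIf first.

```powershell
# Added example, not code from the article, Microsoft or CrowdStrike.
# Run in the Exchange Management Shell. Role-group names are assumptions; remove -WhatIf to apply.

# Administrators who must keep Remote PowerShell (assumed role groups).
$adminRoleGroups = @('Organization Management', 'Server Management')
$exempt = foreach ($rg in $adminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ResultSize Unlimited |
        Select-Object -ExpandProperty DistinguishedName
}

# Step 1: ordinary mailbox users lose Remote PowerShell access.
$targets = Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled -and ($exempt -notcontains $_.DistinguishedName) }

foreach ($u in $targets) {
    Set-User -Identity $u.Identity -RemotePowerShellEnabled $false -WhatIf
}

# Verify: only the exempt administrators should remain in this list.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.RemotePowerShellEnabled } |
    Select-Object Name, RemotePowerShellEnabled

# Step 2 (until the November 2022 patches are applied): disable OWA for every mailbox.
# This removes browser access to mail for users, so treat it as a temporary measure.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAEnabled } |
    Set-CASMailbox -OWAEnabled $false -WhatIf
```

Disabling Remote PowerShell per user closes off the backend that the article says both ProxyNotShell and OWASSRF ultimately target, independent of which frontend path is used to reach it; disabling OWA removes the new entry point. Neither replaces patching, which CrowdStrike gives as the actual fix.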
