Risk | High |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2022-41080 CVE-2022-41079 CVE-2022-41123 CVE-2022-41078 |
CWE-ID | CWE-264 CWE-451 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software | Microsoft Exchange Server (Server applications / Mail servers) |
Vendor | Microsoft |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU69097
Risk: High
CVSSv4.0: 8.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber]
CVE-ID: CVE-2022-41080
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists because the application does not properly impose security restrictions. A remote authenticated user can escalate privileges within the Exchange server.
Note, this vulnerability is suspected to be used in a new exploit method that bypasses the URL rewrite mitigations for the Autodiscover endpoint provided by Microsoft in response to ProxyNotShell.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2013 Cumulative Update 1 15.00.0712.024 - 2019 RTM 15.02.0221.012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41080
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.
EUVDB-ID: #VU69096
Risk: Medium
CVSSv4.0: 6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-41079
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote user to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data within the SerializationTypeConverter class. A remote user can perform a spoofing attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2013 Cumulative Update 1 15.00.0712.024 - 2019 RTM 15.02.0221.012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41079
https://www.zerodayinitiative.com/advisories/ZDI-22-1604/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69095
Risk: Low
CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2022-41123
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions. A local user can bypass implemented security restrictions and escalate privileges on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2016 Cumulative Update 1 15.01.0396.030 - 2019 RTM 15.02.0221.012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41123
https://www.zerodayinitiative.com/advisories/ZDI-22-1603/
https://www.zerodayinitiative.com/advisories/ZDI-22-1602/
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
The attacker would have to login to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU69093
Risk: Medium
CVSSv4.0: 6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2022-41078
CWE-ID:
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
Exploit availability: No
Description
The vulnerability allows a remote user to perform a spoofing attack.
The vulnerability exists due to incorrect processing of user-supplied data within the ApprovedApplication class. A remote user can perform a spoofing attack.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Microsoft Exchange Server: 2013 Cumulative Update 23 15.00.1497.002 - 2019 RTM 15.02.0221.012
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41078
https://www.zerodayinitiative.com/advisories/ZDI-22-1601/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How can the attacker exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.