Project Hyphae

OWASSRF, NotProxyNotShell


Back on December 20th, 2022, CrowdStrike published a blog about a new exploit of Exchange servers via OWA utilizing CVE-2022-41080 and CVE-2022-41082.

Previously, CVE-2022-41082 was part two of the ProxyNotShell exploit chain, used for remote code execution (RCE) after the initial exploitation of CVE-2022-41040. Microsoft released a blog on September 29th, 2022, providing mitigation steps for CVE-2022-41040, and then released patches resolving both vulnerabilities on November 8th, 2022.

If an Exchange server has been patched with the November 8th, 2022 security updates (KB5019758) for CVE-2022-41040 and CVE-2022-41082, it is not vulnerable to the new exploit.

CrowdStrike has dubbed the new exploit OWASSRF. It uses CVE-2022-41080 first, which bypasses the URL rewrite rule Microsoft provided as a mitigation for ProxyNotShell, giving attackers the access needed to then exploit CVE-2022-41082 for remote code execution (RCE) in the same way they previously could with ProxyNotShell.

Similar to ProxyNotShell, OWASSRF requires authentication to OWA/Exchange to be exploited. This is not usually a large hurdle for a devoted attacker, but it does mean exploitation in the wild has been more targeted and not nearly as widespread as previously seen with the ProxyLogon and ProxyShell exploits from late 2021 through mid 2022.

The biggest takeaway here is to install your patches, even if you believe you have other mitigations in place. Such mitigations are almost always provided as a stop-gap or temporary fix until a more robust solution can be deployed in an update or patch.

If you have a server with the September 29th mitigations from Microsoft in place that has not been patched with the November 8th updates (KB5019758), you’ll likely need to once again consider your Exchange server potentially compromised: get those updates installed, turn off OWA if for some reason you cannot install the updates, and then perform a threat hunt for any indicators of compromise.
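The check described above, as an added example that is not from the Project Hyphae post or CrowdStrike's blog: it reads the installed Exchange build from ExSetup.exe, looks for any URL Rewrite rule on the Default Web Site as a sign that the mitigation was applied, and reports whether the server is patched, mitigation-only, or neither. The minimum patched build is a placeholder parameter you must fill in from Microsoft's KB5019758 article for your CU.

```powershell
# Added example (not from the post or CrowdStrike). Run in the Exchange
# Management Shell on each Exchange server.
# ASSUMPTION: -MinimumPatchedBuild is a PLACEHOLDER you fill with the build
# number Microsoft lists for KB5019758 on the CU this server runs.
Import-Module WebAdministration

function Get-ExchangePatchPosture {
    param(
        [Parameter(Mandatory)]
        [version]$MinimumPatchedBuild   # PLACEHOLDER: KB5019758 build for your CU
    )

    # The SU level is only visible in the ExSetup.exe file version;
    # Get-ExchangeServer's AdminDisplayVersion stops at the CU.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    $build   = [version]$exsetup.FileVersionInfo.ProductVersion

    # Any URL Rewrite rule on the Default Web Site is taken as a sign that the
    # September 29 mitigation was applied. No specific rule name is assumed.
    $rewriteRules = @(Get-WebConfiguration `
        -Filter '/system.webServer/rewrite/rules/rule' `
        -PSPath 'IIS:\Sites\Default Web Site' |
        Select-Object -ExpandProperty name)

    $patched = $build -ge $MinimumPatchedBuild

    $status = if ($patched) {
        'Patched: KB5019758-level build present; OWASSRF does not apply.'
    } elseif ($rewriteRules.Count -gt 0) {
        'MITIGATION ONLY: rewrite rule present but build is below the patched ' +
        'level. Treat as potentially compromised: install KB5019758 (or disable ' +
        'OWA until you can) and threat hunt.'
    } else {
        'UNPATCHED and no rewrite mitigation found. Install KB5019758 now.'
    }

    [pscustomobject]@{
        Server       = $env:COMPUTERNAME
        ExSetupBuild = $build
        Patched      = $patched
        RewriteRules = ($rewriteRules -join ', ')
        Status       = $status
    }
}

# Usage (fill in the placeholder from the KB5019758 article for your CU):
# Get-ExchangePatchPosture -MinimumPatchedBuild '<build for your CU>'
```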


CrowdStrike’s Blog: https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/
CVE-2022-41040: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41040
CVE-2022-41080: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41080
CVE-2022-41082: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-41082


