Microsoft’s third mitigation update for Exchange Server zero-day exploit bypassed within hours

Microsoft has published its third update for its mitigation of an exploit abusing two zero-day vulnerabilities in Microsoft Exchange Server.

It marks the latest step towards providing a fix for the exploit, dubbed ‘ProxyNotShell’, in what has been a confusing week for system admins attempting to understand the threat.

Security researcher Kevin Beaumont highlighted on Friday that there is already a bypass for the Microsoft-provided mitigation. It means every one of the company’s attempts to prevent the exploit from harming customers has been circumvented within hours of publication.

The issue lies in the way Microsoft’s signatures detect the exploit. The signatures monitor the w3wp.exe Internet Information Services (IIS) module, but for customers of Windows Server 2016 and above, w3wp.exe is excluded automatically by Exchange Server when IIS is installed.

“The only way to correct this is to turn off automatic exclusions,” he said, but Microsoft explicitly advises against doing this in its documentation.

The original vulnerability disclosure for the ProxyNotShell exploit was atypical, and the information about potential fixes has been fragmented and confusing for many to follow.

Discovered last week by security researchers at Vietnam-based company GTSC, the pair of zero-days has received a number of attempted fixes – the first of which was bypassed “easily”.

GTSC said in its report that it had noticed in-the-wild exploitation of both vulnerabilities for at least a month before publishing its findings.

The security issues are related to, but different from, the ProxyShell exploit developed in 2021, and the patch Microsoft provided for ProxyShell that year does not protect against them.

Tracked as CVE-2022-41040 and CVE-2022-41082, they each received a CVSSv3 severity score of 8.8/10. Microsoft Exchange versions 2013, 2016, and 2019 are affected.

Exploitation requires access to an authenticated user account, but initial tests indicated that any email user’s account, regardless of its level of privileges, could be used to launch an attack.

Microsoft Exchange Server customers are advised to monitor the official mitigation page and apply new ones as they become…