Wondering if anyone knows what this check is actually checking. It’s for the Exchange Server zero-day, and Rapid7 has published a check. The check is called microsoft-exchange-cve-2022-41082-remote. I don’t know what it is actually checking for. But it shows we have 0 instances, so I question its actual ability to check to see if we are vulnerable.
This is a fresh publish, so information will rapidly develop. However, it appears that this is an RCE vulnerability that is executable with access to PowerShell. Most of the related KB articles are sparse, but this seems to be the best write-up thus far: Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server – Microsoft Security Response Center
I was kind of assuming it had to do with PowerShell, but can’t be sure. Thank you.
So is there anything we need to do regarding our scan template or is this already embedded into the scan templates? Any version updates needed?
I assume you are asking me and I don’t know. I was hoping to get an answer from an R7 person as this vulnerability is getting a lot of attention and appears to be getting worse b/c the mitigations that were previously suggested may not be efficient anymore.
I just wanted to know exactly what it was that the check was checking for and bring some awareness to the community. So we just had our sys admins look into the recommended mitigations and see what we either already have in place or what needs to be done.
I recommend doing the same thing and not completely trusting the check that R7 put out there yet. At least not until we can get an answer to what it is actually checking.
I totally agree, we have done those steps as well, but like you said, I had 0 instances as well, so I didn’t know if there was anything extra I needed to activate on the scan template end.
@holly_wilsey can you shed some light? I know you said it was new, but usually I see actions to take in the scan template or a version update. Has that not yet been released?
Hi there! The way these remote checks currently work is as follows:
- `Microsoft Exchange Server` needs to be identified on an HTTP or HTTPS network service. This is a remote check, requiring the Scan Engine (not supported by the Insight Agent). We have seen some reports that only a generic `IIS` fingerprint is found on certain systems even if they’re running Exchange, which our team is investigating; this may cause false negatives in some situations.
- The Scanner will send an HTTP GET request to the service. Currently the path is `/Autodiscover/autodiscover.json@powershell` though we are revising this based on Microsoft’s most recent guidance and an updated check should be available in today’s content release.
- If the HTTP response code is 401, it indicates the system is vulnerable (the mitigation has not been applied). Otherwise I believe the request will time out and the vulnerability will not be reported.
There is more information available in our blog post here:
All the best,
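
The check logic described in the reply above, as an added example that is not part of the thread and not Rapid7's code: it triages per-asset scan observations so that "0 instances" can be separated from "not actually assessed". The `Observation` record, its field names and the verdict labels are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Probe path quoted in the reply above; the scanner sends an HTTP GET to it.
PROBE_PATH = "/Autodiscover/autodiscover.json@powershell"

@dataclass
class Observation:            # hypothetical record, not a Rapid7 export format
    host: str
    fingerprint: str          # product identified on the HTTP/HTTPS service
    via_scan_engine: bool     # False: asset assessed by the Insight Agent only
    status: Optional[int]     # status for GET PROBE_PATH; None = timed out or not sent

def triage(obs: Observation) -> str:
    """Map one observation to a verdict using the logic described in the reply."""
    if not obs.via_scan_engine:
        return "not-assessed"             # remote check; the agent cannot run it
    product = obs.fingerprint.lower()
    if "exchange" not in product:
        # Exchange hosts seen only as generic IIS are a known false-negative source.
        return "possible-false-negative" if "iis" in product else "not-assessed"
    if obs.status == 401:
        return "vulnerable"               # 401: mitigation has not been applied
    return "not-reported"                 # timeout or other response: no finding

def summarize(observations):
    """Group hosts by verdict so zero findings can be told apart from zero coverage."""
    groups = defaultdict(list)
    for obs in observations:
        groups[triage(obs)].append(obs.host)
    return dict(groups)

# Constructed sample data (documentation-range addresses, invented results).
SAMPLE = [
    Observation("192.0.2.10", "Microsoft Exchange Server", True, 401),
    Observation("192.0.2.11", "Microsoft Exchange Server", True, None),
    Observation("192.0.2.12", "IIS", True, None),
    Observation("192.0.2.13", "Microsoft Exchange Server", False, None),
    Observation("192.0.2.14", "nginx", True, None),
]

if __name__ == "__main__":
    for verdict, hosts in summarize(SAMPLE).items():
        print(f"{verdict:24} {', '.join(hosts)}")
```

Hosts landing in `possible-false-negative` or `not-assessed` are the ones to verify by hand against the vendor mitigation guidance, since the remote check never evaluated them.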