"Microsoft Updates Guidance for 'ProxyNotShell' Bugs After Researchers Get Around Mitigations"

Microsoft has updated its guidance for two zero-day vulnerabilities recently discovered in Exchange Server software. According to several security researchers who investigated the bugs, known as "ProxyNotShell," the original guidance was insufficient to address the issues: Microsoft's original mitigations could easily be bypassed, so those who applied them remained vulnerable. Microsoft has now updated the script that automates the mitigations to account for this bypass. One of the ProxyNotShell bugs, a Server-Side Request Forgery (SSRF) vulnerability designated CVE-2022-41040, can allow an attacker with credentials for a user account on the mail server to gain unauthorized levels of access. The second vulnerability, CVE-2022-41082, allows Remote Code Execution (RCE), similar to the 2021 ProxyShell issues that wreaked havoc on many businesses. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) added both bugs to its list of Known Exploited Vulnerabilities (KEV) hours after they were discovered, while Microsoft confirmed that the issues are still being exploited and affect those running Microsoft Exchange Server 2013, 2016, and 2019. This article continues to discuss the ProxyNotShell vulnerabilities and Microsoft's updated guidance for the bugs.

The Record reports "Microsoft Updates Guidance for 'ProxyNotShell' Bugs After Researchers Get Around Mitigations"

Submitted by Anonymous on