Microsoft Exchange Server Remote Code Execution Vulnerability
Weakness
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Exchange_server | Microsoft | 2013-cumulative_update_23 (including) | 2013-cumulative_update_23 (including) |
| Exchange_server | Microsoft | 2016-cumulative_update_22 (including) | 2016-cumulative_update_22 (including) |
| Exchange_server | Microsoft | 2016-cumulative_update_23 (including) | 2016-cumulative_update_23 (including) |
| Exchange_server | Microsoft | 2019-cumulative_update_11 (including) | 2019-cumulative_update_11 (including) |
| Exchange_server | Microsoft | 2019-cumulative_update_12 (including) | 2019-cumulative_update_12 (including) |
Potential Mitigations
- Make fields transient to protect them from deserialization.
- An attempt to serialize and then deserialize a class containing transient fields will result in NULLs where the transient data should be. This is an excellent way to prevent time, environment-based, or sensitive variables from being carried over and used improperly.
Related Attack Patterns
References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41082
- http://packetstormsecurity.com/files/170066/Microsoft-Exchange-ProxyNotShell-Remote-Code-Execution.html
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-41082
- https://www.kb.cert.org/vuls/id/915563
- https://www.secpod.com/blog/microsoft-november-2022-patch-tuesday-patches-65-vulnerabilities-including-6-zero-days/
- https://www.vicarius.io/vsociety/posts/cve-2022-41082-microsoft-exchange-server-remote-code-execution-vulnerability-detection-script
- https://www.vicarius.io/vsociety/posts/cve-2022-41082-microsoft-exchange-server-remote-code-execution-vulnerability-mitigation-script
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-41082