Nearly 70,000 Microsoft Exchange Server instances remain vulnerable to one of the two ProxyNotShell vulnerabilities. According to the Shadowserver Foundation, these servers have yet to be patched against CVE-2022-41082.
In late December 2022, the Shadowserver Foundation, a California-based nonprofit, discovered that as many as 70,000 Exchange Servers hadn’t received patches for ProxyNotShell, the same vulnerability that led to the Rackspace ransomware attack.
As of January 3, 2023, the number had decreased to 57,268, which is still significant given that patches for the two security bugs (CVE-2022-41040 and CVE-2022-41082) were released on the November Patch Tuesday.
Shadowserver Foundation’s data is based on server version details derived from the x_owa_version header.
Vulnerable Exchange Server Instances | Source: Shadowserver Foundation
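Defenders can run the same version-based check against their own inventory. The following is an added example, not Shadowserver's scanner: it reads the X-OWA-Version response header (the header the article refers to as x_owa_version), maps the build to an Exchange generation and compares it with a minimum patched build. The hostnames, header values and minimum-build table are constructed for the demonstration and must be replaced with the builds from Microsoft's published Exchange build table.

```python
# Added example (not Shadowserver's scanner): classify Exchange servers by the
# X-OWA-Version response header. Hosts, header values and minimum builds are
# constructed for the demo; use Microsoft's published Exchange build table.
import re
from typing import Mapping, Optional, Tuple

# The first two build components identify the Exchange generation.
GENERATIONS = {(15, 0): "Exchange 2013", (15, 1): "Exchange 2016",
               (15, 2): "Exchange 2019"}

# CONSTRUCTED minimum patched builds for the demo, not Microsoft's numbers.
DEMO_MIN_BUILDS = {"Exchange 2013": (15, 0, 1000, 0),
                   "Exchange 2016": (15, 1, 1000, 0),
                   "Exchange 2019": (15, 2, 1000, 0)}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,3})\s*$")

def parse_build(value: str) -> Optional[Tuple[int, ...]]:
    """'15.2.1118.20' -> (15, 2, 1118, 20); None if the value is malformed."""
    m = _VERSION_RE.match(value)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def owa_version(headers: Mapping[str, str]) -> Optional[str]:
    """Return the X-OWA-Version value; HTTP header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "x-owa-version":
            return value
    return None

def assess(headers: Mapping[str, str], min_builds=DEMO_MIN_BUILDS) -> str:
    """'patched', 'likely-vulnerable', or 'unknown' when no usable header."""
    raw = owa_version(headers)
    build = parse_build(raw) if raw else None
    if build is None:
        return "unknown"
    generation = GENERATIONS.get(build[:2])
    if generation not in min_builds:
        return "unknown"
    # Tuples compare component by component as integers, so 15.2.986.x sorts
    # below 15.2.1118.x; a plain string comparison would get this wrong.
    return "patched" if build >= min_builds[generation] else "likely-vulnerable"

SAMPLES = {  # constructed sample responses, not real scan data
    "mail.example.test": {"Server": "Microsoft-IIS/10.0", "X-OWA-Version": "15.2.1100.3"},
    "owa.example.test": {"x-owa-version": "15.1.900.12"},
    "legacy.example.test": {"Server": "Microsoft-IIS/8.5"},
}

def assess_all(samples=SAMPLES, min_builds=DEMO_MIN_BUILDS):
    return {host: assess(h, min_builds) for host, h in samples.items()}
```

Because the header carries version information only, treat the result as an indicator to confirm on the server itself, which is why Shadowserver describes such hosts as "likely" vulnerable.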
Discovered in late September 2022, the set of ProxyNotShell vulnerabilities allows elevation of privilege (EoP) through Server-Side Request Forgery (SSRF, CVE-2022-41040) and remote code execution (CVE-2022-41082).
Microsoft did not release the patches until November, but in the interim it provided a URL Rewrite mitigation, so administrators may well have applied that to their deployments. However, in December, CrowdStrike researchers unearthed OWASSRF, a way to bypass Microsoft's mitigation, sending admins back to the drawing board.
We are reporting out Microsoft Exchange servers still likely vulnerable to CVE-2022-41082 #ProxyNotShell. Nearly 70K IPs found without MS patches applied (based on version info). Previously recommended mitigation techniques can be bypassed by attackers https://t.co/ApcM9HwiOK
— Shadowserver (@Shadowserver) December 26, 2022
OWASSRF is already popular with threat actors, including the Play ransomware gang, which targeted the City of Antwerp and H-Hotels in December 2022.
ProxyNotShell impacts Exchange Server 2013, 2016 and 2019, so it goes without saying that admins need to be proactive and shore up defenses, especially if a patch is available.
ProxyNotShell is among several security issues discovered in Microsoft Exchange Servers in recent years. ProxyShell and Log4Shell were two of the most exploited flaws, and ProxyLogon, which Microsoft fixed in March 2021, also affected Exchange Servers.