
Microsoft Exchange Server vulnerabilities: CVE-2022-41040 and CVE-2022-41082
Barracuda Web Application Firewall hardware and virtual appliances; Barracuda CloudGen WAF on AWS, Azure, and GCP; Barracuda WAF-as-a-Service; and Barracuda Load Balancer ADC are not affected by the recently discovered zero-day vulnerabilities affecting Microsoft Exchange Server editions 2013, 2016, and 2019. The vulnerability identified as CVE-2022-41040 is a server-side request forgery (SSRF), and the one identified as CVE-2022-41082 is a remote code execution (RCE) vulnerability.
Please revisit this space to stay up to date on these vulnerabilities, as we will continue to share further updates.
Details of the vulnerabilities
Recently, GTSC discovered two zero-day vulnerabilities and shared the details with the Zero Day Initiative (ZDI). The following bugs were verified and acknowledged by ZDI:
- ZDI-CAN-18333 | Microsoft | CVSS: 8.8
- ZDI-CAN-18802 | Microsoft | CVSS: 6.3
ZDI shared the details with Microsoft, and based on its research, Microsoft published the following CVEs for the identified vulnerabilities:
- CVE-2022-41040 | CVSS:3.1 8.8 / 8.1 | Vendor Severity: Critical | SSRF
- CVE-2022-41082 | CVSS:3.1 8.8 / 8.3 | Vendor Severity: Critical | RCE
These vulnerabilities were published on September 29, 2022, and affect Microsoft Exchange Server 2013, 2016, and 2019. Both CVEs require the attacker to be authenticated to the vulnerable Exchange Server.
The SSRF attack (CVE-2022-41040) can be carried out once the attacker has authenticated to the Exchange Server and gained access to PowerShell. From there, the attacker can go on to execute the RCE attack described in CVE-2022-41082.
Barracuda Web Application Firewall, WAF-as-a-Service, and Load Balancer ADC are not affected by these vulnerabilities.
Attack detection and protection
Barracuda will publish signatures to mitigate these vulnerabilities once it has completed its evaluation of the CVEs.
In the meantime, customers can contact the Barracuda Technical Support team to obtain an interim signature. The interim signature is crafted from the threat research data available so far, and we will continue to update the signatures as that data evolves.
For manual configuration, we recommend following the advisory published for the respective Barracuda Web Application Firewall product category, as listed below.
Barracuda WAF-as-a-Service
We recommend that WAF-as-a-Service customers follow the campus document to manually configure the steps required to mitigate the vulnerabilities. Customers can also follow the WAF-as-a-Service updates for the configuration steps.
Barracuda Web Application Firewall & Barracuda CloudGen WAF on AWS, Azure, and GCP
We recommend that Barracuda WAF and CloudGen WAF customers manually perform the configuration changes described in the campus documents to mitigate these vulnerabilities.
As a best practice, we also recommend that customers consider the interim mitigations and recommendations from Microsoft to protect their Microsoft Exchange Server.
To learn more about the configuration changes and settings required for this mitigation, please review the campus document.
For any assistance with these settings or questions regarding the attack patterns, contact Barracuda Technical Support.
