On September 29 two new Microsoft Exchange Server (on-prem) zero day attacks were reported.
An adversary who has access to a vulnerable on-prem Exchange Server can exploit it through Server-Side Request Forgery (SSRF) and, if they also have access to PowerShell, achieve remote code execution. Per Microsoft, the CVE exposure is limited to on-prem Exchange Servers, so Exchange Online customers do not currently need to take any action. Here are the CVE notifications:
- CVE-2022-41040: Server-Side Request Forgery (SSRF) vulnerability
- CVE-2022-41082: Remote code execution (RCE) when PowerShell is accessible to the attacker.
Citrix recommends that customers hosting a Microsoft Exchange Server on-prem follow Microsoft's recommendations. In addition, Citrix Web App Firewall customers should consider the following recommendations to improve the security of their applications and protect against these vulnerabilities.
Our threat research team has released updated Citrix Web App Firewall signatures designed to mitigate in part the CVE-2022-41082 and CVE-2022-41040 vulnerabilities. If you are using Microsoft Exchange Server on-prem, Citrix strongly recommends that you download signatures version 93 and apply them to your Citrix Web App Firewall deployments as an additional layer of protection for your applications. The signatures are compatible with the following software versions of NetScaler (formerly Citrix ADC): 11.1, 12.0, 12.1, 13.0 and 13.1. Please note that versions 11.1 and 12.0 are End of Life. Learn more about the release life cycle.
The Zero Day Initiative is tracking two vulnerabilities that haven’t been assigned CVE identifiers yet: ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3). Citrix recommendations for CVE-2022-41082/CVE-2022-41040 with WAF signatures version 93 and Responder policies will also mitigate those.
If you are already using Citrix Web App Firewall signatures with the auto-update feature enabled, you may follow these steps after verifying that the signature version is at least version 79.
- Search your signatures for CVE-2022-41082 LogString
- Select the results with ID 998871
- Choose “Enable Rules” and click OK
NetScaler Standard and Advanced edition customers, as well as Premium edition customers who do not have Citrix Web App Firewall signatures enabled, can use responder policies for protection as shown below. Please bind the responder policy to the appropriate bind point (vserver or global).
add responder policy mitigate_cve_2022_41082_41040 q^HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*\@.*Powershell#)^ DROP
Citrix recommends that Citrix Web App Firewall customers use the latest signature version, enable signatures auto-update, and subscribe to receive signature alert notifications. Citrix will continue to monitor this dynamic situation and update as new mitigations become available.
If application availability is inadvertently impacted by false positives from these mitigation policies, Citrix recommends the following modifications to the policy. Please note that any endpoint added to exception_list is no longer covered by the policy and may therefore remain exposed to the risks from CVE-2022-41082 and CVE-2022-41040.
- Modifications to Responder Policy
add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")
set responder policy mitigate_cve_2022_41082_41040 -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && (HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*\@.*Powershell#))^
- Modifications to WAF Policy
add policy patset exception_list
# (Example: bind policy patset exception_list "/exception_url")
Prepend the existing WAF policy rule with HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
# (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
Citrix will continue to update this advisory for CVE-2022-41082 and CVE-2022-41040 as additional information becomes available.
Update 1 (October 6, 2022)
Microsoft has updated the recommendations for the vulnerabilities in Microsoft Exchange Server tracked as CVE-2022-41082 / CVE-2022-41040.
Our threat research team has updated the Citrix Web App Firewall signatures designed to mitigate in part the CVE-2022-41082 and CVE-2022-41040 vulnerabilities. If you are using Microsoft Exchange Server on-prem, Citrix strongly recommends that you download signatures version 94 and apply them to your Citrix WAF deployments as an additional layer of protection for your applications.
The responder policy should be updated:
add responder policy mitigate_cve_2022_41082_41040 q^HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*Powershell#)^ DROP
or in the case of added exceptions:
set responder policy mitigate_cve_2022_41082_41040 -rule q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && (HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*Powershell#))^
Additional Information
Citrix Web App Firewall has a single code base across physical, virtual, bare-metal, and containers. This signature update applies to all form factors and deployment models of Citrix Web App Firewall.
Learn more about Citrix Web App Firewall. To learn more about Citrix Web App Firewall signatures, check out our alert articles and bot signature articles. Learn how to receive signature alert notifications.
Patches and Mitigations
Citrix strongly recommends that customers apply patches (from Microsoft and/or other vendors) as soon as they are made available. Until a patch is made available, you may reduce the risk of a successful attack by applying mitigations. Mitigations should not be considered full solutions as they do not fully address the underlying issue(s).