Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
Nino_Bilic
Microsoft
MicrosoftBB9193 I understand your question, let's see if I can provide an answer to this; borrowing from the MSRC blog:
...The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Our mitigations (EEMS, EOMTv2 and manual steps to create URL Rewrite rules) are targeted to address CVE-2022-41040. The reason why that has anything to do with PowerShell is - this is how this particular attack chain works (that we have seen in the wild). So our mitigations are aimed at breaking the attack chain (assuming no bypasses etc.) where Remote PowerShell can be used to exploit RCE.
That still leaves CVE-2022-41082 as vulnerability in it's own right, though. Yes, it might not be a part of this particular attack chain once CVE-2022-41040 is mitigated. However, users who have access to Remote PowerShell could still abuse CVE-2022-41082. Therefore, we recommend that access to Remote PowerShell also be restricted.