Imperva Cyber Community

communities_1.jpg
 View Only

  • 1.  CVE-2021-34473 & CVE-2022-41040 Payload

    Posted 04-17-2023 13:32

    Dear Team,

    Hope you're all doing great!!!

    Microsoft Exchange Server RCE vulnerability not discovered by WAF. Below are the given payload as per ADC policy.


    We have received a payload from a malicious IP, but there's a change in pattern,

    URL: /autodiscover/autodiscover.json?@zdi/Powershell

    Below are the matching URL patterns, which is blocked at WAF.


    Note: Highlighted URL not blocked at WAF. Kindly let us know the reason behind it not covered by WAF.


    #CloudWAF(formerlyIncapsula)
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Jagadesh Kumar R
    Inormation Security Group, Assistant Manager
    The Karur Vysya Bank Limited
    Karur
    ------------------------------


  • 2.  RE: CVE-2021-34473 & CVE-2022-41040 Payload

    Posted 04-20-2023 10:11

    Hi Jagadesh,

    I thought I had an answer but our team is still fine tuning. I hope to have an update asap.
    Thanks,
    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------



  • 3.  RE: CVE-2021-34473 & CVE-2022-41040 Payload

    Posted 04-20-2023 11:52
    Edited by Sarah Lamont 04-20-2023 12:05

    Thanks for your patience, Jagadesh.

    I spoke with our threat research team and they created the following signature which mitigate the payload:

    Signature name: CVE-2022-41040, CVE-2022-41082: MS Exchange 0-day SSRF - RCE - PoC 2
Signature ID:614231
Pattern:
part="/autodiscover/autodiscover.json", part="Powershell"
    Signature will be delivered with ADC RCP 02-may-2023.
    In the meantime, you can use the above signature as manual mitigation.
    For On-prem WAF customers - our Thread Radar Emergency Feed customers will have received this notification automatically. You can find more info on that feed here.

    I hope this helps.
    Thanks,
    Sarah



    ------------------------------
    Sarah Lamont
    Digital Community Manager
    ------------------------------