Thanks for your patience, Jagadesh.
I spoke with our threat research team and they created the following signature, which mitigates the payload:
Signature name: CVE-2022-41040, CVE-2022-41082: MS Exchange 0-day SSRF - RCE - PoC 2
Signature ID: 614231
Pattern:
part="/autodiscover/autodiscover.json", part="Powershell"
Signature will be delivered with ADC RCP 02-may-2023.
In the meantime, you can use the above signature as manual mitigation.
For On-prem WAF customers - our Threat Radar Emergency Feed customers will have received this notification automatically. You can find more info on that feed here.
I hope this helps.
Thanks,
Sarah
------------------------------
Sarah Lamont
Digital Community Manager
------------------------------
Original Message:
Sent: 04-17-2023 13:32
From: Jagadesh Kumar R
Subject: CVE-2021-34473 & CVE-2022-41040 Payload
Dear Team,
Hope you're all doing great!!!
The Microsoft Exchange Server RCE vulnerability was not discovered by the WAF. Below is the given payload as per the ADC policy.
We have received a payload from a malicious IP, but there's a change in pattern:
URL: /autodiscover/autodiscover.json?@zdi/Powershell
Below are the matching URL patterns, which are blocked at the WAF.
Note: The highlighted URL is not blocked at the WAF. Kindly let us know the reason it is not covered by the WAF.
#CloudWAF(formerlyIncapsula)
#On-PremisesWAF(formerlySecuresphere)
------------------------------
Jagadesh Kumar R
Information Security Group, Assistant Manager
The Karur Vysya Bank Limited
Karur
------------------------------
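
The two-part pattern from the signature in the reply above can also be applied to request URIs in access logs while the signature is being rolled out. This is an added example, not Imperva's signature engine or code from the thread. It assumes each `part=` is a substring test and that all parts must match; the log format, IP addresses, function names and the case and percent-decoding normalization are constructed for illustration.

```python
from urllib.parse import unquote

# Parts taken from the signature pattern quoted in the reply above.
SIGNATURE_PARTS = ("/autodiscover/autodiscover.json", "Powershell")


def normalize(request_uri: str, max_rounds: int = 3) -> str:
    """Percent-decode (bounded number of rounds) and lowercase, so encoded
    or mixed-case variants are compared in one canonical form."""
    current = request_uri
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()


def matches_signature(request_uri: str) -> bool:
    """True when every signature part occurs in the normalized URI.
    Assumption: each part= is a substring test and all parts must match."""
    uri = normalize(request_uri)
    return all(part.lower() in uri for part in SIGNATURE_PARTS)


def scan(log_lines):
    """Yield (client_ip, uri) for constructed 'ip method uri' lines that match."""
    for line in log_lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines instead of raising
        ip, _method, uri = fields[0], fields[1], fields[2]
        if matches_signature(uri):
            yield ip, uri


# Constructed sample log lines (documentation IP ranges).
# Only the URI on the first line comes from the thread.
SAMPLE_LOG = [
    "203.0.113.10 GET /autodiscover/autodiscover.json?@zdi/Powershell",
    "203.0.113.11 GET /Autodiscover/Autodiscover.json?@zdi/PowerShell",
    "203.0.113.12 GET /autodiscover/autodiscover.json?@zdi/%50owershell",
    "198.51.100.7 POST /autodiscover/autodiscover.xml",
    "198.51.100.8 GET /owa/auth/logon.aspx",
]

if __name__ == "__main__":
    for ip, uri in scan(SAMPLE_LOG):
        print(f"match: {ip} {uri}")
```

Hits from a scan like this are candidates for review against the WAF's own alerts, not proof of exploitation.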