Discover All Exchange Servers in Your Network Vulnerable to CVE-2022-41040 & CVE-2022-41082
News broke of two actively exploited zero-day vulnerabilities in Microsoft Exchange 2013, 2016 and 2019. They were first reported by the Zero Day Initiative under the references ZDI-CAN-18333 (CVSS score: 8.8) and ZDI-CAN-18802 (CVSS score: 6.3). These vulnerabilities can lead to remote code execution when exploited.
Microsoft soon followed with the official disclosure of the vulnerabilities, now also listed as CVE-2022-41040 and CVE-2022-41082: "CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker".
You can find more information, including how to mitigate the vulnerabilities until a patch has been released, in our Exchange CVE-2022-41040 and CVE-2022-41082 blog post. The report below provides an overview of all Microsoft Exchange 2013, 2016, and 2019 servers that require action.
Exchange Scanned Servers Query
-- Active assets scanned as Exchange Server 2013, 2016 or 2019
Select Top 1000000 tblAssets.AssetID,
  tblAssets.AssetName,
  tblAssets.Domain,
  tblAssets.Username,
  tblAssets.Userdomain,
  Coalesce(tsysOS.Image, tsysAssetTypes.AssetTypeIcon10) As icon,
  tblAssets.IPAddress,
  tsysIPLocations.IPLocation,
  tblAssetCustom.Manufacturer,
  tblAssetCustom.Model,
  tsysOS.OSname As OS,
  tblAssets.Version,
  tblExchangeServer.AdminDisplayVersion As [Exchange Admin Display Version],
  -- Map the version number in AdminDisplayVersion to the product release
  Case
    When tblExchangeServer.AdminDisplayVersion Like '%15.0%'
    Then 'Exchange Server 2013'
    When tblExchangeServer.AdminDisplayVersion Like '%15.1%'
    Then 'Exchange Server 2016'
    When tblExchangeServer.AdminDisplayVersion Like '%15.2%'
    Then 'Exchange Server 2019'
  End As [Exchange Server Version],
  tblExchangeServer.ExchangeVersion As [Exchange Version],
  tblExchangeServer.Edition,
  tblExchangeServer.ServerRole,
  -- Show the latest scanning error only when its text is present and non-empty
  Case
    When tblErrors.ErrorText Is Not Null And
      tblErrors.ErrorText != '' Then
      'Scanning Error: ' + tsysasseterrortypes.ErrorMsg
    Else ''
  End As ScanningErrors,
  tblAssets.Lastseen,
  tblAssets.Lasttried
From tblAssets
  Inner Join tblAssetCustom On tblAssets.AssetID = tblAssetCustom.AssetID
  Inner Join tsysAssetTypes On tsysAssetTypes.AssetType = tblAssets.Assettype
  Inner Join tsysIPLocations On tsysIPLocations.LocationID =
    tblAssets.LocationID
  Inner Join tblExchangeServer On tblExchangeServer.AssetId = tblAssets.AssetID
  Inner Join tblState On tblState.State = tblAssetCustom.State
  Left Join tsysOS On tsysOS.OScode = tblAssets.OScode
  -- Most recent error record (highest Teller) per asset
  Left Join (Select Distinct Top 1000000 tblErrors.AssetID As ID,
      Max(tblErrors.Teller) As ErrorID
    From tblErrors
    Group By tblErrors.AssetID) As ScanningError On tblAssets.AssetID =
    ScanningError.ID
  Left Join tblErrors On ScanningError.ErrorID = tblErrors.Teller
  Left Join tsysasseterrortypes On tsysasseterrortypes.Errortype =
    tblErrors.ErrorType
Where tblState.Statename = 'Active' And
  (tblExchangeServer.AdminDisplayVersion Like '%15.0%' Or
    tblExchangeServer.AdminDisplayVersion Like '%15.1%' Or
    tblExchangeServer.AdminDisplayVersion Like '%15.2%')
Order By tblAssets.Domain,
  tblAssets.AssetName