Exchange 0-Day CVE-2022–41040 and CVE-2022–41082, how to check if rules are including the mitigation?

Question

There is a critical 0-Day exploit for Exchange already being exploited, which is pretty much the same as the "ProxyShell" vulnerability in March. 
 How can I check if the mitigation is already working with Snort or IPS rules? 
 https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html#:~:text=Temporary%20containment%20measures 
 There is also written (see "Temporary containment measures") how to create a rewrite rule to address the vulnerability, until a patch becomes available.

LuCar Toni · Accepted Answer

nakedsecurity.sophos.com/.../

bobbylam · Answer

New protection released for Sophos Firewall for this: 
 twitter.com/.../1575931416382095360

bobbylam · Answer

The updated XG IPS sig pack covers both CVE-2022-41040 & CVE-2022-41082

Peter-Paul Gras · Answer

Microsoft have been through triage now, and issued CVE-2022&ndash;41040 and CVE-2022&ndash;41082. These are two new zero day vulnerabilities in Exchange. It appears the ProxyShell patches from early 2021 did not fix the issue. 
 source: https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9 IPS Signatures have not yet been updated (2022-09-30 11.00 AM CET): docs.sophos.com/.../index.html 
 
 Temporary solution: thehackernews.com/.../microsoft-confirms-2-new-exchange-zero.html

Exchange 0-Day CVE-2022–41040 and CVE-2022–41082, how to check if rules are including the mitigation?

Top Replies