How to stop exploitation of CVE-2024-49040

The patch that fixes CVE-2024-49040 in Microsoft Exchange is temporarily unavailable. We’ve implemented heuristics that detect attempts to exploit it.

Spoofing via CVE-2024-49040

Among the vulnerabilities highlighted by Microsoft on the latest patch Tuesday on November 12 was CVE-2024-49040 in Exchange. Its exploitation allows an attacker to create emails that are displayed in the victim’s interface with a completely legitimate sender address. It would seem that the vulnerability was fixed, but, as it turned out, on November 14, Microsoft temporarily suspended distribution of the updates for Exchange Server. In the meantime, we’ve already observed attempts to exploit this vulnerability. So far the cases have been isolated: it looks like someone is testing the proof of concept. That’s why we at Kaspersky’s Content Filtering Methods Research Department have added to all our email security solutions a method for detection of attempts to use CVE-2024-49040 for spoofing.

What’s the problem with the CVE-2024-49040 vulnerability?

CVE-2024-49040 is a vulnerability with a CVSS rating of 7.5 that’s relevant for Exchange Server 2019 and Exchange Server 2016 and classified as “important”. Its essence lies in an incorrectly formulated P2 FROM header processing policy. An attacker can use it to have this header contain two email addresses: the real one – which is hidden from the victim, and the legitimate one – which is shown to the victim. As a result, Microsoft Exchange correctly checks the sender’s address, but shows the recipient a completely different one that doesn’t look suspicious to the user (for example, an internal address of an employee of the same company).

With the November 12 patch, Microsoft added a new feature that detects P2 FROM headers that don’t comply with the RFC 5322 internet message format standard, and that should have fixed the situation. However, according to a post on the Microsoft blog, some users began to have problems with the Transport rules, which sometimes stopped working after installing the update. Therefore, distribution of the update was suspended and will be resumed after it’s re-released.

How to stay safe

To prevent your company’s employees from being misled by exploitation of CVE-2024-49040, we’ve added a rule for detecting attempts to exploit it to all relevant solutions that are used to protect corporate mail. It works in Kaspersky Security for Microsoft Exchange Server, Kaspersky Security for Linux Mail Server, and Kaspersky Secure Mail Gateway.

Tips