{"id":23588,"date":"2024-11-26T13:26:41","date_gmt":"2024-11-26T09:26:41","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23588"},"modified":"2024-11-26T13:26:41","modified_gmt":"2024-11-26T09:26:41","slug":"cve-2024-49040-email-spoofing-protection","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/cve-2024-49040-email-spoofing-protection\/23588\/","title":{"rendered":"How to stop exploitation of CVE-2024-49040"},"content":{"rendered":"<p>Among the vulnerabilities highlighted by Microsoft on the latest <a href=\"https:\/\/www.kaspersky.com\/blog\/2024-november-patch-tuesday\/52604\/\" target=\"_blank\" rel=\"noopener nofollow\">patch Tuesday<\/a> on November 12 was <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2024-49040\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2024-49040<\/a> in Exchange. Its exploitation allows an attacker to create emails that are displayed in the victim\u2019s interface with a completely legitimate sender address. It would seem that the vulnerability was fixed, but, as it turned out, on November 14, Microsoft temporarily suspended distribution of the updates for Exchange Server. In the meantime, we\u2019ve already observed attempts to exploit this vulnerability. So far the cases have been isolated: it looks like someone is testing the proof of concept. That\u2019s why we at Kaspersky\u2019s Content Filtering Methods Research Department have added to all our email security solutions a method for detection of attempts to use CVE-2024-49040 for spoofing.<\/p>\n<h2>What\u2019s the problem with the CVE-2024-49040 vulnerability?<\/h2>\n<p>CVE-2024-49040 is a vulnerability with a CVSS rating of 7.5 that\u2019s relevant for Exchange Server 2019 and Exchange Server 2016 and classified as \u201cimportant\u201d. Its essence lies in an incorrectly formulated P2 FROM header processing policy. 
An attacker can use it to have this header contain two email addresses: the real one \u2013 which is hidden from the victim, and the legitimate one \u2013 which is shown to the victim. As a result, Microsoft Exchange correctly checks the sender\u2019s address, but shows the recipient a completely different one that doesn\u2019t look suspicious to the user (for example, an internal address of an employee of the same company).<\/p>\n<p>With the November 12 patch, Microsoft added a new feature that detects P2 FROM headers that don\u2019t comply with the RFC 5322 internet message format standard, and that should have fixed the situation. However, according to a <a href=\"https:\/\/techcommunity.microsoft.com\/blog\/exchange\/released-november-2024-exchange-server-security-updates\/4293125\" target=\"_blank\" rel=\"nofollow noopener\">post on the Microsoft blog<\/a>, some users began to have problems with the Transport rules, which sometimes stopped working after installing the update. Therefore, distribution of the update was suspended and will be resumed after it\u2019s re-released.<\/p>\n<h2>How to stay safe<\/h2>\n<p>To prevent your company\u2019s employees from being misled by exploitation of CVE-2024-49040, we\u2019ve added a rule for detecting attempts to exploit it to all relevant solutions that are used to protect corporate mail. 
It works in <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Microsoft Exchange Server<\/a>, <a href=\"https:\/\/www.kaspersky.com\/small-to-medium-business-security\/mail-server?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____ksms___\" target=\"_blank\" rel=\"noopener nofollow\">Kaspersky Security for Linux Mail Server<\/a>, and <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security\/mail-security-appliance?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Secure Mail Gateway<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The patch that fixes CVE-2024-49040 in Microsoft Exchange is temporarily unavailable. 
We\u2019ve implemented heuristics that detect attempts to exploit it.<\/p>\n","protected":false},"author":2598,"featured_media":23589,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,1917],"tags":[19,2423,38,2618,2796],"class_list":{"0":"post-23588","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-enterprise","9":"category-smb","10":"tag-email","11":"tag-exchange","12":"tag-microsoft","13":"tag-spoofing","14":"tag-threat-research"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/cve-2024-49040-email-spoofing-protection\/23588\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/cve-2024-49040-email-spoofing-protection\/28337\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/cve-2024-49040-email-spoofing-protection\/28467\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/cve-2024-49040-email-spoofing-protection\/38650\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/cve-2024-49040-email-spoofing-protection\/52699\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/cve-2024-49040-email-spoofing-protection\/28588\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/cve-2024-49040-email-spoofing-protection\/34422\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/cve-2024-49040-email-spoofing-protection\/34046\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/email\/","name":"email"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable"
:true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2598"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23588"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23588\/revisions"}],"predecessor-version":[{"id":23590,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23588\/revisions\/23590"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23589"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}