What is the Message of Rackspace’s Decision Not to Patch Exchange?
Well, the first answer is that it is not going to help Rackspace defend itself against the lawsuits that it is facing for the ransomware attack.
Rackspace now admits that it decided to hold off installing a patch for a server-side request forgery vulnerability in Exchange (CVE-2022-41080) that Microsoft patched the month before the attack.
That bug, when chained with a previously disclosed remote code execution bug in Exchange, gives attackers a way in to take over the servers, which they did in early December.
Up until now Rackspace has claimed that the attack was a new zero-day – a new bug. Apparently not.
Rackspace was concerned that the patch could cause an outage. It certainly did, just not in the way they were thinking.
Instead, they applied a mitigation, but, as is often the case, the mitigation didn’t really mitigate anything and the hackers were able to work around it.
This is probably why they are calling it a new zero-day. The combination of two old, existing bugs, when chained together, created a new attack vector, but both of the bugs were, apparently, known and patched.
A study last year by security vendor Edgescan found that 57% of observed vulnerabilities were more than two years old and 17% were more than five years old.
Combine this with the shrinking window between patch release and hacker exploitation and you have a bit of a disaster.
If you are not doing at least monthly internal and external vulnerability scans – and then closing those holes – you should be.
If you need a vendor to do those for you, please contact us.
Credit: Dark Reading