Microsoft releases enhanced mitigations for unpatched Exchange Server vulnerabilities

Microsoft on Friday disclosed it made further improvements to the proposed mitigation method as a way to prevent exploit attempts against recently revealed unpatched security vulnerabilities in Exchange Server.

To this end, the tech giant has revised the blocking rule in IIS Manager from “.*autodiscover.json.*Powershell.*” to “(?=.*autodiscover.json)(?=.*powershell)”.


The updated steps for adding the URL Rewrite rule are as follows:

  • Open IIS Manager
  • Select default website
  • In the features view, click URL Rewrite
  • In the Actions pane on the right side, click Add one or more rules…
  • Select Request blocking and click OK
  • Add the string “(?=.*autodiscover.json)(?=.*powershell)” (without quotes)
  • Select Regular Expression under Usage
  • Select Drop request under How to block, then click OK
  • Expand the rule and select the rule with the pattern: (?=.*autodiscover.json)(?=.*powershell) and click Edit under Conditions
  • Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}}, then click OK

Alternatively, users can achieve the desired protections by running a PowerShell-based Exchange on-premises mitigation tool (EOMTv2.ps1), which has also been updated to accommodate the aforementioned URL pattern.


The actively exploited problems, called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), have yet to be addressed by Microsoft, although with Patch Tuesday fast approaching, the wait might not be long.

Successful weaponization of the flaws could allow an authenticated attacker to chain together the two vulnerabilities to achieve remote code execution on the underlying server.

The tech giant acknowledged last week that the loopholes may have been exploited by a single state-sponsored threat actor since August 2022 in limited, targeted attacks against fewer than 10 organizations globally.
