Blog Post

Exchange Team Blog
2 MIN READ

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

The_Exchange_Team's avatar
The_Exchange_Team
Platinum Contributor
Sep 30, 2022
Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Exchange 2013
exchange 2016
exchange 2019
security
Tuty_89's avatar
Tuty_89
Copper Contributor
Sep 30, 2022

 

Hello Everyone,

 

Based on all provided information so far, this is the correct way of setting the Rewrite Rule up, needs to be executed in an admin powershell:

 

 

import-module WebAdministration

#$site = 'iis:\sites\Default Web Site\Autodiscover'
## Update 2022.09.30. 2030 UTC (this is when I noticed :-)) the blogpost was updated again silently moving the mitigation to "top level" from just Autodiscover, so please use the below:
$site = 'iis:\sites\Default Web Site'
Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules" -name "." -value @{name = 'CVE-2022-41040'; patternSyntax = 'Regex'; stopProcessing = 'True' }
Set-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='CVE-2022-41040']/match" -name url -value ".*"
Add-WebConfigurationProperty -pspath $site -filter "system.webserver/rewrite/rules/rule[@name='CVE-2022-41040']/conditions" -name "." -value @{input = "{REQUEST_URI}"; matchType = "Pattern"; pattern = '.*autodiscover\.json.*\@.*Powershell.*'; ignoreCase = 'TRUE'; negate = 'FALSE' }
Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='CVE-2022-41040']/action" -name "type" -value "CustomResponse"
Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='CVE-2022-41040']/action" -name "statusCode" -value 403
Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='CVE-2022-41040']/action" -name "statusReason" -value "Forbidden: Access is denied."
Set-WebConfigurationProperty -pspath $site -filter "system.webServer/rewrite/rules/rule[@name='CVE-2022-41040']/action" -name "statusDescription" -value "You do not have permission to view this directory or page using the credentials that you supplied."

 

 

this way the block will work as expected, and also Autodiscover will continue to work. 

 

EDIT as of 2022.09.30. 20:33 UTC: The POST changed again, now adding the block on "top" level, not just for Autodiscover, code updated.