Good grief, from Marco... and J_T...; per GTSC, the RegEx pattern has changed to:
.*autodiscover\.json.*Powershell.*
Via "Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server" | Blog | GTSC - Providing comprehensive security services (gteltsc.vn)
and GTSC seems to have the receipts: "Microsoft Exchange mitigations bypass CVE-2022-41040, CVE-2022-41082" - YouTube.
Regardless, again, due to the nature of Regular Expressions, the new pattern will widen the scope of protection since it will also match everything the old pattern (.*autodiscover\.json.*\@.*Powershell.*) matched.
I have personally updated my environment.
To those asking about testing:
The mitigation instructions are designed simply to return an HTTP error 403 (Forbidden) result when the URL Rewrite pattern is matched.
Therefore, if you see ANYTHING other than HTTP ERROR 403 when you browse to https://yourexchangeurl/autodiscover.json@notreallyevilpowershell (or even https://yourexchangeurl/autodiscover.jsonatnotneededevilpowershell now...) then your filters are not set up properly.
- HTTP 403 (Forbidden) = GOOD
- ANYTHING ELSE = BAD
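
An added example, not part of the original post: it runs the old and new patterns quoted above over a few request paths to show the new rule matches everything the old one did, and applies the 403 test rule to a status code. The sample paths other than the two test URLs from the post are constructed, and case-insensitive matching (the `i` flag) is an assumption about how the URL Rewrite rule is configured.

```javascript
// Patterns copied from the post. The "i" flag is an assumption (rule set to ignore case).
const OLD_PATTERN = /.*autodiscover\.json.*\@.*Powershell.*/i;
const NEW_PATTERN = /.*autodiscover\.json.*Powershell.*/i;

// Constructed sample paths; the first two are the test URLs given in the post.
const SAMPLE_PATHS = [
  "/autodiscover.json@notreallyevilpowershell",
  "/autodiscover.jsonatnotneededevilpowershell",
  "/AutoDiscover.JSON@example/PowerShell",
  "/autodiscover/autodiscover.json?Email=user@example.com&Protocol=ActiveSync",
  "/owa/",
];

// Report which rule would block (match) a given request path.
function evaluate(path) {
  return {
    path,
    oldRule: OLD_PATTERN.test(path),
    newRule: NEW_PATTERN.test(path),
  };
}

// True when every path blocked by the old rule is also blocked by the new one.
function newCoversOld(paths) {
  return paths.map(evaluate).every((r) => !r.oldRule || r.newRule);
}

// Paths only the new rule blocks: the coverage the pattern change adds.
function onlyNewRule(paths) {
  return paths.map(evaluate).filter((r) => r.newRule && !r.oldRule).map((r) => r.path);
}

// The post's test rule: HTTP 403 is the only acceptable result for a test URL.
function verdict(statusCode) {
  return statusCode === 403 ? "GOOD" : "BAD";
}

for (const r of SAMPLE_PATHS.map(evaluate)) {
  console.log(`${r.oldRule ? "old:block" : "old:pass "}  ${r.newRule ? "new:block" : "new:pass "}  ${r.path}`);
}
console.log("new covers old:", newCoversOld(SAMPLE_PATHS));
console.log("blocked only by new rule:", onlyNewRule(SAMPLE_PATHS));
console.log("status 403 ->", verdict(403), "| status 200 ->", verdict(200));
```

The ordinary Autodiscover request in the samples contains an `@` but no "Powershell", so neither rule blocks it.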