Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
This is the current reply from https://officeclient.microsoft.com/getexchangemitigations
Looks quiet devastating because it is neither limited to /Autodiscover/ nor does it mention RegEx Syntax and it also hasn't been updated with the new pattern without the "@".
<?xml version="1.0" encoding="utf-8"?>
<EOCS version="1.0.6">
<Config id="M1" desc="Mitigation M1">
<Roles>
<Role>Mailbox</Role>
</Roles>
<ActionList>
<Action type="UrlRewrite" id="1" scope="Server" desc="Mitigation of CVE-2022-41040 via a URL Rewrite configuration.">
<Value>
<![CDATA[ <RewriteConfiguration> <type>Web</type> <path>IIS:/sites/Default Web Site</path> <section>system.webServer/rewrite/rules</section> <rules> <rule name="EEMS M1.1 PowerShell - inbound" stopProcessing="true"> <match url=".*" /> <conditions> <add input="{REQUEST_URI}" pattern=".*autodiscover\.json.*\@.*Powershell.*" /> </conditions> <action type="AbortRequest" /> </rule> </rules> </RewriteConfiguration> ]]>
</Value>
</Action>
</ActionList>
</Config>
...
<Signature ...</Signature></EOCS>