Microsoft, it's been tough keeping up, but I realize the situation is very fluid. Some of us still have shell shock from Hafnium/ProxyShell/March'21 and a more detailed change log might help.
I too see that the "How to block" action has been changed to "Abort Request." In which case, my prior post regarding testing the mitigation is now deprecated and obsolete, following Microsoft's guidance.
To those asking about testing:
The mitigation instructions are designed simply to return an HTTP error 403 (Forbidden) result when the URL Rewrite pattern is matched.
Therefore, if you see ANYTHING other than HTTP ERROR 403 when you browse to https://yourexchangeurl/autodiscover.json@notreallyevilpowershell (or even https://yourexchangeurl/autodiscover.jsonatnotneededevilpowershell now...) then your filters are not set up properly.
- HTTP 403 (Forbidden) = GOOD
- ANYTHING ELSE = BAD
With "Abort Request" instead of "Send an HTTP 403 (Forbidden) Response," I revise my how-to-test as follows:
To those asking about testing:
The mitigation instructions are designed simply to drop the connection when the URL Rewrite pattern is matched.
Therefore, if you see ANYTHING... when you browse to https://yourexchangeurl/autodiscover.json@notreallyevilpowershell (or even https://yourexchangeurl/autodiscover.jsonatnotneededevilpowershell now...) then your filters are not set up properly.
- Unresponsive web page/"ERR_CONNECTION_RESET"/"PR_CONNECT_RESET_ERROR"/"The connection was reset."/etc = GOOD
- ANYTHING ELSE = BAD
Thank you.
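
The browser check described in the comment above, scripted as an added example (not part of the comment and not Microsoft's code). It sends the two probe paths quoted there and reports GOOD or BAD for either rule action. The `probe` function, its `action` and `verify_tls` parameters, and the extra `UNREACHABLE` verdict for a server that cannot be reached at all are assumptions of this sketch.

```python
import http.client
import ssl
import sys
from urllib.parse import urlsplit

# Probe paths quoted in the comment above; they only need to match the rule.
PROBE_PATHS = ("/autodiscover.json@notreallyevilpowershell",
               "/autodiscover.jsonatnotneededevilpowershell")

def probe(base_url, path, action="abort", timeout=10, verify_tls=True):
    """Send one GET and return (verdict, detail).

    action="abort": GOOD only if the connection is dropped with no HTTP reply.
    action="403":   GOOD only if the reply status is 403 (the earlier guidance).
    """
    parts = urlsplit(base_url)
    if parts.scheme == "https":
        ctx = ssl.create_default_context()
        if not verify_tls:  # assumption: lab server with a self-signed cert
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(parts.hostname, parts.port,
                                           timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.connect()  # TCP (and TLS) setup; failing here says nothing about the rule
    except OSError as exc:
        return "UNREACHABLE", f"could not connect: {exc}"
    try:
        conn.request("GET", path)
        status = conn.getresponse().status
    except (OSError, http.client.HTTPException) as exc:
        # Reset, early close or timeout after the request was sent: no HTTP reply.
        verdict = "GOOD" if action == "abort" else "BAD"
        return verdict, f"no HTTP response ({type(exc).__name__})"
    finally:
        conn.close()
    verdict = "GOOD" if (action == "403" and status == 403) else "BAD"
    return verdict, f"HTTP {status}"

if __name__ == "__main__":
    # Usage: python probe.py https://yourexchangeurl [abort|403]
    base = sys.argv[1]
    action = sys.argv[2] if len(sys.argv) > 2 else "abort"
    for p in PROBE_PATHS:
        print(p, *probe(base, p, action))
```

Run it from a machine that reaches the server the same way outside clients do, so that a proxy or load balancer in front of Exchange is included in the check.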