AllanC4,
The current (10.13.2022) URL Rewrite mitigation:
1. For each request against the Exchange Web Front End, search for
(?=.*autodiscover)(?=.*powershell)
in the decoded request URI (which is basically the URL).
2. If found, drop the connection ("Abort Request").
Short Translation:
If the words "powershell" and "autodiscover" (without quotes) both appear in the same request (URI/URL), drop the connection.
Long Translation:
(?={pattern})
indicates to the RegEx parser to assert/expect the {pattern} to appear in the search string for a match.
When {pattern} equals:
.*autodiscover
this indicates the parser should look for:
. -> any character
* -> zero or more of them
autodiscover -> the literal string "autodiscover" (without quotes)
Which will match:
autodiscover
any number of characters autodiscover
blah blah blah autodiscover
Additionally and similarly, when {pattern} equals:
.*powershell
this indicates the parser should look for:
. -> any character
* -> zero or more of them
powershell -> the literal string "powershell" (without quotes)
Which will match:
powershell
any number of characters powershell
blah blah blah powershell
Therefore, since there are two ?= assertions, the expectation is that both must be satisfied for a match.
So:
(?=.*autodiscover)(?=.*powershell)
Will match:
autodiscoverpowershell
powershellautodiscover
lorem ipsum autodiscover blah blah blah powershell
lorem ipsum powershell blah blah blah autodiscover
lorem ipsum autodiscover blah blah blah powershell and any trailing characters
lorem ipsum powershell blah blah blah autodiscover and any trailing characters
https://{your exchange URL}/autodiscover/autodiscover.json?@evil.com/powershell/malicious
https://{your exchange URL}/malicious/powershell/autodiscover.json?@evil.com
But NOT:
autodiscover
powershell
lorem ipsum autodiscover and any trailing characters
lorem ipsum powershell and any trailing characters
https://{your exchange URL}/autodiscover/autodiscover.json?@evil.com/notmalicious
https://{your exchange URL}/notmalicious/powershell/helloworld.json?@evil.com
Thank you.