Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021
Microsoft has released a set of out of band security updates for vulnerabilities for the following ver...
Updated Mar 19, 2021
Version 44.0
Blog Post
Similar here.
Source: MSExchange Front End HTTP Proxy
[Owa] An internal server error occurred. The unhandled exception was: System.ArgumentException: Invalid input value
Parameter name: input
at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
Source: ASP.NET 4.0.30319.0
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 3/8/2021 5:33:57 AM
Event time (UTC): 3/8/2021 1:33:57 PM
Event ID: 049c535e9be849829a634bccfc74e4ea
Event sequence: 5
Event occurrence: 4
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/1/ROOT/owa-1-132593003067932026
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\
Machine name: EXCH
Process information:
Process ID: 12956
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: ArgumentException
Exception message: Invalid input value
Parameter name: input
at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
Request information:
Request URL: https://public_ip:443/owa/auth/x.js
Request path: /owa/auth/x.js
User host address: 35.244.82.13
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\SYSTEM
Thread information:
Thread ID: 7
Thread account name: NT AUTHORITY\SYSTEM
Is impersonating: False
Stack trace: at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input)
at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox()
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0()
at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate, Func`2 filterDelegate, Action`1 catchDelegate)
at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method)
Custom event details:
Matching event in \Logging\HttpProxy\Owa HttpProxy_2021030813-1.LOG
2021-03-08T13:33:57.477Z,8b72ab0b-1b16-46cf-b84e-48d6cbfa7b45,15,1,2176,9,,Owa,public_ip,/owa/auth/x.js,,FBA,false,,,,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/88.0.4324.182 Safari/537.36 Edg/88.0.705.81,35.244.82.13,EXCH,302,,,GET,,,,,X-AnonResource-Backend-Cookie,,,,0,,,,0,,,0,,0,,0,0,,0,106,0,,,,,,,,,0,104,2,,106,,106,106,,,,BeginRequest=2021-03-08T13:33:57.371Z;CorrelationID=<empty>;ProxyState-Run=None;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2021-03-08T13:33:57.477Z;,UnexpectedException=System.ArgumentException: Invalid input value Parameter name: input at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input) at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate Func`2 filterDelegate Action`1 catchDelegate) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,,,,
and
2021-03-06T15:31:05.660Z,16a4dee4-37b2-430f-8df4-3bc228d55faf,15,1,2176,9,,Owa,mail.example.com,/owa/auth/x.js,,FBA,false,,,,Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html),104.225.219.16,EXCH,302,,,GET,,,,,X-AnonResource-Backend-Cookie,,,,0,,,,0,,,0,,0,,0,0,,0,156,0,,,,,,,,,1,138,18,,156,,156,156,,,,BeginRequest=2021-03-06T15:31:05.503Z;CorrelationID=<empty>;ProxyState-Run=None;ProxyState-Complete=CalculateBackEnd;SharedCacheGuard=0;EndRequest=2021-03-06T15:31:05.660Z;,UnexpectedException=System.ArgumentException: Invalid input value Parameter name: input at Microsoft.Exchange.Data.ApplicationLogic.Cafe.BackEndServer.FromString(String input) at Microsoft.Exchange.HttpProxy.OwaResourceProxyRequestHandler.ResolveAnchorMailbox() at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.InternalBeginCalculateTargetBackEnd(AnchorMailbox& anchorMailbox) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.<BeginCalculateTargetBackEnd>b__280_0() at Microsoft.Exchange.Common.IL.ILUtil.DoTryFilterCatch(Action tryDelegate Func`2 filterDelegate Action`1 catchDelegate) at Microsoft.Exchange.HttpProxy.ProxyRequestHandler.CallThreadEntranceMethod(Action method);,,,,,
Is this some kind of new exploit?