OWA Attachments after CVE

Version: Exchange 2019 CU11
Build Number: 15.02.0986.022

 

Hello All,

 

After installing CU11 around two weeks ago, I ran the HealthChecker script and discovered there were some unpatched CVEs that I needed to manually install/configure. One of them was related to creating/configuring a unique URL for attachment handling. I'm having trouble finding the Microsoft article I used to make those configuration changes to link here, so I'm hoping someone will know what I'm talking about and be able to help me out.

What Broke It:

The basics were to create a new CNAME in your DNS for "download.<domain>.com" and then run a command to configure the URL to be used by Exchange. Obviously I did something wrong or I missed something, as I'm unable to view or download attachments from OWA at all now.

 

Symptoms and Behavior:

I am able to download attachments via Outlook without issue. I am able to see that there is an attachment in OWA and it displays accurately (meaning I'm able to tell name, file type, etc.), but neither preview nor "Save As" works. When single-clicking the attachment in OWA it tries to preview, which just opens an empty field to the left, but when I click "Download", I'm redirected to

https://download.<scrubbed>.com/owa/<Email address removed>/service.svc/s/GetFileAttachment?id=AAMkADllZjNhOGY5LTAwZmItNDExOS1hOTM5LTI4ZTBiOWQwZTBiNQBGAAAAAAApfftq7ny4R5DLFHM9RryKBwCyrzpAtRprQpofwfuKuXj8AAAAAAEMAACyrzpAtRprQpofwfuKuXj8AAEui%2BpQAAABEgAQAE4XUSUzR1VDs0QOKUbFlAk%3D&X-OWA-CANARY=Bo5169ua0ESvDNpAL2u3BhDu8h3VAtoIY1E_orjk_pjk0uRXz9fQ0eSFa9NwuMuGMIhZEn8Orp4.&token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Inc3RldnUW5zZngyYW9pMllDZ0UyNGZZc3dqSSJ9.eyJ2ZXIiOiJFeGNoYW5nZS5DYWxsYmFjay5WMSIsImFwcGN0eHNlbmRlciI6Ik93YURvd25sb2FkQHplZXNlcnZlci5jb20iLCJhcHBjdHgiOiJ7XCJtc2V4Y2hwcm90XCI6XCJvd2FcIixcInByaW1hcnlzaWRcIjpcIlMtMS01LTIxLTIyNTU3NTAyMjgtMTM2MjcwNDc1Ny00MjkyNzk5NzM5LTE2MDhcIixcInB1aWRcIjpudWxsLFwib2lkXCI6XCJcIixcInNjb3BlXCI6XCJPd2FEb3dubG9hZFwifSIsImlzcyI6IjAwMDAwMDAyLTAwMDAtMGZmMS1jZTAwLTAwMDAwMDAwMDAwMEB6ZWVzZXJ2ZXIuY29tIiwiYXVkIjoiMDAwMDAwMDItMDAwMC0wZmYxLWNlMDAtMDAwMDAwMDAwMDAwL2Rvd25sb2FkLnplZXNlcnZlci5jb21AemVlc2VydmVyLmNvbSIsImV4cCI6MTY0Njk0NDk1NywibmJmIjoxNjQ2OTQ0MzU3fQ.X3xFuUexPl_W0Zl0-6NJ_rH7eANbbFmFYtvev_6q1bZIq-zaKZkjUUnT4qpVO9ydqYb-djkVpEowtpW2s81XdxJCoaX0Vnk-QqvlaZ5WKdcYgQbCnFoDcLiffG73T1nIesrljgSSVH3yomkuyCBkVQAJHlTL__HROLPQReeMlKDqskA6jlQQuTUrtsOpqSDV7m1LFebDjKmTuoS1R1WHn0a9usKMZqYQgLIKSZzX0sD0GA0re4EgNv-HMr1AMqdzTh8Sos2ZYijIooxu96ofeqd2yIiyVVnPUpAxizbVOby34vLdVKTU4bX0StlNZyWgOms_ShZDVXVFhfnR8GkwFw&owa=mail.<scrubbed>.com&isDocumentPreview=False

which displays

Not Found

HTTP Error 404. The requested resource is not found.

 

Does anyone happen to know any potential solutions or even know which vulnerability I'm talking about so I can try to reverse what I've done? I documented literally every other change I made that night but of course neglected the one that ended up mattering. Thanks in advance!

 

1 Reply

@CTechCamen 

 

Hello! It has just been reported to me that we have the same issue in one of our managed environments. We run multiple Exchange environments. One of these is experiencing the same issue. On the Exchange Team Blog I wrote a reply that we have not had any issues; I had to update it with this one.

 

We configured Download Domains way back, and it all worked fine. Somehow, just after the March patch, attachments are not working anymore, both embedded images and attachments like zip files. They result in the error shown below. This issue is now just in one of our environments, not all.

 

I am still investigating. The issue is weird, because we run other environments, exact same setup, OS, patch level, load balancer, etc. Though I don't think Download Domains is the issue here, looks like something is broken in OWA on this environment. Will do basic tests first and if necessary recreate the OWA virtual directory. Issue doesn't look server specific btw.

 

The event log doesn't throw any error or anything. Usually this shows something about page errors, etc.

 

I will update you here on our findings, but please continue your own research as well.

 

Update as of now:

I have deconfigured the CVE-1730 mitigation (Download Domain Config) in one of our organizations having the issue. We have only disabled the Download Domains setting at org level, then restarted IIS on each server. It now works again.

 

1 > Disable Download Domains on Organization Level
PS> Set-OrganizationConfig -EnableDownloadDomains $false

 

Optional:

2 > Set the server configurations back to default (Run this against every Exchange Server in your org)

PS> Set-OwaVirtualDirectory -Identity "owa (default Web site)" -ExternalDownloadHostName $null

PS> Set-OwaVirtualDirectory -Identity "owa (default Web site)" -InternalDownloadHostName $null

 

Verify with:

Get-OwaVirtualDirectory -Server <ServerName> | fl *downloadhostname*

Get-OrganizationConfig | fl *download*

 

3 > Restart IIS / Reboot Server (Maybe first disable the server in the load balancer the decent way, depending on your config).

 

Next

We will work on this issue later on. We set the risk of this CVE to low in our organization as we follow the exploitation indicator for this specific one. We leave it enabled on all other organizations.
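
A consistency check over the settings that the commands in this thread change, as an added example that is not part of either post and is not Microsoft's script. Test-DownloadDomainConfig is a hypothetical helper name and the example.com values are constructed; the rule that all servers should share one download host name is an assumption for load-balanced setups.

```powershell
# Added example, not from the thread. Test-DownloadDomainConfig is a hypothetical name.
function Test-DownloadDomainConfig {
    param(
        [Parameter(Mandatory)] [bool]     $EnableDownloadDomains,
        [Parameter(Mandatory)] [object[]] $OwaVirtualDirectory
    )
    foreach ($scope in 'External', 'Internal') {
        $names = @()
        foreach ($vdir in $OwaVirtualDirectory) {
            $dl  = [string]$vdir."${scope}DownloadHostName"
            $url = [string]$vdir."${scope}Url"
            $owaHost = if ($url) { ([uri]$url).Host } else { '' }
            $issue = if ($EnableDownloadDomains -and -not $dl) {
                'enabled at org level, but no download host name on this server'
            } elseif ($dl -and $dl -eq $owaHost) {
                'download host name is not unique: it equals the OWA host name'
            } elseif ($dl -and -not $EnableDownloadDomains) {
                'leftover download host name (org-level setting is disabled)'
            }
            if ($dl) { $names += $dl.ToLower() }
            if ($issue) {
                [pscustomobject]@{ Server = $vdir.Server; Scope = $scope; Issue = $issue }
            }
        }
        if (@($names | Select-Object -Unique).Count -gt 1) {
            [pscustomobject]@{ Server = '(all)'; Scope = $scope
                               Issue = 'servers disagree on the download host name' }
        }
    }
}

# Constructed sample input (example.com names are placeholders).
$sample = @(
    [pscustomobject]@{ Server = 'EX01'; ExternalUrl = 'https://mail.example.com/owa'
        InternalUrl = 'https://mail.example.com/owa'
        ExternalDownloadHostName = 'download.example.com'
        InternalDownloadHostName = 'download.example.com' }
    [pscustomobject]@{ Server = 'EX02'; ExternalUrl = 'https://mail.example.com/owa'
        InternalUrl = 'https://mail.example.com/owa'
        ExternalDownloadHostName = 'mail.example.com'
        InternalDownloadHostName = $null }
)
Test-DownloadDomainConfig -EnableDownloadDomains $true -OwaVirtualDirectory $sample

# On an Exchange server, pass the real objects instead of $sample:
# Test-DownloadDomainConfig -EnableDownloadDomains (Get-OrganizationConfig).EnableDownloadDomains `
#     -OwaVirtualDirectory (Get-OwaVirtualDirectory)
```

An empty result means the org-level switch and every server's OWA virtual directory agree; after step 1 of the rollback alone, each server still shows a "leftover" row until step 2 is run.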