emailUNDER ATTACK? helpme@cyber-arm.com

Top Categories

Spotlight

todayMarch 27, 2021

Data Protection CyberArm Team

avoid dlp Deployment drawbacks

How to ensure having an effective DLP implementation? Protecting digital assets and intellectual property (IP) is becoming increasingly challenging for organizations. Recent studies describe external hacking as the primary cause of data loss in the corporate world; however, organizations have few mechanisms to assess and report data losses through internal [...]

Top Voted
Sorry, there is nothing for the moment.

Interim mitigations if unable to patch Exchange Server 2013, 2016, and 2019

Vulnerability Mitigation CyberArm Team todayMarch 6, 2021 98 5

Background
share close

Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services

  • These mitigations have some known impact to functionality described below in detail.
  • These mitigations are effective against the attacks we have seen so far in the wild but are not guaranteed to be complete mitigations for all possible exploitation of these vulnerabilities.
  • This will not evict an adversary who has already compromised a server.
  • This should only be used as a temporary mitigation until Exchange servers can be fully patched.

IIS Re-Write rule – CVE-2021-26855

Description: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.

Note: The IIS Rewrite rules will be removed after Exchange is upgraded and the mitigation will need to be reapplied if the security patch has not been installed.

Impact: No known impact to Exchange functionality, however, limited testing has been performed.

Requirements:

Example Usage:

To apply with MSI install via PowerShell:

.\BackendCookieMitigation.ps1 -FullPathToMSI "FullLocalPathToMSI" -WebSiteNames "Default Web Site" -Verbose

PowerShell command to create IIS rewrite rule without installing the IIS rewrite module:

.\BackendCooieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose

To revert changes:

.\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose

Validation: Rewrite rules can be found in C:\inetpub\wwwroot\web.config or in the IIS UI of the “Default Web Site”:


Disable UM Services – CVE-2021-26857

Description: Disabling the UM Service will mitigate CVE-2021-26857.

Impact to Exchange: Unified Messaging/Voicemail outage when these services are disabled.

Via Exchange Management Shell:

Set-ServerComponentState -Component UMCallRouter -Identity "ComputerName" -Requester Maintenance -State Inactive
Stop-Service MSExchangeUM
Set-Service MSExchangeUM -StartupType Disabled
Stop-Service MSExchangeUMCR
Set-Service MSExchangeUMCR -StartupType Disabled

Validation:

Get-Service MSExchangeUM
Get-Service MSExchangeUMCR
Get-ServerComponentState -Identity "ComputerName"
 -Component UMCallRouter | fl

Rollback:

Set-ServerComponentState -Component UMCallRouter -Identity "ComputerName" -Requester Maintenance -State Active
Set-Service MSExchangeUM -StartupType Automatic
Start-Service MSExchangeUM
Set-Service MSExchangeUMCR -StartupType Automatic
Start-Service MSExchangeUMCR

Disable ECP Application Pool- CVE-2021-27065

Description: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).

Impact to Exchange: Exchange Control Panel will be offline and return a 503. All Exchange Administration can be done via Remote PowerShell while the Exchange Control Panel is disabled.

Via Exchange Management Shell:

Set-ServerComponentState -Component EcpProxy -Identity "ComputerName" -Requester Maintenance -State Inactive
Import-module WebAdministration
$AppPoolName = "MSExchangeECPAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item -Verbose
Stop-WebAppPool -Name $AppPoolName

Validation: Confirm the App Pool is stopped in IIS.

Get-WebAppPoolState -Name "MSExchangeECPAppPool"

Confirm Server Component State EcpProxy is Inactive:

Get-ServerComponentState -Component EcpProxy -Identity "ComputerName" | fl

Browse to https://127.0.0.1/ecp from the Exchange server:

Rollback:

Set-ServerComponentState -Component EcpProxy -Identity “ComputerName” -Requester Maintenance -State Active
Import-module WebAdministration
$AppPoolName = “MSExchangeECPAppPool”
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = “OnDemand”
$AppPool | Set-Item -Verbose
Start-WebAppPool -Name MSExchangeECPAppPool
Get-WebAppPoolState -Name “MSExchangeECPAppPool”
Get-ServerComponentState -Component EcpProxy -Identity “ComputerName” | fl

Disable OAB Application Pool – CVE-2021-26858

Description: Disabling OAB Application Pool will prevent CVE-2021-26858 from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to InActive.

Impact to Exchange: Calls to OAB will fail and return a 503 error. Downloads of the Offline Address Book by Outlook clients will fail which may result in stale address book results in some scenarios and configurations.

Via Exchange Management Shell:

Set-ServerComponentState -Component OabProxy -Identity "ComputerName" -Requester Maintenance -State Inactive
Import-module WebAdministration
$AppPoolName = "MSExchangeOABAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item -Verbose
Stop-WebAppPool -Name MSExchangeOABAppPool

Validation:

Confirm IIS App Pool is stopped:

Get-WebAppPoolState -Name "MSExchangeOABAppPool"

Confirm Server Component State OabProxy is Inactive:

Get-ServerComponentState -Component OabProxy  -Identity "ComputerName" | fl

Rollback:

Set-ServerComponentState -Component OabProxy -Identity "ComputerName" -Requester Maintenance -State Active
Import-module WebAdministration
$AppPoolName = "MSExchangeOABAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item –Verbose
Start-WebAppPool -Name MSExchangeOABAppPool
Get-WebAppPoolState -Name "MSExchangeOABAppPool"
Get-ServerComponentState -Component OabProxy -Identity "ComputerName"
 | fl

Nmap Script To Scan For CVE-2021-26855

Detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855). This can be used to validate patch and mitigation state of exposed servers.

Download from: CSS-Exchange/http-vuln-cve2021-26855.nse at main · microsoft/CSS-Exchange (github.com)

Installation on Windows:

Add to the following directory:
C:\Program Files (x86)\Nmap\scripts
Run the following to add the script to nmap:
nmap --script-updatedb

Example Usage:

Nmap -Pn -p T:443 --script http-vuln-cve2021-26855 IP

Written by: CyberArm Team

Rate it
Previous post