CyberArm partners with Neustar Security Services to offer best-in-class DNS, application, and network security CyberArm and Neustar Security Services are pleased to announce our entrance into a strategic partnership, combining CyberARM’s industry leading Managed Security & Consulting Services with Neustar Security’s cloud-delivered security services to enable businesses to thrive online. [...]
Implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services
Description: This mitigation will filter https requests that contain malicious X-AnonResource-Backend and malformed X-BEResource cookies which were found to be used in the SSRF attacks in the wild. This will help with defense against the known patterns observed but not the SSRF as a whole.
Note: The IIS Rewrite rules will be removed after Exchange is upgraded and the mitigation will need to be reapplied if the security patch has not been installed.
Impact: No known impact to Exchange functionality, however, limited testing has been performed.
Requirements:
Example Usage:
To apply with MSI install via PowerShell:
.\BackendCookieMitigation.ps1 -FullPathToMSI "FullLocalPathToMSI" -WebSiteNames "Default Web Site" -Verbose
PowerShell command to create IIS rewrite rule without installing the IIS rewrite module:
.\BackendCooieMitigation.ps1 -WebSiteNames "Default Web Site" -Verbose
To revert changes:
.\BackendCookieMitigation.ps1 -WebSiteNames "Default Web Site" -RollbackMitigation -Verbose
Validation: Rewrite rules can be found in C:\inetpub\wwwroot\web.config or in the IIS UI of the “Default Web Site”:
Description: Disabling the UM Service will mitigate CVE-2021-26857.
Impact to Exchange: Unified Messaging/Voicemail outage when these services are disabled.
Via Exchange Management Shell:
Set-ServerComponentState -Component UMCallRouter -Identity "ComputerName" -Requester Maintenance -State Inactive
Stop-Service MSExchangeUM
Set-Service MSExchangeUM -StartupType Disabled
Stop-Service MSExchangeUMCR
Set-Service MSExchangeUMCR -StartupType Disabled
Validation:
Get-Service MSExchangeUM
Get-Service MSExchangeUMCR
Get-ServerComponentState -Identity "ComputerName"-Component UMCallRouter | fl
Rollback:
Set-ServerComponentState -Component UMCallRouter -Identity "ComputerName" -Requester Maintenance -State Active
Set-Service MSExchangeUM -StartupType Automatic
Start-Service MSExchangeUM
Set-Service MSExchangeUMCR -StartupType Automatic
Start-Service MSExchangeUMCR
Description: Disabling ECP Virtual Directory will prevent CVE-2021-27065 from executing successfully as the API will no longer respond and return a 503 when calling the Exchange Control Panel (ECP).
Impact to Exchange: Exchange Control Panel will be offline and return a 503. All Exchange Administration can be done via Remote PowerShell while the Exchange Control Panel is disabled.
Via Exchange Management Shell:
Set-ServerComponentState -Component EcpProxy -Identity "ComputerName" -Requester Maintenance -State Inactive
Import-module WebAdministration
$AppPoolName = "MSExchangeECPAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item -Verbose
Stop-WebAppPool -Name $AppPoolName
Validation: Confirm the App Pool is stopped in IIS.
Get-WebAppPoolState -Name "MSExchangeECPAppPool"
Confirm Server Component State EcpProxy is Inactive:
Get-ServerComponentState -Component EcpProxy -Identity "ComputerName" | fl
Browse to https://127.0.0.1/ecp from the Exchange server:
Rollback:
Set-ServerComponentState -Component EcpProxy -Identity “ComputerName” -Requester Maintenance -State Active
Import-module WebAdministration
$AppPoolName = “MSExchangeECPAppPool”
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = “OnDemand”
$AppPool | Set-Item -Verbose
Start-WebAppPool -Name MSExchangeECPAppPool
Get-WebAppPoolState -Name “MSExchangeECPAppPool”
Get-ServerComponentState -Component EcpProxy -Identity “ComputerName” | fl
Description: Disabling OAB Application Pool will prevent CVE-2021-26858 from executing successfully as the API will no longer respond and return a 503 when calling OAB, which will mitigate the Arbitrary Write exploit that occurs with OAB. After stopping the WebApp Pool you will also need to set the OabProxy Server Component state to InActive.
Impact to Exchange: Calls to OAB will fail and return a 503 error. Downloads of the Offline Address Book by Outlook clients will fail which may result in stale address book results in some scenarios and configurations.
Via Exchange Management Shell:
Set-ServerComponentState -Component OabProxy -Identity "ComputerName" -Requester Maintenance -State Inactive
Import-module WebAdministration
$AppPoolName = "MSExchangeOABAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item -Verbose
Stop-WebAppPool -Name MSExchangeOABAppPool
Validation:
Confirm IIS App Pool is stopped:
Get-WebAppPoolState -Name "MSExchangeOABAppPool"
Confirm Server Component State OabProxy is Inactive:
Get-ServerComponentState -Component OabProxy -Identity "ComputerName" | fl
Rollback:
Set-ServerComponentState -Component OabProxy -Identity "ComputerName" -Requester Maintenance -State Active
Import-module WebAdministration
$AppPoolName = "MSExchangeOABAppPool"
$AppPool = Get-Item IIS:\AppPools\$AppPoolName
$AppPool.startMode = "OnDemand"
$AppPool | Set-Item –Verbose
Start-WebAppPool -Name MSExchangeOABAppPool
Get-WebAppPoolState -Name "MSExchangeOABAppPool"
Get-ServerComponentState -Component OabProxy -Identity "ComputerName"| fl
Detects whether the specified URL is vulnerable to the Exchange Server SSRF Vulnerability (CVE-2021-26855). This can be used to validate patch and mitigation state of exposed servers.
Download from: CSS-Exchange/http-vuln-cve2021-26855.nse at main · microsoft/CSS-Exchange (github.com)
Installation on Windows:
Add to the following directory:C:\Program Files (x86)\Nmap\scripts
Run the following to add the script to nmap:nmap --script-updatedb
Example Usage:
Nmap -Pn -p T:443 --script http-vuln-cve2021-26855 IP
Note: This Alert was updated by our security researchers on March 4, 2021 to provide further guidance. CyberARM has observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation ...
