0-day in Microsoft Exchange (yet another vulnerability)
According to cybersecurity researcher Kevin Beaumont, these 2 vulnerabilities were given the collective name ProxyNotShell because their format resembles ProxyShell, but exploiting ProxyNotShell requires authentication, which is why they cannot be fixed completely.
Microsoft stated that it is working hard on eliminating the flaws. The company has also published a security advisory and a URL Rewrite mitigation script which, according to Microsoft, breaks the current attack chains.
The actual solution looks like this:
October 8, 2022 updates:
a - If installed, confirm the following entry exists in "C:\inetpub\wwwroot\web.config". If this configuration is not present, your server is not mitigated. This may have occurred if the module was not successfully installed with a supported version for your system.
<system.webServer>
  <rewrite>
    <rules>
      <rule name="PowerShell - inbound" stopProcessing="true">
        <match url=".*" />
        <conditions>
          <add input="{UrlDecode:{REQUEST_URI}}" pattern="(?=.*autodiscover)(?=.*powershell)" />
        </conditions>
        <action type="AbortRequest" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
UPD:
November 8, 2022 update: the patch has been released; install the server updates.
[29-09-2022]: Microsoft published a blog post detailing mitigation and detection steps regarding the new vulnerabilities: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-i...
[03-10-2022]: After receiving information from Jang (@testanull), we noticed that the regex used in the Rewrite Rule could be bypassed. Exploit video PoC
GTSC team updated the new regex in the rule:
“.*autodiscover\.json.*Powershell.*”
GTSC thanks Jang for the support.
October 5, 2022 updates:
Further improvement has been made to the URL Rewrite rule mitigation. Customers should review and use one of these options:
- Option 1: The mitigation for EEMS rule has been updated and the updates will be applied automatically.
- Option 2: The mitigation for EOMTv2 has been updated.
- Option 3: The instructions and image in step 10 are updated for a Condition input change.
Added under Mitigations section that Exchange Server customers should complete both recommended mitigations.
Disable remote PowerShell access for non-admin users
We strongly recommend Exchange Server customers disable remote PowerShell access for non-admin users in your organization. Guidance on how to do this for single user or multiple users is available here.