Microsoft on Friday disclosed[1] it has made more improvements to the mitigation method[2] offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in Exchange Server.

To that end, the tech giant has revised the blocking rule in IIS Manager from “.*autodiscover\.json.*Powershell.*” to “(?=.*autodiscover\.json)(?=.*powershell)”.

The list of updated steps to add the URL Rewrite rule is below:

- Open IIS Manager
- Select Default Web Site
- In the Feature View, click URL Rewrite
- In the Actions pane on the right-hand side, click Add Rule(s)…
- Select Request Blocking and click OK
- Add the string “(?=.*autodiscover\.json)(?=.*powershell)” (excluding quotes)
- Select Regular Expression under Using
- Select Abort Request under How to block and then click OK
- Expand the rule and select the rule with the pattern: (?=.*autodiscover\.json)(?=.*powershell) and click Edit under Conditions
- Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK

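
Administrators who apply the rule can check offline which request strings each version of the pattern matches. The JavaScript below is an added example, not code from Microsoft or the original article: it assumes case-insensitive ECMAScript regex matching, approximates {UrlDecode:...} with decodeURIComponent, evaluates the old pattern against undecoded input for contrast, and uses constructed sample URIs.

```javascript
// Added example: behaviour of the old and revised blocking patterns.
// Assumptions (not from the article): case-insensitive ECMAScript matching,
// and {UrlDecode:...} approximated by decodeURIComponent.
const OLD_PATTERN = /.*autodiscover\.json.*Powershell.*/i;
const NEW_PATTERN = /(?=.*autodiscover\.json)(?=.*powershell)/i;

// Approximates {UrlDecode:{REQUEST_URI}}; malformed escapes are left as-is.
function urlDecode(requestUri) {
  try {
    return decodeURIComponent(requestUri);
  } catch (err) {
    return requestUri;
  }
}

// True when a Request Blocking rule with this pattern would abort the request.
function ruleBlocks(pattern, requestUri, decodeFirst) {
  const input = decodeFirst ? urlDecode(requestUri) : requestUri;
  return pattern.test(input);
}

// Constructed request URIs for checking the rule; none come from real traffic.
const SAMPLES = {
  bothTokens: "/autodiscover/autodiscover.json?x=powershell",
  reversedOrder: "/powershell?x=autodiscover.json",
  percentEncoded: "/autodiscover/autodiscover.json?x=power%73hell",
  autodiscoverOnly: "/autodiscover/autodiscover.json?Email=user@example.com",
  unrelated: "/owa/auth/logon.aspx",
};

// Evaluates every sample against the old rule (raw input) and the revised
// rule (decoded input) and returns one row per sample.
function compareRules(samples) {
  return Object.entries(samples).map(([name, uri]) => ({
    name,
    oldRuleBlocks: ruleBlocks(OLD_PATTERN, uri, false),
    newRuleBlocks: ruleBlocks(NEW_PATTERN, uri, true),
  }));
}

console.table(compareRules(SAMPLES));
```

The revised rule matches when both tokens appear in any order and after percent-decoding, while requests containing only one of the tokens are left alone.
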
Alternatively, users can achieve the desired protections by executing a PowerShell-based Exchange On-premises Mitigation Tool (EOMTv2.ps1[3]), which has also been updated to take into account the aforementioned URL pattern.

The actively exploited issues[4], called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), are yet to be addressed by Microsoft, although with Patch Tuesday right around the corner, the wait may not be for long.

Successful weaponization of the flaws could enable an authenticated attacker to chain the two vulnerabilities to achieve remote code execution on the underlying server.

The tech giant, last week, acknowledged[5] that the shortcomings may have been abused by a single state-sponsored threat actor since August 2022 in limited targeted attacks aimed at fewer than 10 organizations worldwide.

References
- [1] disclosed (msrc-blog.microsoft.com)
- [2] mitigation method (thehackernews.com)
- [3] EOMTv2.ps1 (microsoft.github.io)
- [4] actively-exploited issues (viz.greynoise.io)
- [5] acknowledged (thehackernews.com)

Read more https://thehackernews.com/2022/10/microsoft-issues-improved-mitigations.html
