MICROSOFT on Friday disclosed it has made more improvements to the mitigation method offered as a means to prevent exploitation attempts against the newly disclosed unpatched security flaws in MICROSOFT EXCHANGE SERVER.
To that end, the tech giant has revised the blocking rule in IIS Manager from ".autodiscover.json.Powershell." to "(?=.autodiscover.json)(?=.*powershell)."
The list of updated steps to add the URL Rewrite rule is below -
Open IIS Manager
Select Default Web Site
In the Feature View, click URL Rewrite
In the Actions pane on the right-hand side, click Add Rule(s)… Select Request Blocking and click OK
Add the string "(?=.autodiscover.json)(?=.powershell)" (excluding quotes)
Select Regular Expression under Using
Select Abort Request under How to block and then click OK
Expand the rule and select the rule with the pattern: (?=.autodiscover.json)(?=.powershell) and click Edit under Conditions Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK
Alternatively, users can achieve the desired protections by executing a PowerShell-based Exchange On-premises Mitigation Tool (EOMTv2.ps1), which has also been updated to take into account the aforementioned URL pattern.
The actively-exploited issues, called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), are yet to be addressed by Microsoft, although with Patch Tuesday right around the corner, the wait may not be for long.
Successful weaponization of the flaws could enable an authenticated attacker to chain the two vulnerabilities to achieve remote code execution on the underlying server.
FOR MORE TIPS AND GUIDANCE