Microsoft on Friday disclosed that it has made further improvements to the mitigations it provides to prevent exploitation attempts against the newly disclosed, unpatched security flaws in Exchange Server.
To that end, the tech giant changed the blocking rule in IIS Manager from “.*autodiscover\.json.*Powershell.*” to “(?=.*autodiscover\.json)(?=.*powershell)”.
Below is a list of updated instructions for adding URL rewrite rules.
- Open IIS Manager
- Select Default Web Site
- In Feature View, click [URL Rewrite].
- In the [Actions] pane on the right, click [Add Rule(s)…].
- Select [Request Blocking] and click [OK].
- Add the string “(?=.*autodiscover\.json)(?=.*powershell)” (without the quotes).
- Under [Using], select [Regular Expression].
- Under [How to block], select [Abort Request], then click [OK].
- Expand Rules, select the rule with the pattern (?=.*autodiscover\.json)(?=.*powershell), and click [Edit] under [Conditions].
- Change the condition input from {URL} to {UrlDecode:{REQUEST_URI}} and click [OK].
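A check for the end state of the steps above, added here as an example and not taken from Microsoft's guidance or tooling: it parses a web.config and reports any autodiscover-related rewrite rule that is disabled, does not abort the request, or still carries the earlier pattern or condition input. The web.config layout and the rule names BlockOld and BlockNew are assumptions constructed for the sample.

```python
import xml.etree.ElementTree as ET

# Pattern and condition input from the updated guidance on this page.
EXPECTED_PATTERN = r"(?=.*autodiscover\.json)(?=.*powershell)"
EXPECTED_INPUT = "{UrlDecode:{REQUEST_URI}}"

# Constructed web.config fragment (assumed layout): old-form rule, then updated rule.
SAMPLE_CONFIG = r"""
<configuration><system.webServer><rewrite><rules>
  <rule name="BlockOld" stopProcessing="true">
    <match url=".*" />
    <conditions>
      <add input="{URL}" pattern=".*autodiscover\.json.*Powershell.*" />
    </conditions>
    <action type="AbortRequest" />
  </rule>
  <rule name="BlockNew" stopProcessing="true">
    <match url=".*" />
    <conditions>
      <add input="{UrlDecode:{REQUEST_URI}}" pattern="(?=.*autodiscover\.json)(?=.*powershell)" />
    </conditions>
    <action type="AbortRequest" />
  </rule>
</rules></rewrite></system.webServer></configuration>
"""

def audit_rules(config_xml):
    """Map each autodiscover-related rule name to a list of findings ([] = matches guidance)."""
    report = {}
    for rule in ET.fromstring(config_xml).iter("rule"):
        conds = [c for c in rule.findall("conditions/add")
                 if "autodiscover" in c.get("pattern", "").lower()]
        if not conds:
            continue  # unrelated rewrite rule, not part of this mitigation
        findings = []
        if rule.get("enabled", "true").lower() == "false":
            findings.append("rule is disabled")
        action = rule.find("action")
        if action is None or action.get("type") != "AbortRequest":
            findings.append("action is not AbortRequest")
        for cond in conds:
            if cond.get("pattern") != EXPECTED_PATTERN:
                findings.append("pattern differs from updated guidance")
            if cond.get("input") != EXPECTED_INPUT:
                findings.append("condition input is not " + EXPECTED_INPUT)
        report[rule.get("name")] = findings
    return report

if __name__ == "__main__":
    print(audit_rules(SAMPLE_CONFIG))
```
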
Alternatively, you can use the PowerShell-based Exchange On-Premises Mitigation Tool (EOMTv2.ps1), updated to take into account the aforementioned URL patterns.
The actively exploited issues are called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082).
Successful weaponization of the flaws could allow an authenticated attacker to chain the two vulnerabilities together to achieve remote code execution on the underlying server.
The tech giant acknowledged last week that the shortcomings could have been exploited by a single state-sponsored attacker in limited, targeted attacks against fewer than 10 organizations worldwide starting in August 2022.