Microsoft on Friday disclosed that it has made further improvements to the mitigations it provides as a means of preventing exploitation attempts against the newly disclosed, unpatched security flaws in Exchange Server.
To that end, the tech giant changed the blocking rule in IIS Manager from “.*autodiscover\.json.*Powershell.*” to “(?=.*autodiscover\.json)(?=.*powershell)”.
The updated instructions for adding the URL Rewrite rule are listed below.
- Open IIS Manager
- Select Default Web Site
- In the Features View, click [URL Rewrite].
- In the [Actions] pane on the right, click [Add Rule(s)…].
- Select [Request Blocking] and click [OK].
- Add the string “(?=.*autodiscover\.json)(?=.*powershell)” (without the quotes)
- Under [Using], choose [Regular Expression].
- Under [How to block], select [Abort Request] and click [OK].
- Expand the rules, select the rule with the pattern (?=.*autodiscover\.json)(?=.*powershell), and click [Edit] under [Conditions].
- Change the condition input from {URL} to {UrlDecode:{REQUEST_URI}} and click [OK].
Alternatively, you can use the PowerShell-based Exchange On-Premises Mitigation Tool (EOMTv2.ps1), updated to take into account the aforementioned URL patterns.
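A regression check for the rule change described above, written as an added example (not Microsoft's or EOMTv2's code). It assumes case-insensitive matching, uses `decodeURIComponent` as a stand-in for `{UrlDecode:...}`, and runs on constructed request URIs; the function and sample names are hypothetical.

```javascript
// Added example: compare the two blocking patterns from the article.
// Assumption: the rule matches case-insensitively.
const OLD_PATTERN = /.*autodiscover\.json.*Powershell.*/i;
const NEW_PATTERN = /(?=.*autodiscover\.json)(?=.*powershell)/i;

// Stand-in (assumption) for the {UrlDecode:{REQUEST_URI}} condition input.
function urlDecode(uri) {
  try {
    return decodeURIComponent(uri);
  } catch {
    return uri; // malformed escape sequence: evaluate the string as received
  }
}

// True when the rule would abort the request for this input string.
function isBlocked(pattern, uri, decode) {
  return pattern.test(decode ? urlDecode(uri) : uri);
}

// Constructed test strings: they only vary token order and encoding.
const SAMPLES = [
  { name: "tokens in order", uri: "/autodiscover/autodiscover.json?a=b/powershell" },
  { name: "tokens reversed", uri: "/powershell/?x=autodiscover.json" },
  { name: "percent-encoded token", uri: "/autodiscover/autodiscover.json?a=b/%70owershell" },
  { name: "unrelated request", uri: "/owa/auth/logon.aspx" },
];

// One row per sample: old pattern on the raw string, new pattern on the raw
// string, and new pattern on the decoded string.
function evaluate() {
  return SAMPLES.map(({ name, uri }) => ({
    name,
    oldRaw: isBlocked(OLD_PATTERN, uri, false),
    newRaw: isBlocked(NEW_PATTERN, uri, false),
    newDecoded: isBlocked(NEW_PATTERN, uri, true),
  }));
}

console.table(evaluate());
```

The lookahead form matches regardless of the order in which the two tokens appear, and decoding the input before matching covers percent-encoded spellings of either token.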
The actively exploited issues are called ProxyNotShell (CVE-2022-41040 and CVE-2022-41082).
Successful weaponization of the flaws could allow an authenticated attacker to chain the two vulnerabilities together to achieve remote code execution on the underlying server.
The tech giant acknowledged last week that the shortcomings may have been exploited by a single state-sponsored attacker in limited, targeted attacks against fewer than 10 organizations worldwide starting in August 2022.