On Friday, Microsoft revealed that it has made further improvements to the mitigation it provided to prevent exploitation attempts against the newly disclosed, unpatched security flaws in Exchange Server.
To that end, the tech giant revised the blocking rule in IIS Manager from ".*autodiscover\.json.*Powershell.*" to "(?=.*autodiscover\.json)(?=.*powershell)".
Here is an updated list of steps to add a URL Rewrite rule:
1. Open IIS Manager
2. Select Default Web Site
3. In the Features View, click URL Rewrite
4. In the Actions pane on the right-hand side, click Add Rule(s)…
5. Select Request Blocking and click OK
6. Add the string "(?=.*autodiscover\.json)(?=.*powershell)" (excluding quotes)
7. Select Regular Expression under Using
8. Select Abort Request under How to block and then click OK
9. Expand the rule, select the rule with the pattern (?=.*autodiscover\.json)(?=.*powershell), and click Edit under Conditions
10. Change the Condition input from {URL} to {UrlDecode:{REQUEST_URI}} and then click OK
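The following check is an added example, not code from Microsoft or the original article. It runs the old and new patterns against constructed request URIs to show what the lookahead form and the {UrlDecode:{REQUEST_URI}} condition input each contribute. The three input functions are simplified models of the IIS URL Rewrite variables (the raw {REQUEST_URI} column is included for comparison and is an assumption beyond the steps above), and Python's `re` stands in for the IIS regex engine.

```python
import re
from urllib.parse import unquote, urlsplit

# Patterns as given in the article; IIS URL Rewrite ignores case by default.
OLD = re.compile(r".*autodiscover\.json.*Powershell.*", re.IGNORECASE)
NEW = re.compile(r"(?=.*autodiscover\.json)(?=.*powershell)", re.IGNORECASE)

# Simplified models (assumptions) of the rule's possible condition inputs.
def in_url(uri):          # {URL}: path only, query string not included
    return urlsplit(uri).path

def in_raw(uri):          # {REQUEST_URI}: path + query, still percent-encoded
    return uri

def in_decoded(uri):      # {UrlDecode:{REQUEST_URI}}: path + query, decoded
    return unquote(uri)

# Constructed request URIs used only to exercise the rule.
SAMPLES = {
    "ordered":  "/autodiscover/autodiscover.json/x/powershell/",
    "reversed": "/powershell/x/autodiscover/autodiscover.json",
    "in_query": "/autodiscover/autodiscover.json?x=/powershell/",
    "encoded":  "/autodiscover/autodiscover.json?x=/power%73hell/",
    "benign":   "/autodiscover/autodiscover.json?Email=user@example.test",
}

def blocked(pattern, condition_input, uri):
    """True if the blocking rule would fire for this request URI."""
    return pattern.search(condition_input(uri)) is not None

def evaluate():
    """Map each sample to the verdict of four pattern/input combinations."""
    return {
        name: {
            "old/decoded": blocked(OLD, in_decoded, uri),
            "new/url":     blocked(NEW, in_url, uri),
            "new/raw":     blocked(NEW, in_raw, uri),
            "new/decoded": blocked(NEW, in_decoded, uri),
        }
        for name, uri in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:9}", verdicts)
```

Only the new pattern evaluated against the decoded request URI blocks all four suspicious samples while leaving the benign Autodiscover request alone.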
Additionally, users can achieve the desired protections by running the PowerShell-based Exchange On-premises Mitigation Tool v2 (EOMTv2.ps1), which has also been updated to take the aforementioned URL pattern into account.
The actively exploited issues, known as ProxyNotShell (CVE-2022-41040 and CVE-2022-41082), have yet to be addressed by Microsoft, although with Patch Tuesday coming soon, the wait may not be long.
Successful weaponization of the vulnerabilities could allow an authenticated attacker to chain the two vulnerabilities to execute code remotely on the underlying server.
Last week, the tech giant acknowledged that the flaws may have been abused by a single state-sponsored threat actor since August 2022 in limited targeted attacks aimed at fewer than 10 organizations worldwide.