Imperva Cyber Community


Manual Mitigation for CVE-2021-26855: Microsoft Exchange Server

By Patrick Mccrudden posted 03-05-2021 05:51

  

After further information became available, we revised our manual mitigation advisory and updated the post:

 

A recent vulnerability found in Microsoft Exchange Server has been assigned CVE-2021-26855. The vulnerability allows the server to be induced into performing unintended actions (Server-Side Request Forgery, aka SSRF). By sending a specially crafted request to the application, an attacker can use the server to conduct host-based attacks.

 

Vulnerability name: CVE-2021-26855: Microsoft Exchange Server HAFNIUM SSRF

 

Vulnerability description: Microsoft Exchange Server contains a flaw related to request handling between a user and a server, where the server can be induced into performing unintended actions (Server Side Request Forgery). Mitigation prevents the chained exploitation of: CVE-2021-26857, CVE-2021-26858, and CVE-2021-26865.

Please note that Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.
 

Below are manual mitigation steps to address Exchange Server HAFNIUM SSRF Exploitation (for On-Prem customers):

 

Create and apply a new web service custom policy with the following match criteria:

 

HTTP Request

Operation: Match Any

  • Part: Url
  • Match Operation: Includes
  • Value: /owa/

 

  • Part: Url
  • Match Operation: Includes
  • Value: /ecp/

 

HTTP Request

Operation: Match Any

  • Part: Header
  • Name: “Cookie”
  • Operation: “Matches Regular Expression”
  • Value: “X-BEResource=.{1,100}\/.{1,100}~”

 

  • Part: Header
  • Name: “Cookie”
  • Operation: “Matches Regular Expression”
  • Value: “X-AnonResource-Backend=.{1,100}\/.{1,100}~”
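
The match criteria above can be checked against sample requests before the policy is applied. The following Python sketch is an added example, not Imperva's code: it assumes the two HTTP Request criteria are combined with AND, that "Includes" is a case-sensitive substring test, and that the regular expressions are unanchored. The function names and sample requests are constructed for illustration.

```python
import re

# URL criterion from the post: "Includes" /owa/ or /ecp/ (Match Any).
URL_PARTS = ("/owa/", "/ecp/")

# Cookie header regular expressions exactly as given in the post (Match Any).
COOKIE_PATTERNS = (
    re.compile(r"X-BEResource=.{1,100}\/.{1,100}~"),
    re.compile(r"X-AnonResource-Backend=.{1,100}\/.{1,100}~"),
)

def url_matches(url: str) -> bool:
    """True if the URL contains any of the listed path fragments."""
    return any(part in url for part in URL_PARTS)

def cookie_matches(cookie_header: str) -> bool:
    """True if the Cookie header value matches either regular expression."""
    return any(p.search(cookie_header) for p in COOKIE_PATTERNS)

def policy_matches(url: str, headers: dict) -> bool:
    """Assumption: both criteria must hold (AND) for the policy to fire."""
    # HTTP header names are case-insensitive, so look up "Cookie" that way.
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    return url_matches(url) and cookie_matches(cookie)

# Constructed sample requests (placeholders, not captured traffic):
# (url, headers, expected policy result)
SAMPLES = [
    ("/owa/auth/sample.js", {"Cookie": "X-AnonResource=true; X-AnonResource-Backend=host.example/path~1"}, True),
    ("/ecp/sample.js", {"cookie": "X-BEResource=host.example/path~1"}, True),
    ("/owa/auth/logon.aspx", {"Cookie": "ClientId=ABC123; OutlookSession=xyz"}, False),
    ("/ecp/sample.js", {"Cookie": "X-BEResource=no-slash-or-tilde"}, False),
    ("/intranet/home", {"Cookie": "X-BEResource=host.example/path~1"}, False),
]

def run_samples():
    """Evaluate every sample and return (url, result, expected) tuples."""
    return [(url, policy_matches(url, hdrs), exp) for url, hdrs, exp in SAMPLES]

if __name__ == "__main__":
    for url, got, expected in run_samples():
        status = "ok" if got == expected else "MISMATCH"
        print(f"{status:8} matched={got!s:5} {url}")
```

The third sample stands in for a normal OWA request with ordinary session cookies; if a rule like this fires on such traffic in a test run, the criteria were entered incorrectly.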


Comments

03-05-2021 12:21

Thanks Patrick!