After further information has become available we have revised our manual mitigation advisory and updated the post:
A recent vulnerability found in Microsoft Exchange Server has been assigned CVE-2021-26855. The vulnerability allows the server to be induced into performing unintended actions (Server-Side Request Forgery, SSRF). By sending a specially crafted request to the application, the server can be used to conduct host-based attacks.
Vulnerability name: CVE-2021-26855: Microsoft Exchange Server HAFNIUM SSRF
Vulnerability description: Microsoft Exchange Server contains a flaw related to request handling between a user and a server, where the server can be induced into performing unintended actions (Server Side Request Forgery). Mitigation prevents the chained exploitation of: CVE-2021-26857, CVE-2021-26858, and CVE-2021-26865.
Please note that Cloud WAF customers and On-Prem customers that have “SecureSphere Emergency Feed” (THR feeds) are already protected OOTB.
Below are manual mitigation steps to address Exchange Server HAFNIUM SSRF Exploitation (for On-Prem customers):
Create and apply a new web service custom policy with the following match criteria:

HTTP Request (Operation: Match Any)
- Part: Url
  - Match Operation: Includes
  - Value: /owa/
- Part: Url
  - Match Operation: Includes
  - Value: /ecp/

HTTP Request (Operation: Match Any)
- Part: Header
  - Name: Cookie
  - Operation: Matches Regular Expression
  - Value: X-BEResource=.{1,100}\/.{1,100}~
- Part: Header
  - Name: Cookie
  - Operation: Matches Regular Expression
  - Value: X-AnonResource-Backend=.{1,100}\/.{1,100}~
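To check what the policy above will and will not catch before deploying it, here is an added Python re-implementation of its match logic run over constructed sample requests (example code written for this post, not Imperva's WAF engine). It assumes the two criteria groups are ANDed and the items within each group are ORed; the cookie values are synthetic and chosen only to exercise the regexes.

```python
import re
from typing import Dict, Tuple

# Match criteria transcribed from the policy above.
URL_SUBSTRINGS = ("/owa/", "/ecp/")
COOKIE_PATTERNS = tuple(re.compile(p) for p in (
    r"X-BEResource=.{1,100}\/.{1,100}~",
    r"X-AnonResource-Backend=.{1,100}\/.{1,100}~",
))


def url_matches(url: str) -> bool:
    """First group: Url 'Includes' any of the listed substrings."""
    return any(s in url for s in URL_SUBSTRINGS)


def cookie_matches(headers: Dict[str, str]) -> bool:
    """Second group: Cookie header matches any listed regex.
    Header names are compared case-insensitively, as HTTP requires."""
    cookie = next((v for k, v in headers.items() if k.lower() == "cookie"), "")
    return any(p.search(cookie) for p in COOKIE_PATTERNS)


def policy_triggers(url: str, headers: Dict[str, str]) -> bool:
    """Assumption: groups are ANDed, items within a group are ORed."""
    return url_matches(url) and cookie_matches(headers)


# Constructed sample requests (synthetic, not captured traffic).
SAMPLES: Dict[str, Tuple[str, Dict[str, str]]] = {
    "benign_owa": ("/owa/auth/logon.aspx", {"Cookie": "ASP.NET_SessionId=abc123"}),
    "suspicious_ecp": ("/ecp/default.flt", {"Cookie": "X-BEResource=internal.example/ecp/x~1"}),
    "suspicious_owa_anon": ("/owa/", {"cookie": "X-AnonResource-Backend=mail.example/owa/x~2"}),
    # Cookie matches but the URL is outside /owa/ and /ecp/: first group fails.
    "wrong_path": ("/api/v1/items", {"Cookie": "X-BEResource=internal.example/ecp/x~1"}),
    # Missing the trailing '~' required by the regex: second group fails.
    "no_tilde": ("/ecp/", {"Cookie": "X-BEResource=internal.example/ecp/x"}),
}


def evaluate_samples() -> Dict[str, bool]:
    """Return, per sample, whether the policy would trigger on it."""
    return {name: policy_triggers(url, hdrs) for name, (url, hdrs) in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} -> {'BLOCK' if hit else 'allow'}")
```

The last two samples show the two ways a request falls outside the policy, which is useful when deciding whether the URL criteria should be broadened for your deployment.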