Early in March 2021, four zero-day Exchange Server vulnerabilities were disclosed for on-premises Exchange Server versions, including Exchange 2013, 2016, and 2019. What is worse, the vulnerabilities have been actively exploited by nation-state threat actors in a large-scale attack against organizations running these versions. Microsoft has released emergency patches to mitigate the vulnerabilities. Recently, they also released a "one-click" Microsoft Exchange On-Premises Mitigation Tool—March 2021 to help customers apply the necessary mitigations.
What are the zero-day vulnerabilities found regarding on-premises Exchange? How does the new one-click Microsoft Exchange On-Premises Mitigation Tool help with applying patches to the on-premises Exchange Server? Let's look at this new tool and see how it works.
On-premises Exchange Server vulnerabilities
The on-premises Exchange vulnerabilities made headlines in March 2021 with four very high-profile vulnerabilities to note with Exchange 2013, 2016, and 2019. While Exchange 2010 is not directly affected by the vulnerabilities, Microsoft has also released patches for Exchange 2010 for what it refers to as a "defense in depth" patch. First, what are the four zero-day vulnerabilities found in the on-premises Exchange Server versions and the corresponding CVEs?
- CVE-2021-26855: A server-side request forgery (SSRF) vulnerability in Exchange that allows an attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. Its CVSS score is 9.1.
- CVE-2021-26857: An insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization occurs when a program deserializes untrusted, user-controllable data. Exploiting this vulnerability enables running malicious code as SYSTEM on the Exchange Server; it requires administrator permission or another vulnerability to exploit. Its CVSS score is 7.8.
- CVE-2021-26858: A post-authentication arbitrary file write vulnerability; once authenticated, an attacker can write files to arbitrary paths on the server. Its CVSS score is 7.8.
- CVE-2021-27065: After authenticating with an Exchange Server, an attacker can use this vulnerability to write a file to any path on the server. The attacker could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials. Its CVSS score is 7.8.
Recommended actions from Microsoft
The current recommendation from Microsoft is that organizations update their on-premises Exchange Servers as quickly as possible, because Microsoft has released updates that address the vulnerabilities in the CVEs above. However, some organizations have little or no on-site IT staff, and others cannot get a maintenance window for some time.
Microsoft realizes the conundrum that many businesses are finding with the current zero-day patches and the challenge of patching their on-premises Exchange Servers. With this being the case, Microsoft has been steadily releasing PowerShell scripts to help put mitigations in place against the vulnerabilities until the servers can be properly patched. This culminated with the release of the Exchange On-Premises Mitigation Tool (EOMT). Microsoft now recommends the EOMT over the previously released PowerShell scripts to put the mitigations in place. What is the EOMT? How do businesses use it to ensure their unpatched Exchange Servers have the mitigations in place to protect against this latest threat to on-premises Exchange Server hosts?
The EOMT is a fully automated "one-click" approach to configuring the recommended mitigations for the zero-day vulnerabilities; it also scans the Exchange Server with the Microsoft Safety Scanner. With the new tool, Microsoft consolidates the necessary tasks in an automated fashion so that the mitigating actions are introduced correctly and with little room for error. This certainly helps SMBs and even very small environments that may find managing and patching Exchange Server challenging. The EOMT is a PowerShell script that brings these various functions and tasks together in a single script. It performs the following steps on your on-premises Exchange Server:
- The tool checks whether your Exchange Server is a vulnerable (unpatched) version.
- If the Exchange Server is vulnerable, it downloads the IIS URL Rewrite Module and applies the rewrite configuration, mitigating CVE-2021-26855.
- It then runs the Microsoft Safety Scanner in "Quick Scan" mode, even if the Exchange Server is already patched.
- Finally, it identifies and proactively deals with threats found in the scan.
Some may wonder how the new EOMT.ps1 "one-click" tool is different from the ExchangeMitigations.ps1 file released earlier. The ExchangeMitigations.ps1 tool does the following:
- It mitigates the four zero-day CVEs currently affecting Exchange Server: CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858.
- Applying the ExchangeMitigations.ps1 mitigations does impact Exchange functionality.
- It does not proactively scan for existing compromise or exploitation of the vulnerability.
- It does not respond to identified threats.
As this comparison shows, the one-click mitigation tool in the form of EOMT.ps1 is a much more proactive tool: in addition to introducing the URL rewrite for the CVE-2021-26855 mitigation, it takes steps to determine whether the Exchange Server has already been compromised.
Downloading and requirements
First, how do you obtain the EOMT? Microsoft has made the tool available through its Exchange Security GitHub page:
- CSS-Exchange/Security at main · microsoft/CSS-Exchange · GitHub
What are the requirements for running the EOMT.ps1 utility?
- An external internet connection from your Exchange Server (required to download the Microsoft Safety Scanner and the IIS URL Rewrite Module)
- The PowerShell script must be run as Administrator
- PowerShell 3 or later
- IIS 7.5 and later
- Exchange 2013, 2016, or 2019
- Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
Running the one-click EOMT tool
After downloading the one-click EOMT.ps1 script, open up an Administrator PowerShell prompt and simply run the script. The output will look like the following. Notice it runs the steps listed above:
- Checks to see whether the Exchange Server is vulnerable.
- If vulnerable, it applies the URL rewrite mitigation.
- It then starts and runs the Microsoft Safety Scanner to scan for compromise.
- All results are logged to the EOMT logs.
The following are screenshots of the tool as run on a new Exchange Server 2019 in a lab environment. The server was never exposed to the Internet. However, I purposely chose the Exchange 2019 Cumulative Update 8, which was released last year, so it would be behind on patches. As you can see, the IIS URL Rewrite configuration was applied to the server since it does not have the most recent patches applied.
EOMT.ps1 also writes a summary log that shows the activities of the tool and the tasks performed:
In addition, the Microsoft Safety Scanner writes its log file to C:\Windows\debug\msert.log.
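The following PowerShell script is an added example for this article; it is not part of Microsoft's EOMT.ps1 or the CSS-Exchange repository. It is the post-run check an administrator would want after the steps listed above: it reads the installed Exchange build so it can be compared against the March 2021 security-update builds, confirms that the IIS URL Rewrite Module is installed, lists any abort-type rewrite rules on the Default Web Site, and reports when the Safety Scanner log at C:\Windows\debug\msert.log was last written. Everything not taken from the article is an assumption and is marked as such in the code: the Exchange build is read from the v15 Setup registry key, the `$PatchedBuilds` table is left empty for you to fill from Microsoft's release notes, and the mitigation rules are matched by the word "Abort" in their names, which you should verify against the EOMT.ps1 source on GitHub.

```powershell
# Added example (not Microsoft's EOMT.ps1 and not code from the article).
# Post-run verification for an on-premises Exchange Server. Run from an
# elevated PowerShell prompt on the Exchange Server itself (PowerShell 3+).
#
# Assumptions not taken from the article:
#  - Exchange 2013/2016/2019 record their build under the v15 Setup key.
#  - $PatchedBuilds is a PLACEHOLDER table: key = "major.minor.build" of the
#    installed CU, value = first revision that contains the security update.
#    Fill it from Microsoft's release notes; it is intentionally empty here.
#  - The mitigation rewrite rules are recognised by "Abort" in their names;
#    confirm the exact names against EOMT.ps1 in microsoft/CSS-Exchange.

Import-Module WebAdministration -ErrorAction Stop

$PatchedBuilds = @{
    # '15.2.721' = <revision>   # key shape for Exchange 2019 CU8 (PLACEHOLDER)
}
$MsertLog = 'C:\Windows\debug\msert.log'   # log path stated in the article

function Get-ExchangeBuild {
    # Assumption: build components live in the Exchange v15 Setup registry key.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' -ErrorAction Stop
    [version]"$($k.MsiProductMajor).$($k.MsiProductMinor).$($k.MsiBuildMajor).$($k.MsiBuildMinor)"
}

function Test-PatchedBuild([version]$Build) {
    # A security update only changes the revision, so compare within the same CU.
    $cu = '{0}.{1}.{2}' -f $Build.Major, $Build.Minor, $Build.Build
    if (-not $PatchedBuilds.ContainsKey($cu)) {
        return 'Unknown (CU not in $PatchedBuilds; compare with the release notes manually)'
    }
    if ($Build.Revision -ge $PatchedBuilds[$cu]) { 'Patched' } else { 'NOT patched - mitigation required' }
}

function Get-RewriteModuleState {
    # EOMT downloads and installs the IIS URL Rewrite Module when it must mitigate.
    $m = Get-WebGlobalModule -Name RewriteModule -ErrorAction SilentlyContinue
    if ($m) { 'Installed' } else { 'Missing' }
}

function Get-MitigationRules {
    # Lists rewrite rules on the Default Web Site whose name contains "Abort"
    # (assumed naming; verify against the EOMT.ps1 source).
    try {
        Get-WebConfiguration -PSPath 'IIS:\Sites\Default Web Site' `
            -Filter 'system.webServer/rewrite/rules/rule' -ErrorAction Stop |
            Where-Object { $_.name -like '*Abort*' } |
            ForEach-Object { '{0} -> {1}' -f $_.name, $_.action.type }
    } catch {
        @()   # no rewrite section at all, which also means no mitigation rule
    }
}

function Get-MsertLogState {
    # The Safety Scanner writes C:\Windows\debug\msert.log; a fresh timestamp
    # confirms the scan step actually ran.
    if (-not (Test-Path $MsertLog)) { return 'No Safety Scanner log found' }
    $age = (Get-Date) - (Get-Item $MsertLog).LastWriteTime
    'Last written {0:N0} minutes ago' -f $age.TotalMinutes
}

$build = Get-ExchangeBuild
$rules = @(Get-MitigationRules)
$report = [ordered]@{
    ExchangeBuild   = $build.ToString()
    PatchState      = Test-PatchedBuild $build
    UrlRewrite      = Get-RewriteModuleState
    MitigationRules = if ($rules.Count) { $rules -join '; ' } else { 'none found' }
    SafetyScanner   = Get-MsertLogState
}
$report.GetEnumerator() | ForEach-Object { '{0,-16}: {1}' -f $_.Key, $_.Value }
```

Run it once after EOMT.ps1 finishes and keep the output with your change record. A server that reports an unpatched build together with "none found" under MitigationRules is the state you do not want to leave in place: either the rewrite step did not complete, or the server was judged already patched by a table that disagrees with yours, so check the EOMT summary log before moving on.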
The recent on-premises Exchange Server vulnerabilities have created challenges for organizations without dedicated IT staff, including many SMBs. For those, and even for large companies that have to wait for a scheduled maintenance window, Microsoft has created the EOMT, which provides an easy "one-click" approach to applying the needed mitigations to Exchange Server.
Also, the new tool proactively scans Exchange for evidence of compromise or other malicious activity using the Microsoft Safety Scanner. It is interesting to see this is an officially supported tool from Microsoft to help close the gap and protect Exchange from the recently disclosed vulnerabilities. However, Microsoft recommends applying the needed patches as soon as possible, even if mitigation is applied.