• Home
  • |
  • Blog
  • |
  • A New Improved Workaround to Mitigate the ProxyNotShell Vulnerability
New Improved Workaround to Mitigate the ProxyNotShell

On 8th Oct 2022, Microsoft published a new, improved workaround to mitigate the ProxyNotShell vulnerability. Microsoft has published a workaround for the third time, in which it shared a new modified URL Rewrite rule. Microsoft has revised the blocking rule in IIS Manager form “.*autodiscover\.json.*Powershell.*” to “(?=.*autodiscover\.json)(?=.*powershell).” Users are suggested to update the new URL Rewrite rule as per the change made.

Alternatively, Microsoft has asked users to use the new modified version of Exchange On-premises Mitigation EOMTv2.ps1 PowerShell tool to achieve the same protection covered by the URL Rewrite Rule. Download the latest release from here: EOMTv2.ps1.

Source: Microsoft

New Improved Workaround to Mitigate the ProxyNotShell

Time needed: 15 minutes

How to Mitigate ProxyNotShell Vulnerabilities?

  1. Open IIS Manager on the Exchange server

    In Server Manager and go to Tools –> Internet Information Services (IIS) ManagerAn image to open 'IIS Manager' from 'Server Manager' (1)

  2. Open ‘URL Rewrite’ feature for ‘Autodiscover’ under ‘Default Web Site’ in IIS Manager

    In IIS Manager, navigate to Hostname (This this sample – EXCH19) –> Sites –> Default Web Site –> Autodiscover.
    Select ‘URL Rewrite‘ under ‘IIS‘.
    In the right-pane, click on ‘Open Feature‘ under ‘Actions‘.image (2)

  3. Add a rule under ‘URL Rewrite’

    Under ‘URL Rewrite‘ feature, click on ‘Add Rule(s)‘ under ‘Actions‘ to create a new Inbound rule.An image to 'Add Rule(s)' under 'URL Rewrite' (1)

  4. Add a new Rule for ‘Request blocking’

    In the Add Rule(s) window, select ‘Request blocking‘ under ‘Inbound rules‘.  This will create a rule to block client requests based on certain text patterns in the URL path, query string, HTTP headers, and server variables. Click on ‘OK‘ to proceed further.An image to select 'Inbound Rule' as 'Request Blocking' (1)

  5. Update Pattern (URL Path) in Request Blocking Rule

    In ‘Add Request Blocking Rule‘ window, update the string “(?=.*autodiscover)(?=.*powershell)” (excluding quotes). Select Regular Expression under Using. Select Abort Request under How to block and then click OK.An image to update 'Pattern (URL Path)' under 'Request Blocking Rule' (1)

  6. Edit the Conditions for the Inbound Rule with the Pattern “.*autodiscover\.json.*Powershell.*”

    In ‘URL Rewrite‘ page, expand ‘RequestBlockingRule1‘ and select the Rule with the Pattern “.*autodiscover\.json.*Powershell*” and click on ‘Edit‘ under ‘Conditions’.An image to edit the Inbound rule (1)

  7. Update Condition input from {URL} to {REQUEST_URI}

    Under ‘Edit Condition‘ page, change the ‘Condition input‘ from {URL} to {REQUEST_URI} and click on ‘OKAn image to update the 'Condition input' (1)

CVE-2022-41040 and CVE-2022-41082 vulnerabilities in Microsoft Exchange Server are chained to increase the attack surface; if an attacker exploits the former, they can also trigger the latter. The exploitation enables an attacker to process malware execution or even have complete control over the affected system. To avoid this exploitation, it is crucial to know about the new, improved workaround to mitigate the ProxyNotShell vulnerabilities.

We hope this post would help you know about the new, improved workaround to mitigate the ProxyNotShell, two 0-day vulnerabilities in Microsoft Exchange Server. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitter, TelegramTumblrMedium & Instagram, and subscribe to receive updates like this. 

See Also  How to Fix CVE-2021-0146- A High Severity Privilege Escalation Vulnerability In Intel Chips?

Read More:

About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.