Microsoft Exchange is a frequent target of hackers, and often the attack vector is a well known vulnerability that a company just hasn’t gotten around to patching.
To try to deal with that problem, Microsoft is doing what a lot of other software vendors may start doing: making applying fixes a lot less optional.
In the September 2021 Cumulative Update (CU), the software giant has added a new feature called the Microsoft Exchange Emergency Mitigation (EM) service. The EM service installs automatically with the CU and may automatically disable features or functionality on an Exchange server as threats arise.
The EM service can be disabled, but that’s kind of the point: A server admin would need to actively disable the service; otherwise it will apply mitigations as threats arise.
How Exchange Mitigation Works
The EM service checks the cloud-based Office Config Service (OCS) for available mitigations every hour. The service then downloads a signed XML file containing the mitigation configuration settings and validates the signature to verify that the XML was not tampered with by checking the issuer, the Extended Key Usage, and the certificate chain. After successful validation, the EM service applies the mitigation.
Microsoft notes that “Each mitigation is a temporary, interim fix until you can apply the Security Update that fixes the vulnerability. The EM service is not a replacement for Exchange SUs. However, it is the fastest and easiest way to mitigate the highest risks to Internet-connected, on-premises Exchange servers before updating.”
The EM service can apply 3 types of mitigations:
- IIS URL Rewrite rule mitigation, which is a rule that blocks specific patterns of malicious HTTP requests that can endanger an Exchange server
- Exchange service mitigation, which disables a vulnerable service on an Exchange server
- App Pool mitigation, which disables a vulnerable app pool on an Exchange server
Admins have visibility and control over any applied mitigation through PowerShell cmdlets and scripts.
The service requires the IIS URL Rewrite Module and Universal C Runtime in Windows (KB2999226) and users will be prompted to install them if needed.
Exchange Server Security Tools
Microsoft has released a number of security tools this year to better protect Exchange servers.
- The Exchange On-premises Mitigation Tool (EOMT), released in March, is a one-click tool that applies interim mitigations to an Exchange server to minimize vulnerable attack surfaces until the admin can install an available SU.
- Automatic on-premises Exchange server mitigation was added to Microsoft Defender Antivirus and System Center Endpoint Protection, also in March.
- Integration between Exchange Server and AMSI, the Windows Antimalware Scan Interface, was added in June to scan content in HTTP requests and block malicious requests before they are handled by Exchange Server.
This latest release comes just days after news that an Exchange Autodiscover flaw leaked nearly 100,000 unique Windows domain credentials.
VMware vCenter Vulnerability Exploited
Microsoft is hardly the only software vendor whose publicly disclosed vulnerabilities are being exploited. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has warned that a VMware vCenter Server vulnerability reported last week is already under attack.
An attacker with network access to port 443 can exploit the vulnerability (CVE-2021-22005) to execute code on vCenter Server – which malicious actors are already attempting.
“Security researchers are also reporting mass scanning for vulnerable vCenter Servers and publicly available exploit code,” the agency said. “Due to the availability of exploit code, CISA expects widespread exploitation of this vulnerability.”
The CISA notice also urges a number of mitigation steps.