Using NetScaler Responder Policies to mitigate against Microsoft Exchange Server Vulnerability
On September 29th 2022, Microsoft announced two zero-day vulnerabilities affecting on-premises Exchange Server:
- CVE-2022-41082: Microsoft Exchange Server remote code execution (RCE) vulnerability, exploitable when PowerShell is accessible to the attacker.
- CVE-2022-41040: Microsoft Exchange Server server-side request forgery (SSRF) vulnerability.
What can be done to mitigate against these CVEs?
Firstly, since the 29th September Microsoft has released instructions for updating on-premises Exchange Server to mitigate these CVEs, and we recommend applying them as per the guidance on the Microsoft Security Response Center.
We know that the NetScaler can be used to further enhance the security of your applications, but can it help in this situation?
The answer is yes. A recent blog described how the NetScaler Web Application Firewall (WAF) can help mitigate these CVEs, and how the NetScaler signature auto-update can deliver that protection in a timely manner.
I don't have WAF, can my NetScaler still help mitigate these CVEs?
The answer is yes: use responder policies.
You can create a responder policy either via the NetScaler GUI or via the command line; once created, you can bind that policy either to a virtual server or globally.
A recent blog by Lena Yarovaya at NetScaler on this exact topic provides the code to create this policy.
add responder policy mitigate_cve_2022_41082_41040
On 6th October 2022 Microsoft issued an update to their mitigation for the CVEs listed above. We recommend applying these updates from Microsoft, and for added security the policy below can be applied to NetScaler appliances.
NetScaler has released updated signature version 94 for NetScaler users that have NetScaler WAF signatures enabled. They have also released an updated responder policy, detailed below, for NetScaler Standard, Enterprise or Platinum editions that don't have NetScaler WAF enabled.
add responder policy mitigate_cve_2022_41082_41040 q^HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*Powershell#)^ DROP
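For readers who want to sanity-check what the expression above will and will not drop before binding it, the following Python script is an added example (not code from this post or from NetScaler) that emulates the policy's two clauses and runs them over a few constructed access-log lines. It assumes that HTTP.REQ.URL is evaluated as the literal request URL (path plus query string) and that REGEX_MATCH under IGNORECASE behaves like a case-insensitive regex search; the log lines and IP addresses are constructed sample data.

```python
from __future__ import annotations

import re

# Added example, not code from the post or from NetScaler: an offline emulation of
#   HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("autodiscover.json") &&
#   HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*Powershell#)
# Assumption: HTTP.REQ.URL is the literal request URL (path and query string) and
# REGEX_MATCH with IGNORECASE behaves like a case-insensitive re.search.

POLICY_NAME = "mitigate_cve_2022_41082_41040"
CONTAINS_NEEDLE = "autodiscover.json"
URL_PATTERN = re.compile(r"autodiscover\.json.*Powershell", re.IGNORECASE)


def policy_matches(url: str) -> bool:
    """Return True when the responder policy would fire and the request be dropped."""
    # First clause: cheap case-insensitive substring prefilter.
    if CONTAINS_NEEDLE not in url.lower():
        return False
    # Second clause: ordered regex; "autodiscover.json" must precede "Powershell".
    return URL_PATTERN.search(url) is not None


# Constructed access-log lines in Common Log Format (sample data, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Oct/2022:10:01:02 +0000] "POST /autodiscover/autodiscover.json?Email=user@example.com&Protocol=ActiveSync HTTP/1.1" 200 512
10.0.0.5 - - [06/Oct/2022:10:01:05 +0000] "GET /owa/ HTTP/1.1" 200 2048
198.51.100.7 - - [06/Oct/2022:10:02:11 +0000] "POST /autodiscover/autodiscover.json?a@example.com/PowerShell HTTP/1.1" 200 16
198.51.100.7 - - [06/Oct/2022:10:02:12 +0000] "POST /AutoDiscover/AutoDiscover.JSON?a@example.com/powershell HTTP/1.1" 200 16
10.0.0.9 - - [06/Oct/2022:10:03:00 +0000] "POST /powershell HTTP/1.1" 200 1024
"""

# client - - [timestamp] "METHOD URL PROTOCOL" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')


def flag_requests(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every logged request the policy would have dropped.

    Intended for retrospective checking: run it over web logs captured before the
    policy was bound to see which earlier requests it would have caught.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-CLF lines
        client_ip, _method, url, _status = m.groups()
        if policy_matches(url):
            flagged.append((client_ip, url))
    return flagged


if __name__ == "__main__":
    for ip, url in flag_requests(SAMPLE_LOG):
        print(f"{POLICY_NAME} would DROP request from {ip}: {url}")
```

The substring clause is a cheap prefilter so the regex only runs on requests that mention autodiscover.json at all, and the regex is ordered: autodiscover.json must appear before Powershell, so a legitimate Autodiscover v2 request or a direct /powershell request (Exchange remote management) is left alone. The flag_requests helper is the defender's companion to the policy: point it at historical access logs to see which requests the policy would have dropped had it been in place.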