Skip to main content
NetScaler

Using NetScaler Responder Policies for Microsoft Exchange Server CVE

Using NetScaler Responder Policies to mitigate against Microsoft Exchange Server Vulnerability

On September 29th 2022, Microsoft announced two Zero day attack vulnerabilities relating to “on-premises” Exchange server. 

  • CVE-2022-41082 Microsoft Exchange Server – RCE Vulnerability when PowerShell is accessible to the attacker.  
  • CVE-2022-41040 Server-Side Request Forgery (SSRF) vulnerability. 

What can be done to mitigate against these CVEs?

Firstly, since the 29th September Microsoft have released instructions on updates for the on-premises Exchange Server to mitigate these CVEs and we would recommend they are applied as per the instructions on the Microsoft Security Responder Centre.

We know that the NetScaler can be used to further enhance the security of your applications, but can it help in this situation?

The answer is Yes, a recent blog described how the NetScaler Web Application Firewall (WAF) can help mitigate against these CVEs and how the NetScaler signature auto update can deliver this solution in a timely manner.

I don’t have WAF, can my NetScaler sill help mitigate against these CVEs?

The answer is Yes, use responder policies. 

You can create a responder policy either via the NetScaler GUI or via the command line and once created you can bind that policy to either the virtual server or globally.

A recent blog by Lena Yarovaya at NetScaler on this exact topic provides the code to create this policy.

add responder policy mitigate_cve_2022_41082_41040

q^HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(“autodiscover.json“) &&
HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*\@.*Powershell#)^ DROP
Open a putty session to your NetScaler then copy and paste this into the command line. 
The policy will then be available in the Responder section of the AppExpert menu in the NetScaler GUI. You can bind this policy globally or on the specific vserver. 

NetScaler Responder Policies

Update:

On 6th October 2022 Microsoft issued an update to their mitigation for the above listed CVEs. We recommend applying these updates from Microsoft and for added security the below can be applied to the NetScaler appliances. 

NetScaler has released the updated Signature version 94 for the NetScaler users that have NetScaler WAF signatures enabled.  They have also released an updated responder policy, detailed below, for those NetScaler Standard, Enterprise or Platinum that don’t have NetScaler WAF enabled. 

Add responder policy mitigate_cve_2022_41082_41040 q^HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(“autodiscover.json“) && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).REGEX_MATCH(re#autodiscover\.json.*Powershell#)^ DROP 

FIND OUT MORE

If you would like to discuss the benefits of NetScaler Web Application Firewall or NetScaler in general call us on 0330 010 3443 or email [email protected].

Check out our NetScaler FAQs

Similar Posts

EventsNetScaler

NetScaler Tech Update & Social – London

Al Taylor
Al TaylorOctober 29, 2024
BlogNetScaler

Citrix and f5 user? Time to seriously consider an f5 to NetScaler migration

Al Taylor
Al TaylorAugust 10, 2024
EventsNetScaler

Essential Guide: Maximising the value of NetScaler in Citrix Universal HMC

Al Taylor
Al TaylorApril 2, 2024
Close Menu