The first proposed workaround for the ProxyNotShell zero-day vulnerability in Exchange was easily circumvented; Microsoft has supplied a corrected version. The workaround Microsoft initially proposed to mitigate the zero-day vulnerability in Exchange Server was easily bypassed. The company has now presented a corrected workaround that is intended to provide better protection. Administrators should implement the adapted version quickly.
The ProxyNotShell zero-day vulnerability in Exchange kept IT admins busy over the past weekend. After Microsoft offered a workaround, a request-blocking rule in the AutoDiscover settings, IT security researchers found that the rule .*autodiscover\.json.*\@.*Powershell.* could simply be bypassed. The "@" makes the rule too specific, IT researcher Will Dormann explained on Twitter.
Dormann also suggested there that the rule be changed to .*autodiscover\.json.*Powershell.*. Initially, however, there was no confirmation from IT security experts that the modified rule provided better protection.
Microsoft has now adapted its own guidance on suggested actions and corrected the rule there to exactly the proposed version .*autodiscover\.json.*Powershell.*. The manufacturer has revised the corresponding passages. In addition, Microsoft's developers have updated the EOMTv2 script, which automates rollout of the rewrite rule, to use the improved rule.
Microsoft has also updated the rule that is automatically distributed to Exchange 2016 and 2019 via the Exchange Emergency Mitigation Service (EEMS) and has already redistributed it. The manufacturer writes that administrators should create the new rule and then delete the old, bypassable one.