microsoft / CSS-Exchange

Exchange Server support tools and scripts

microsoft-exchange-client-access-server-information-disclosure #2056

Open Murat-Guner opened 3 months ago

Murat-Guner commented 3 months ago

Hi

Synopsis: The remote mail server is affected by an information disclosure vulnerability.

Description: The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address. An attacker can send a crafted GET request to the Web Server with an empty host header that would expose internal IP Addresses of the underlying system in the header response.

Please add the capability to check the URL rewrite rule for hiding the server's internal IP, as explained below.

https://www.cyberis.com/article/microsoft-exchange-client-access-server-information-disclosure

Thanks
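The disclosure described in the post above can be confirmed on a response you have already captured from your own server. The following PowerShell is an added example, not part of the original issue and not CSS-Exchange code: it scans response headers for RFC 1918 addresses. The function name `Find-InternalIpInHeaders` and the sample response are constructed for illustration.

```powershell
# Added example: flag response headers that disclose a private (RFC 1918) IPv4 address.
function Find-InternalIpInHeaders {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$RawResponse
    )

    # Candidate dotted quads; octet ranges are validated after parsing.
    $ipPattern = '(?<![\d.])(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?![\d.])'

    # Headers end at the first blank line; the first line is the status line.
    $headerBlock = ($RawResponse -split "\r?\n\r?\n", 2)[0]
    $headerLines = $headerBlock -split "\r?\n" | Select-Object -Skip 1

    foreach ($line in $headerLines) {
        $name, $value = $line -split ':\s*', 2
        if ([string]::IsNullOrEmpty($value)) { continue }

        foreach ($m in [regex]::Matches($value, $ipPattern)) {
            $o = @(1..4 | ForEach-Object { [int]$m.Groups[$_].Value })
            if ($o | Where-Object { $_ -gt 255 }) { continue }   # not a valid IPv4 address

            $isPrivate = ($o[0] -eq 10) -or
                ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
                ($o[0] -eq 192 -and $o[1] -eq 168)

            if ($isPrivate) {
                [pscustomobject]@{ Header = $name; Address = $m.Value }
            }
        }
    }
}

# Constructed sample response (not captured from a real server).
$sample = @'
HTTP/1.1 302 Found
Location: https://192.168.10.25/owa/
WWW-Authenticate: Basic realm="10.0.4.17"
Content-Length: 0

'@

Find-InternalIpInHeaders -RawResponse $sample | Format-Table -AutoSize
```

An empty result after the URL rewrite rule is in place indicates the captured headers no longer carry a private address.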

dpaulson45 commented 3 months ago

@Murat-Guner based off that article, that issue is only for IIS and only for unsupported versions of IIS. I don't see the value add to include this into an Exchange Health Checker script.

RandelP commented 2 months ago

Hello,

Historically, on our Exchange 2016 setup, we successfully mitigated this vulnerability by implementing a URL rewrite rule. This approach was similar to the recommendations in the article that @Murat-Guner shared. The rule was able to effectively hide our server's internal IP address from being disclosed through an empty host header in GET requests.

However, after we upgraded our version to Exchange 2019, we've hit a roadblock. The same URL rewrite rule that served us well in the past now introduces complications. Can you please provide a way to mitigate this vulnerability?