Introduction
Anyone who has experience working in IT will have at some stage had to deal with security vulnerabilities in software. Recently this type of news is not just covered in Technical Magazines but is making International news. Vulnerabilities are part and parcel of software and as defence mechanisms improve so does the sophistication of attacks.
Recent Microsoft Exchange Vulnerability
This week, Microsoft has announced several vulnerabilities affecting Microsoft Exchange Server 2013, 2016 and, 2019 and notified customers that these have been exploited in multiple customer environments. When the vulnerabilities are chained together, they enable authentication bypass and code execution enabling adversaries to access accounts and data or run malware on target machines for long-term remote access.
To address these, Microsoft has released Security Patches for updating the Exchange servers. Upgrading and patching the software is critical and has resulted in many organisations scrambling to get this done while balancing the upgrade with change windows and maintenance of business operations. The reality of business dependence on email means as well as providing patches to fix this issue Microsoft has also provided a list of mitigation actions that can be completed. This enables organisations to prevent any attack during the period before a full audit and server patch rollout can take place. These amount to blocking specific services from external access and detecting specific request types used for the exploits.
Kemp Pre-Authentication
The attack vector used for exploiting these vulnerabilities in Exchange requires an untrusted connection to Exchange server port 443. Kemp LoadMaster provides a means for enforcing pre-authentication on chosen Exchange services (e.g. OWA, ActiveSync, and ECP) which provides the following defence
- Protects the Exchange Server from handling unauthenticated connection attempts
- Provides enhanced logging of User Access and IP addresses
- Enables Failed Login attempt limiting.
Kemp LoadMaster Content Rules.
When using Kemp LoadMaster for Exchange, the content rule engine provides a really flexible tool for controlling traffic into Exchange but also to block specific traffic patterns. For Exchange alone, there are already numerous cases where this is utilised, for example, Internal IP Address Disclosure, Internal domain Name disclosure, Blocking of HTTP Methods and protection against Remote code Execution
With the recent vulnerabilities, Kemp LoadMaster once again provides simple-to-configure mitigation steps . Current Mitigation Actions recommended by Microsoft can be broken down into:
1.Dropping of requests containing specific identified cookies used by this exploit. See here for a guide on how to implement content rules on LoadMaster to block this traffic.
2. Disabling of services vulnerable to attack. See here for details of how to disable access to specific Exchange services on the LoadMaster or alternatively restrict access to specific IP address ranges using Access Control Lists.
Performing these mitigations steps on LoadMaster takes just minutes to complete and has a couple of benefits:
- It adds an extra level of protection by preventing these requests from ever reaching the Exchange Servers
- It provides an alternative mechanism to implement this without making Exchange modifications or installing dependencies such as IIS URL ReWrite Module.
- It gets around the fact that Microsoft’s mitigation script needs to be reapplied after any upgrade of Exchange where the security patch hasn’t been installed.
Summary
Loadmaster’s Pre-Authentication capabilities reduce the attack vector for Exchange application vulnerabilities by limiting server requests to those with validated credentials. As well as this, LoadMaster Content Rules provides an excellent tool that can be used as part of any mitigation strategy against Security Vulnerabilities.
For full protection it is of course recommended that Exchange Server security updates are applied as recommended by Microsoft but having the tools of LoadMaster for quick implementation of mitigation actions may be the difference between a compromised and uncompromised system.