Microsoft has released a one-click mitigation tool to enable customers who may not have dedicated security or IT teams to apply emergency patches to their on-premise Exchange servers against the ProxyLogon vulnerabilities.
Redmond said it had been working actively with customers through its support teams, third-party hosting providers and its channel partner network to help them secure their environments and respond to threats resulting from attacks exploiting ProxyLogon – which began through a state-linked Chinese group known as Hafnium and have since spread far and wide to be exploited by many others, including ransomware gangs.
Based on these engagements, Microsoft’s teams realised there was a clear need for a “simple, easy-to-use, automated” solution to meet the needs of customers running current and out-of-support versions of on-premise Exchange Server.
Tested across Exchange Server 2013, 2016 and 2019 deployments, Microsoft said the new tool was supposed to serve as an “interim mitigation” for users who may not necessarily be familiar with standard patch and update procedures, or who have not yet applied the updates, which dropped on 2 March.
“By downloading and running this tool, which includes the latest Microsoft Safety Scanner, customers will automatically mitigate CVE-2021-26855 on any Exchange server on which it is deployed,” said Microsoft in its release notes.
“This tool is not a replacement for the Exchange security update, but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premise Exchange Servers prior to patching.”
Users who wish to take advantage of the tool should download it from Microsoft here, and run it on their Exchange Servers immediately, prior to following the established guidance here. Users who are already running Microsoft Safety Scanner should continue to do so to assist with further mitigations.
Once it has run, the new tool will mitigate against current known attacks exploiting CVE-2021-26855 – the initial entry vector, a server-side request forgery vulnerability that lets a malicious actor send arbitrary HTTP requests and authenticate as the target Exchange server – by applying a URL rewrite configuration; it will then scan the Exchange Server for any issues and attempt to reverse any changes that identified threats may have made. It should not affect any Exchange Server functionality.
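A defender who has run the tool will want to confirm that the URL rewrite mitigation actually landed on the server. The following is an added example, not Microsoft's code or part of the article: it parses an IIS web.config and lists every inbound URL Rewrite rule that aborts a request based on the HTTP_COOKIE server variable, which is the shape of mitigation the article describes. The sample web.config, the rule name and the cookie pattern are constructed placeholders, not the real values the tool writes.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from any real server). The rule
# name and cookie pattern are placeholders standing in for whatever the
# mitigation tool actually writes.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="PLACEHOLDER mitigation rule" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_COOKIE}" pattern="(.*)PLACEHOLDER-COOKIE(.*)" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
        <rule name="Unrelated redirect" stopProcessing="true">
          <match url="^owa$" />
          <action type="Redirect" url="/owa/" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
"""


def cookie_abort_rules(web_config_xml):
    """Return (rule name, cookie pattern) for each inbound URL Rewrite rule
    whose action is AbortRequest and whose condition inspects HTTP_COOKIE.
    An empty list means no such mitigation rule exists in this web.config."""
    root = ET.fromstring(web_config_xml)
    found = []
    for rule in root.iter("rule"):
        action = rule.find("action")
        if action is None or action.get("type") != "AbortRequest":
            continue  # redirects, rewrites etc. are not the mitigation
        for cond in rule.iter("add"):
            if cond.get("input", "").upper() == "{HTTP_COOKIE}":
                found.append((rule.get("name"), cond.get("pattern")))
    return found


def mitigation_present(web_config_xml):
    """True if at least one cookie-based abort rule is configured."""
    return bool(cookie_abort_rules(web_config_xml))


if __name__ == "__main__":
    for name, pattern in cookie_abort_rules(SAMPLE_WEB_CONFIG):
        print(f"abort rule {name!r} on cookie pattern {pattern!r}")
    print("mitigation present:", mitigation_present(SAMPLE_WEB_CONFIG))
```

On a real server, read the Default Web Site's web.config (typically under the inetpub wwwroot directory) and pass its contents to `cookie_abort_rules`; an empty result after running the tool means the mitigation did not apply and the server still needs patching urgently.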
It is important to note that this tool is effective only against attacks and exploits seen to date and is not guaranteed to fix attacks that may emerge in the immediate future – therefore, it should only be used as a temporary fix until full updates can be applied.
Microsoft is recommending it over its previous mitigation script because it is tuned based on up-to-date intelligence, but, its experts added, if you have already started using the previous one, it is absolutely fine to change to the new one.
More technical information, examples and guidance on using the tool can be found on GitHub.