This post will explain proxynotshell vulnerability. Microsoft released a new, updated workaround to address the ProxyNotShell vulnerability on October 8th, 2022. For the third time, Microsoft revealed a fresh, modified URL Rewrite rule in a workaround article. The blocking rule in IIS Manager has been changed by Microsoft from “.*autodiscover.json.*Powershell.*” to “(?=.*autodiscover.json)(?=.*powershell).” Users are advised to update the new URL Rewrite rule in accordance with the modification.
To get the same security provided by the URL Rewrite Rule, Microsoft has advised customers to use the newly modified Exchange On-premises Mitigation EOMTv2.ps1 PowerShell tool. Get the most recent version here: EOMTv2.ps1.
A New Improved Workaround to Mitigate the ProxyNotShell Vulnerability
In this article, you can know about A New Improved Workaround to Mitigate the ProxyNotShell Vulnerability here are the details below;
1. Open IIS Manager on the Exchange server
Go to Tools -> Internet Information Services (IIS) Manager in Server Manager.
To open “IIS Manager” from “Server Manager,” an image (1)
2. open ‘URL Rewrite’ feature for ‘Autodiscover’ under ‘Default web Site’ in IIS Manager
Go to Hostname (this sample’s hostname is EXCH19) -> Sites -> Default Web Site -> Autodiscover in IIS Manager.
Choose “URL Rewrite” from the “IIS” menu. Also check Netflix stuck on loading screen
Click on “Open Feature” under “Actions” in the right-pane.
3. Add a rule Under “URL Rewrite”.
To add a new Inbound rule, click on “Add Rule(s)” under “Actions” under the “URL Rewrite” feature.
A picture to be included as “Add Rule(s)” under “URL Rewrite” (1)
4. Add a new Rule for ‘Request blocking’
Choose “Request blocking” from the list of “Inbound rules” in the Add Rule(s) window. Through the use of specific text patterns in the URL path, query string, HTTP headers, and server variables, a rule will be created to deny client requests. To continue, select “OK.” a graphic designating “Inbound Rule” as “Request Blocking” (1)
5. Update pattern (URL Path) in Request blocking Rule
Update the string “(?=.*autodiscover)(?=.*powershell)” in the “Add Request Blocking Rule” window (excluding quotes). Under Using, choose Regular Expression. Click OK after selecting Abort Request in the How to block section.
6. Edit the Conditions for the Inbound rule with the Pattern “.*autodiscover\.json.*PowerShell.*”
Change the Inbound Rule’s Conditions by adding the Pattern “.*autodiscover.json.*PowerShell.”
“Expand ‘RequestBlockingRule1’ on the ‘URL Rewrite’ page and choose the Rule with the Pattern ‘.*autodiscover.json.*Powershell*’.” and select “Edit” from the “Conditions” menu. A picture for the Inbound rule (1)
Change the URL in the condition input to the REQUEST URI
Change the “Condition input” from “URL” to “REQUEST URI” on the “Edit Condition” page, then click “OK.”
7. Update Condition input from {URL} to {Request_URI}
The Microsoft Exchange Server flaws CVE-2022-41040 and CVE-2022-41082 are linked together to broaden the attack surface; if an attacker uses the first to their advantage, they can also exploit the second. Through the use of exploitation, an attacker can process the execution of malware or even have total control over the compromised system. It is essential to be aware of the new, enhanced fix to mitigate the ProxyNotShell vulnerabilities in order to prevent this exploitation. Also check roku remote not working
We hope that this document will inform you of the updated, improved fix for the two 0-day vulnerabilities in Microsoft Exchange Server known as ProxyNotShell. Share this article and aid in protecting the internet.
