by Michael Bianchi
Senior Systems Engineer
Microsoft recently published a security advisory (CVE-2019-0686) for a newly discovered Exchange Server vulnerability: an elevation-of-privilege issue in Exchange Web Services (EWS) push notifications. The details can be found here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0686
Microsoft released the advisory on the same day as its quarterly Exchange updates, and at the time of writing no patch was available, only a workaround.
Microsoft's suggested workaround is a throttling policy that stops Exchange from issuing EWS push notifications (by setting the EWS subscription limit to zero). The impact is that this will likely break any third-party applications or services that communicate with Exchange through a service account, most of which do so through EWS (for example iManage, Mimecast Integrated Windows Authentication, Avaya and other Unified Messaging products). Outlook for Mac and Skype for Business also rely on EWS notifications and will be affected by this change.
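The following is an added example of that throttling workaround as run from the Exchange Management Shell; it is not code from the original post or from Microsoft's advisory. It assumes the Exchange 2013/2016/2019 cmdlet parameters, uses an arbitrary policy name (NoEWSSubscription), and shows how to verify the change and roll it back later.

```powershell
# Added example, not from the original post: apply, verify and (later) roll back the
# EWS throttling workaround from the Exchange Management Shell.
# Assumptions: Exchange 2013/2016/2019 cmdlet parameters; 'NoEWSSubscription' is an
# arbitrary policy name. Exchange 2010 has no ThrottlingPolicyScope parameter, so there
# you would run Set-ThrottlingPolicy -EWSMaxSubscriptions 0 against the default policy instead.

$PolicyName = 'NoEWSSubscription'

# 1. Record what is in place today so the change can be audited or reversed later.
Get-ThrottlingPolicy |
    Select-Object Name, ThrottlingPolicyScope, EwsMaxSubscriptions |
    Format-Table -AutoSize

# 2. Create an Organization-scope policy that allows zero EWS subscriptions. Without a
#    subscription, Exchange has nothing to push, so it never connects outbound to a
#    client-supplied notification URL using its own credentials.
New-ThrottlingPolicy -Name $PolicyName -ThrottlingPolicyScope Organization -EwsMaxSubscriptions 0

# 3. Verify the new policy. Throttling precedence is Regular > Organization > Global,
#    so any mailbox with an explicitly assigned Regular policy keeps that policy's limit
#    and has to be handled separately.
$org = Get-ThrottlingPolicy -Identity $PolicyName
if ($org.EwsMaxSubscriptions -ne 0) {
    throw "Expected EwsMaxSubscriptions = 0 on $PolicyName, got $($org.EwsMaxSubscriptions)"
}

$explicit = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ThrottlingPolicy } |
    Select-Object Name, ThrottlingPolicy
if ($explicit) {
    Write-Warning 'Mailboxes with an explicit Regular policy; review EwsMaxSubscriptions on each:'
    $explicit | Format-Table -AutoSize
}

# 4. Roll back once a fixed Exchange build is installed:
#    Remove-ThrottlingPolicy -Identity $PolicyName -Confirm:$false
```

Run it as an administrator with the Organization Management role. The mailbox scan in step 3 is the part most often skipped: a mailbox that was given its own Regular policy years ago (for a migration tool or a busy service account) will silently keep creating EWS subscriptions after the Organization-scope policy is in place.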
To mitigate the risk without crippling mission-critical applications, we advise blocking unnecessary external access to EWS by implementing rules and/or filters at your network edge, on firewalls or load-balancing appliances that have this capability, while leaving internal clients and the subnets your EWS-dependent applications live on untouched.
Two examples, one for Cisco appliances and one for Citrix NetScaler:
Organizations running a next-generation security appliance (such as Cisco's) can use its Layer 7 tooling to restrict HTTPS URLs as they cross the security boundaries it enforces. Because the URL path is inside TLS, this generally requires a decrypt-and-resign (TLS inspection) policy, but it lets you reduce exposure to this vulnerability at the network layer without changing Exchange itself.
On a Citrix NetScaler, create a Responder policy and bind it to the Exchange EWS virtual server (VIP). The policy inspects the HTTP request URL and drops any request whose path contains the EWS expression.
It can then be narrowed with additional filters so that only specific subnets in your environment (for example, the servers hosting your EWS-dependent applications) may connect. Remember that any legitimate external EWS consumer, such as Exchange Online hybrid traffic or mailbox moves through MRSProxy (which is published under /EWS/), also needs an allow entry.
- If the HTTP request URL contains /EWS (in any letter case), DROP the request. The matching expression is:
- HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS("/ews")
- Block all but allow from specific subnets (the two /24 ranges below are placeholders; substitute your own):
- add responder policy resp_exchange_ems_external_drop_pol "CLIENT.IP.SRC.IN_SUBNET(10.10.1.0/24).NOT && CLIENT.IP.SRC.IN_SUBNET(220.127.116.11/24).NOT && HTTP.REQ.URL.SET_TEXT_MODE(IGNORECASE).CONTAINS(\"/ews\")" DROP -comment "Created by Helient Systems"
- Bind the policy to the EWS virtual server so it takes effect (replace <ews_vip_name> with the name of your vserver):
- bind lb vserver <ews_vip_name> -policyName resp_exchange_ems_external_drop_pol -priority 100 -gotoPriorityExpression END -type REQUEST
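Once the edge rule is in place, it should be tested rather than assumed. The following is an added check, not part of the original post or of any vendor documentation: a PowerShell probe that requests several EWS path variants (the rule matches case-insensitively) plus a non-EWS path on the same VIP, and reports whether each was dropped or reached Exchange. mail.example.com is a placeholder hostname. Run it once from a host outside the permitted subnets (all EWS paths should be dropped, OWA should answer) and once from inside a permitted subnet (EWS paths should return HTTP 401, proving the allow entry works).

```powershell
# Added example, not from the original post: probe the published EWS endpoint to confirm
# the edge rule drops it while other paths on the same VIP still answer.
# Assumptions: Windows PowerShell 5.1 (Invoke-WebRequest throws System.Net.WebException
# on non-2xx responses); mail.example.com is a placeholder for your external hostname.

$ExternalHost = 'mail.example.com'
$TimeoutSec   = 10

# Variants the responder policy must catch: mixed case, bare directory, and MRSProxy,
# which also lives under /EWS/ and is blocked along with it.
$BlockedPaths = @('/EWS/Exchange.asmx', '/ews/exchange.asmx', '/Ews/', '/EWS/mrsproxy.svc')
# A path on the same VIP that must keep working, to prove the rule is not over-broad.
$AllowedPaths = @('/owa/')

function Invoke-EwsProbe {
    param([string]$Path)
    $uri = "https://$ExternalHost$Path"
    try {
        $r = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec $TimeoutSec -ErrorAction Stop
        return "HTTP $($r.StatusCode) (request reached Exchange)"
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp) {
            # 401 is the normal unauthenticated answer from EWS/OWA: the request got through.
            return "HTTP $([int]$resp.StatusCode) (request reached Exchange)"
        }
        # No HTTP response at all: the responder DROP action, or a TLS/connection problem.
        return "no HTTP response: $($_.Exception.Status)"
    }
}

$results = @(
    foreach ($p in $BlockedPaths) {
        [pscustomobject]@{ Path = $p; Expect = 'dropped'; Got = Invoke-EwsProbe $p }
    }
    foreach ($p in $AllowedPaths) {
        [pscustomobject]@{ Path = $p; Expect = 'served';  Got = Invoke-EwsProbe $p }
    }
)
$results | Format-Table -AutoSize

$failures = $results | Where-Object {
    ($_.Expect -eq 'dropped' -and $_.Got -notlike 'no HTTP response*') -or
    ($_.Expect -eq 'served'  -and $_.Got -like    'no HTTP response*')
}
if ($failures) {
    Write-Warning 'Edge rule did not behave as expected for these paths:'
    $failures | Format-Table -AutoSize
} else {
    Write-Host 'Edge rule behaves as expected from this vantage point.'
}
```

If OWA shows "no HTTP response" as well, check the reported WebException status before blaming the rule: a TrustFailure means the probe host does not trust the certificate on the VIP, not that the request was dropped.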
UPDATED INFORMATION MARCH 6, 2019: Microsoft has since shipped changes to EWS push notifications in the latest Exchange updates, and these resolve the vulnerability. Details here: https://support.microsoft.com/en-us/help/4490060/exchange-web-services-push-notifications-can-provide-unauthorized-acce.
The change in behavior takes effect in the following Exchange releases:
- Exchange Server 2019 – Cumulative Update 1
- Exchange Server 2016 – Cumulative Update 12
- Exchange Server 2013 – Cumulative Update 22
- Exchange Server 2010 – Update Rollup 26
Helient is available to discuss, design and implement an appropriate workaround strategy. We will update this post as more information becomes available or if a hotfix is released. Please contact us at email@example.com with any questions or for more information.