Microsoft has released a PowerShell script to help customers running its on-premises Exchange Server software quickly and easily mitigate a chain of vulnerabilities that is currently under heavy exploitation.
The Exchange On-Premises Mitigation Tool, or EOMT, is recommended over Microsoft's earlier ExchangeMitigations.ps1 script, and handles the CVE-2021-26855 vulnerability through a uniform resource locator (URL) rewrite configuration.
This, Microsoft said, mitigates against the known methods of exploiting the CVE-2021-26855 server-side request forgery authentication bypass vulnerability, which forms the first part of a four-stage attack chain that can lead to full system compromise.
Microsoft has released a new, one-click mitigation tool to help customers who do not have dedicated security or IT teams to apply the Exchange security updates
1⃣ Applies CVE-2021-26855 mitigation
2⃣ Runs MSERT scan
3⃣ Reverse any changes made by identified threats
— Tanmay Ganacharya (@tanmayg) March 15, 2021
On top of mitigating against CVE-2021-26855, EOMT is fully automated and downloads all the dependencies it requires.
EOMT also runs the Microsoft Safety Scanner to detect malware on affected Exchange Servers, and attempts to remediate any compromises it detects.
The tool requires PowerShell 3 or later, and Internet Information Services 7.5 or later.
Microsoft has tested EOMT on Exchange 2013, 2016 and 2019, with no adverse effects discovered so far.
Exchange administrators are advised that EOMT should only be used as a temporary mitigation measure until their servers can be fully updated.
Exploitation of unpatched servers continues worldwide, with reports of ransomware being installed on them, along with webshells for data exfiltration.
Working together with Microsoft, security vendor RiskIQ tracked the Exchange patching progress, and noted that on March 12, Australia had over 2100 vulnerable servers. Worldwide, the number is over 80,000.