Exchange Vulnerability Backend Cookie Mitigation on LoadMaster

As outlined here, one recommended mitigation against CVE-2021-26855 is to filter HTTPS requests that contain malicious X-AnonResource-Backend cookies and specifically crafted X-BEResource cookies, which were found to be used in the SSRF attacks. Microsoft’s remediation script configures URL Rules in IIS for this purpose.

This filtering may also be applied on LoadMaster using Content Rules. This has some benefits:

  1. It adds an extra level of protection by preventing these requests ever reaching the Exchange Servers
  2. It provides an alternative mechanism to implement this without making Exchange modifications or installing dependencies such as IIS URL ReWrite Module.
  3. It gets around the fact that this mitigation needs to be reapplied after any upgrade of Exchange where the security patch hasn’t been installed.

Note: this is only a mitigation. For full protection, apply the Exchange Server security updates as recommended by Microsoft.

The steps below show how to create and apply the required rules on LoadMaster.

Navigate to Rules and Checking > Content Rules and create the following two rules.

Rule Name: XAnonResourceBackend

Rule Type: Content Matching

Match Type: Regular Expression

Header Field: Cookie

Match String: /(.*)X-AnonResource-Backend(.*)/

Fail On Match: enable

Rule Name: XBEResourceBackend

Rule Type: Content Matching

Match Type: Regular Expression

Header Field: Cookie

Match String: /(.*)X-BEResource=(.+)\/(.+)~(.+)/

Fail On Match: enable

Once created, these rules should be applied to the main Exchange Virtual Service on LoadMaster.

Navigate to the Exchange Virtual Service under Virtual Services.

Click “Show Selection Rules”

From here you can select the Rules to apply.

Apply XBEResourceBackend and XAnonResourceBackend
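
To check offline what the two Match Strings catch, and that ordinary cookies are left alone, before applying the rules to the Virtual Service, the following added example (not part of the original article or of LoadMaster itself) evaluates them with Python's re module against constructed Cookie header values. It assumes the surrounding slashes in each Match String are regex delimiters and that a match with Fail On Match enabled means the request is refused; the function names are hypothetical and LoadMaster's own regex engine may differ in details.

```python
import re

# Match Strings copied from the two Content Rules above. Assumption: the
# leading and trailing "/" are regex delimiters, so they are stripped here.
RULES = {
    "XAnonResourceBackend": r"/(.*)X-AnonResource-Backend(.*)/",
    "XBEResourceBackend": r"/(.*)X-BEResource=(.+)\/(.+)~(.+)/",
}
COMPILED = {name: re.compile(ms[1:-1]) for name, ms in RULES.items()}


def matched_rules(cookie_header):
    """Return the names of the rules whose regex matches the Cookie header."""
    return [name for name, rx in COMPILED.items() if rx.search(cookie_header)]


def is_rejected(cookie_header):
    """Model of Fail On Match: any matching rule refuses the request."""
    return bool(matched_rules(cookie_header))


# Constructed sample Cookie header values (placeholders, not captured traffic).
SAMPLES = [
    # Ordinary session cookies: neither rule should fire.
    "ClientId=ABC123; OutlookSession=deadbeef",
    # The filtered cookie name appears among other cookies.
    "ClientId=ABC123; X-AnonResource-Backend=placeholder",
    # X-BEResource value in the <a>/<b>~<c> shape the second rule targets.
    "X-BEResource=aaa/bbb~ccc; ClientId=ABC123",
    # Both filtered cookies in one header.
    "X-AnonResource=true; X-AnonResource-Backend=placeholder; "
    "X-BEResource=aaa/bbb~ccc",
]

if __name__ == "__main__":
    for cookie in SAMPLES:
        verdict = "REJECT" if is_rejected(cookie) else "pass"
        print(f"{verdict:6} {matched_rules(cookie)} <- {cookie}")
```

Cookie values recorded from your own legitimate Exchange clients can be added to SAMPLES to confirm the rules do not refuse normal traffic.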
