Exchange Vulnerability Backend Cookie Mitigation on LoadMaster
As outlined here, one recommended mitigation against CVE-2021-26855 is to filter HTTPS requests that contain a malicious X-AnonResource-Backend cookie or a specially crafted X-BEResource cookie, both of which were found to be used in the SSRF attacks. Microsoft's remediation script results in the following URL Rules being configured in IIS:
The same filtering can be applied on LoadMaster using Content Rules. This has several benefits:
- It adds an extra level of protection by preventing these requests ever reaching the Exchange Servers
- It provides an alternative way to implement the filter without modifying Exchange or installing dependencies such as the IIS URL Rewrite Module.
- It gets around the fact that this mitigation needs to be reapplied after any upgrade of Exchange where the security patch hasn’t been installed.
Note that this is only a mitigation; for full protection, apply the Exchange Server security updates as recommended by Microsoft.
The steps below show how to create and apply the required rules on LoadMaster.
Navigate to Rules and Checking > Content Rules and create the following two rules:
Rule Name: XAnonResourceBackend
Rule Type: Content Matching
Match Type: Regular Expression
Header Field: Cookie
Match String: /(.*)X-AnonResource-Backend(.*)/
Fail On Match: enable
Rule Name: XBEResourceBackend
Rule Type: Content Matching
Match Type: Regular Expression
Header Field: Cookie
Match String: /(.*)X-BEResource=(.+)\/(.+)~(.+)/
Fail On Match: enable
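To see what the two rules above actually reject, the following added example (not part of the original article or of LoadMaster itself) evaluates the same two regular expressions against a few constructed Cookie header values. The LoadMaster `/.../` delimiters are dropped because Python's `re` module does not use them; with "Fail On Match" enabled, any match means the request is rejected, so a non-empty match list models a blocked request. The sample cookie values and the helper names are this example's own.

```python
import re

# The two Cookie-header patterns from the LoadMaster Content Rules above.
# LoadMaster writes regexes as /.../; the slashes are delimiters, not pattern text.
CONTENT_RULES = {
    "XAnonResourceBackend": re.compile(r"(.*)X-AnonResource-Backend(.*)"),
    "XBEResourceBackend": re.compile(r"(.*)X-BEResource=(.+)/(.+)~(.+)"),
}


def matching_rules(cookie_header):
    """Return the names of the rules whose pattern matches the Cookie header value.

    Each rule has 'Fail On Match' enabled, so a match means the rule fails
    and LoadMaster rejects the request before it reaches Exchange.
    """
    return [name for name, pattern in CONTENT_RULES.items()
            if pattern.search(cookie_header)]


def request_blocked(cookie_header):
    """True if at least one Content Rule would reject a request carrying this Cookie header."""
    return bool(matching_rules(cookie_header))


# Constructed sample Cookie header values (hypothetical, not captured traffic).
SAMPLE_COOKIES = [
    # Ordinary Outlook Web App session cookies: neither rule matches, request passes.
    "ClientId=ABC123; X-OWA-CANARY=xyz; cadata=abc",
    # Any cookie naming X-AnonResource-Backend: rejected by the first rule.
    "X-AnonResource=true; X-AnonResource-Backend=backend.example/some/path?~1",
    # X-BEResource value of the form <host>/<path>~<version>: rejected by the second rule.
    "X-BEResource=backend.example:444/owa/~1",
    # X-BEResource without the '/' and '~' components: the second rule does not match.
    "X-BEResource=foo",
]


def evaluate_samples():
    """Map each constructed Cookie header to the list of rules it trips."""
    return {cookie: matching_rules(cookie) for cookie in SAMPLE_COOKIES}


if __name__ == "__main__":
    for cookie, rules in evaluate_samples().items():
        verdict = "BLOCKED by " + ", ".join(rules) if rules else "allowed"
        print(f"{verdict:45} <- Cookie: {cookie}")
```

The `(.*)` prefix on each pattern is kept so the Python behaviour mirrors the rules exactly as the article configures them; `re.search` would find the cookie name anywhere in the header even without it. The comparison here is case-sensitive, which matches how cookie names are compared; check the case-handling options of your LoadMaster release when you configure the rules there.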
Once created, these rules should be applied to the main Exchange Virtual Service on LoadMaster.
Navigate to the Exchange Virtual Service under Virtual Services.
Click “Show Selection Rules”
From here you can select the Rules to apply.
Apply XBEResourceBackend and XAnonResourceBackend.