[German]Microsoft has released its onclick Microsoft Exchange (On-Premises) Mitigation Tool (EOMT) as of March 15, 2021. The tool is intended to provide a one-click solution to mitigate the CVE-2021-26855 chess vulnerability on on-premises Exchange Server installations and is primarily intended for administrators in smaller companies to have something in hand in the first place.
Notes on EOMT
Just over a week after Microsoft closed the four vulnerabilities in its on-premises Exchange servers (see Exchange server 0-day exploits are actively exploited), the Redmond-based company must have realized that administrators from smaller businesses in particular are hopelessly overwhelmed when it comes to quickly patch their on-premises Exchange servers and secure it after an infection. Therefore, the developers have created a “click-and-ready” solution, so to speak, which is supposed to help customers who do not have dedicated security or IT teams immediately to apply the provided security updates. EOMT is designed to do the following:
- The tool runs theMicrosoft Safety Scanner. This tool scans the machine for infections, so it can find and remove known malware.
- When the tool is executed, the CVE-2021-26855 vulnerability is automatically mitigated by using the IIS URL rewrite module to block cookie headers.
- It also checks the patch level of the affected Exchange Server and reports it to the administrator.
The Microsoft Exchange On-Premises Mitigation Tool (EOMT) has been tested by Microsoft with Exchange Server 2013-, 2016- and 2019. It is important to understand that this new tool is intended only as an interim measure for customers who are unfamiliar with the patch/update process or who have not yet applied the On-Premises Exchange Security Update.
Download and run EOMT
The Microsoft Exchange On-Premises Mitigation Tool (EOMT) is available for free download as a PowerShell module from Microsoft on this Github page. Microsoft recommends running this script instead of the older PoweShell script ExchangeMitigations.ps1, which is also provided. The Exchange On-premises Mitigation Tool automatically downloads all dependencies and runs the Microsoft Safety Scanner. EOMT.ps1 is fully automated and uses known, previously documented remediation methods. This script performs three operations:
Microsoft Exchange On-Premises Mitigation Tool (EOMT), Source: Microsoft
- Take measures against current known attacks with CVE-2021-26855 via a URL rewrite configuration.
- Scan the Exchange Server with Microsoft Safety Scanner to detect infections.
- Attempt to remediate compromises detected by the Microsoft Safety Scanner.
This is a better approach for Exchange deployments with Internet access and for customers who want or need a quick approach to automatically remediate the vulnerabilities and possibly isolate an infection – and don’t have access to experts to scan the installation on short notice. Developers have not observed any impact to Exchange Server functionality from these mitigation methods, nor do these mitigation methods make any direct changes that disable Exchange functionality.
Prerequisites for running EOMT
An external Internet connection from your Exchange server is required, as it is necessary for downloading the Microsoft Safety Scanner and the IIS URL Rewrite module. The PowerShell script must be run as administrator.
- PowerShell 3 or higher
- IIS 7.5 and higher
- Exchange 2013, 2016 or 2019
- Windows Server 2008 R2, Server 2012, Server 2012 R2, Server 2016, Server 2019
Comments on EOMT
At this point, I am personally highly divided. Of course, it’s good to have a “one-click” solution to scan an Exchange server, remove any infection found, and then harden the installation as well. However, Microsoft writes that this is effectively the first shot, and that this does not replace patching. The responsible parties must then check the Exchange Server for updates and security. There are also questions of principle.
- Problem 1: This solution is simply too late and it can be assumed that Exchange servers accessible on the Internet via port 443 have already been compromised. It is possible that EOMT will find and eliminate the malicious functions in Exchange Server and the underlying Windows Server. But then we are at problem 2.
- Problem 2: If Exchange Server is infected, it is unclear what else in the system has been tampered with, whether the attackers may have accessed and modified the underlying Active Directory structure.
- Problem 3: Possibly running EOMT complicates forensic analysis to find out what information may have been viewed and retrieved.
- Problem 4: The tool and defenses are not a substitute for patching, and unfortunately there will be users who will then not bring in professionals to review the Exchange Server installation. This leaves the instance open to be shot down for the next attacks.
For problem 4 in particular, it is imperative to bring in expertise to review the Exchange Server in the aftermath. In the blog post ProxyLogon hack: Administrator’s Repository for affected Exchange systems I have summarized what relevant information is available.
The background: The Exchange mass hack
here were four critical vulnerabilities in Microsoft’s Exchange servers that were not closed until March 2/3, 2021, by an unscheduled security update (see Exchange server 0-day exploits are actively exploited). The problem is that since January 2021 there have been attacks on Exchange servers that were accessible via the Internet using port 443. Then, since the end of February and then the beginning of March 2021, there have been mass scans of Exchange servers by an attacker group called Hafnium. It can be assumed that all unpatched (and many patched) Exchange Server on-premises installations are compromised. I’ve covered this topic in several blog posts linked below.
Exchange server 0-day exploits are actively exploited
Important notes from Microsoft regarding the Exchange server security update (March 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Hack News – Test tools from Microsoft and others
Microsoft MSERT helps to scan Exchange Servers
Cyber attack on Exchange server of the European Banking Authority
Exchange hack: new patches and new findings
Exchange Server: Remote Code Execution Vulnerability CVE-2020-16875
Exchange hack: new victims, new patches, new attacks
Update on ProxyLogon hafnium exchange issue (March 12, 2021)
Was there a leak at Microsoft in the Exchange mass hack?
ProxyLogon hack: Administrator’s Repository for affected Exchange systems
Cookies helps to fund this blog: Cookie settings