ProxyLogon and ProxyShell mitigation
stevmorr
Newbie ✭
Hi,
Before anyone asks - yes we are on latest CU and SU for Exchange along with AV installed and is of course the best action to take.
Exchange servers have been hit hard this year and can be difficult to maintain quickly enough. If my understanding is correct these attacks start by creating .aspx files in certain directories exposed to the internet like OWA (outlook web access) etc they can then be used to execute commands without needing privileges. Has anyone considered using the firewalls Application rules to prevent an external connection sending aspx to email server? The most relevant KB article I could find was
I am no expert on Exchange so not sure if an action like this would break the email system. My reading so far indicates the only aspx files that should be in those directories are the ones added by Exchange when installed.
There is a good article from sophos on the topic which incidentally suggests they have IPS signatures for these vulnerabilities but have not seen a similar announcement from Sonicwall...
thanks
Answers
Hi @stevmorr
As per Sonicwall July 2021 Security bulletin, they are covered the MS Exchange Remote Code Execution vulnerability.
@stevmorr, you can check out capture labs portal for news, CVE's, signatures and more.