Workaround: Apply IIS workaround for CVE-2022-41040 (Microsoft Exchange) v2

This is Community Content. When you use these solutions, it is incumbent on your organization to test any solutions provided across the broadest available system base, including various OS, storage solutions, and application inventory.

Please see the Community Solution Testing Statement: https://forum.bigfix.com/t/log4j-vulnerability-identification-and-3rd-party-remediation-solution-testing-statement/40273

This Fixlet will, if necessary, download and install the "Microsoft URL Rewrite" module for IIS, and apply the URL rewrite workaround to block CVE-2022-41040 on the "Default Web Site" configuration. This workaround is described at https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/

While the vulnerability is being leveraged specifically against Microsoft Exchange servers, this Fixlet is not limited to Exchange Server and will be relevant on any Microsoft IIS server that does not have the URL Rewrite rule installed. It is a request-blocking mitigation, not a patch for the underlying vulnerability.

This Fixlet is based on the third version of Microsoft's mitigation guidance, released October 6, 2022. If the earlier guidance was applied by the earlier version of this Fixlet, that earlier mitigation is removed after the later version is applied.

If a web.config already exists, it is backed up prior to modification. The backup file is named 'web.config.cve-2022-41040v2.{actionid}.bak'. If the backup file already exists, the action fails, and you should investigate whether the mitigation is being removed after it is applied.

Customization: The ActionScript contains a parameter "Restart_IIS". If left at the default value, the IIS service is automatically restarted after the mitigation is applied. If changed to 'false', IIS is not restarted and the Action is flagged with a 'restart required' flag.

Relevance:

windows of operating system AND (if exists property "in proxy agent context" then not in proxy agent context else true)

x64 of operating system

exists service "W3SVC"

(not exists selects "configuration/system.webServer/rewrite/rules/rule" whose (
    not exists attribute "patternSyntax" of it /* a regex rule carries no 'patternSyntax' attribute; only the superseded Wildcard rule sets it */
    and node value of attribute "stopProcessing" of it = "true"
    and exists child nodes whose (node name of it = "match" and node value of attribute "url" of it = ".*") of it
    and exists child nodes whose (node name of it = "conditions" and exists child nodes whose (node name of it = "add" of it and node value of attribute "input" of it = "{UrlDecode:{REQUEST_URI}}" and node value of attribute "matchType" of it = "Pattern" and node value of attribute "pattern" of it = ".*autodiscover\.json.*Powershell.*" and node value of attribute "ignoreCase" of it = "true" and node value of attribute "negate" of it = "false") of it) of it
    and exists child nodes whose (node name of it = "action" and node value of attribute "type" of it = "AbortRequest") of it
) of xml documents of files "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry))

Internal 2022-10-06 CVE-2022-41040 x-fixlet-modification-time: Thu, 06 Oct 2022 16:11:31 +0000 BESC

Click here to deploy this action.
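The relevance above decides whether a host still needs the action, but it is only evaluated by the BigFix agent. The following PowerShell script is an added example, not part of this Fixlet, that reports the same state on a single IIS host for manual verification or for a ticket: it reads the same PathWWWRoot registry value, identifies the October 6 rule by its attributes (the relevance does not key on the rule name, and neither does this), identifies the superseded September 29 rule the way the action's cleanup step does, checks that the URL Rewrite module is installed (without it the rule never runs), and lists the backups the action leaves behind. The function names are this example's own.

```powershell
# Added example (not part of the Fixlet): report the CVE-2022-41040 rewrite-rule state on an IIS host.
# Reproduces the Fixlet's relevance in PowerShell. Function names are this example's own; the web root
# comes from the same HKLM\SOFTWARE\Microsoft\InetStp\PathWWWRoot value the Fixlet reads.

function Test-Cve41040RuleV2 {
    # True when $Rule is the October 6 guidance rule: decoded URI, no patternSyntax, AbortRequest.
    param([System.Xml.XmlElement]$Rule)
    $match  = $Rule.SelectSingleNode('match')
    $action = $Rule.SelectSingleNode('action')
    $cond   = @($Rule.SelectNodes('conditions/add') | Where-Object {
        $_.GetAttribute('input')      -eq '{UrlDecode:{REQUEST_URI}}' -and
        $_.GetAttribute('matchType')  -eq 'Pattern' -and
        $_.GetAttribute('pattern')    -eq '.*autodiscover\.json.*Powershell.*' -and
        $_.GetAttribute('ignoreCase') -eq 'true' -and
        $_.GetAttribute('negate')     -eq 'false'
    })
    return (-not $Rule.HasAttribute('patternSyntax')) -and
           $Rule.GetAttribute('stopProcessing') -eq 'true' -and
           $null -ne $match  -and $match.GetAttribute('url')   -eq '.*' -and
           $null -ne $action -and $action.GetAttribute('type') -eq 'AbortRequest' -and
           $cond.Count -gt 0
}

function Test-Cve41040RuleV1 {
    # True when $Rule is the superseded September 29 rule that the action's cleanup step removes.
    param([System.Xml.XmlElement]$Rule)
    return $Rule.GetAttribute('name') -eq 'RequestBlock-CVE-2022-41040' -and
           $Rule.GetAttribute('patternSyntax') -eq 'Wildcard'
}

function Get-Cve41040MitigationState {
    # Returns an object describing module presence, rule presence and backups for the IIS root web.config.
    $webRoot = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\InetStp').PathWWWRoot
    $file    = Join-Path ([Environment]::ExpandEnvironmentVariables($webRoot)) 'web.config'

    # The <rewrite> section is only honoured (and only valid) when the URL Rewrite module is installed.
    $module = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall' |
              Get-ItemProperty |
              Where-Object { $_.DisplayName -like 'IIS URL Rewrite Module 2*' }

    $v2 = @(); $v1 = @()
    if (Test-Path $file) {
        [xml]$xml = Get-Content -Raw -Path $file
        $rules = @($xml.SelectNodes('/configuration/system.webServer/rewrite/rules/rule'))
        $v2 = @($rules | Where-Object { Test-Cve41040RuleV2 $_ })
        $v1 = @($rules | Where-Object { Test-Cve41040RuleV1 $_ })
    }

    [pscustomobject]@{
        WebConfig        = $file
        WebConfigExists  = Test-Path $file
        RewriteModule    = [bool]$module
        V2RuleApplied    = $v2.Count -gt 0   # the Fixlet is no longer relevant when this is true
        V1RuleStillThere = $v1.Count -gt 0   # should be false once the action's cleanup step has run
        Backups          = @(Get-ChildItem -Path "$file.cve-2022-41040v2.*.bak" -ErrorAction SilentlyContinue).Name
    }
}

Get-Cve41040MitigationState | Format-List
```

Run it in an elevated PowerShell on the IIS host. A result of V2RuleApplied = True with RewriteModule = False means the rule is present in the file but cannot be enforced, which the relevance alone would not reveal; V1RuleStillThere = True after the action has completed means the cleanup step did not run, which is worth investigating together with a failed action.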
Action Script:

begin prefetch block
    if {not exists keys whose (value "DisplayName" of it as string starts with "IIS URL Rewrite Module 2") of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry}
        add prefetch item name=rewrite_amd64_en-US.msi sha1=8f41a67fa49110155969dccff265b8623a66448f size=6078464 url=https://download.microsoft.com/download/1/2/8/128E2E22-C1B9-44A4-BE2A-5859ED1D4592/rewrite_amd64_en-US.msi sha256=37342ff2f585f263f34f48e9de59eb1051d61015a8e967dbde4075716230a32a
    endif
end prefetch block

parameter "Restart_IIS"="true"

// Install the URL Rewrite module if it is not already present
if {not exists keys whose (value "DisplayName" of it as string starts with "IIS URL Rewrite Module 2") of keys "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall" of native registry}
    waithidden msiexec /i __Download\rewrite_amd64_en-US.msi /qn
endif

if {not exists file "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}
    // The web.config XML file does not exist at all, so create one from scratch
    delete __createfile
    createfile until EOF_EOF_EOF_EOF
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="RequestBlock-CVE-2022-41040_20221006" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{{UrlDecode:{{REQUEST_URI}}" matchType="Pattern" pattern=".*autodiscover\.json.*Powershell.*" ignoreCase="true" negate="false" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
EOF_EOF_EOF_EOF
    copy __createfile "{pathname of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}\web.config"
else
    // The web.config XML file already exists; generate a PowerShell script that adds the rewrite rule we need, preserving the other file contents
    // Back up the current version first. The action id in the target filename *should* make the backup unique; let the action fail if the backup file already exists
    copy "{pathname of file "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}" "{pathname of file "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}.cve-2022-41040v2.{id of action as string}.bak"
    createfile until EOF_EOF_EOF_EOF
$file="{pathname of file "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}"
[xml]$xml=(Get-Content $file)
[System.Xml.XmlElement] $root = $xml.get_DocumentElement()
$node=$root.SelectNodes("/")
# Create any missing ancestor elements so the rule can be inserted at /configuration/system.webServer/rewrite/rules
$confignode=$root.SelectNodes("/configuration")
if ($confignode.count -eq 0) {{ $confignode = $root.AppendChild($xml.CreateElement("configuration")) }
$webservernode=$root.SelectNodes("/configuration/system.webServer")
if ($webservernode.count -eq 0) {{ $webservernode = $confignode.AppendChild($xml.CreateElement("system.webServer")) }
$rewritenode=$root.SelectNodes("/configuration/system.webServer/rewrite")
if ($rewritenode.count -eq 0) {{ $rewritenode = $webservernode.AppendChild($xml.CreateElement("rewrite")) }
$rulesnode=$root.SelectNodes("/configuration/system.webServer/rewrite/rules")
if ($rulesnode.count -eq 0) {{ $rulesnode = $rewritenode.AppendChild($xml.CreateElement("rules")) }
# At this point we can be assured that rulesnode exists and our expected rule is missing (based on relevance)
$newrule=$xml.createElement("rule")
$newattr = $newrule.SetAttribute("name","RequestBlock-CVE-2022-41040_20221006")
$newattr = $newrule.SetAttribute("stopProcessing","true")
$newrulematch=$xml.createElement("match")
$newattr = $newrulematch.SetAttribute("url",".*")
$conditions=$xml.createElement("conditions")
$condition=$xml.createElement("add")
$condition.SetAttribute("input", "{{UrlDecode:{{REQUEST_URI}}")
$condition.SetAttribute("matchType", "Pattern")
$condition.SetAttribute("pattern", ".*autodiscover\.json.*Powershell.*")
$condition.SetAttribute("ignoreCase", "true")
$condition.SetAttribute("negate", "false")
$conditions.AppendChild($condition)
$action=$xml.CreateElement("action")
$action.SetAttribute("type", "AbortRequest")
# Assemble the rule in the order IIS expects: match, conditions, action
$newrule.AppendChild($newrulematch)
$newrule.AppendChild($conditions)
$newrule.AppendChild($action)
$rulesnode.AppendChild($newrule)
$xml.Save($file)
EOF_EOF_EOF_EOF
    delete UpdateWebConfig.ps1
    move __createfile UpdateWebConfig.ps1
    action uses wow64 redirection false
    waithidden cmd.exe /c "PowerShell.exe -NonInteractive -ExecutionPolicy Bypass -File UpdateWebConfig.ps1 > "UpdateWebConfig.out" 2>&1"
endif

// Validate that the newest mitigation is applied, then remove the earlier mitigation if it is still present
continue if {(exists selects "configuration/system.webServer/rewrite/rules/rule" whose (
    not exists attribute "patternSyntax" of it /* a regex rule carries no 'patternSyntax' attribute; only the superseded Wildcard rule sets it */
    and node value of attribute "stopProcessing" of it = "true"
    and exists child nodes whose (node name of it = "match" and node value of attribute "url" of it = ".*") of it
    and exists child nodes whose (node name of it = "conditions" and exists child nodes whose (node name of it = "add" of it and node value of attribute "input" of it = "{UrlDecode:{REQUEST_URI}}}}" and node value of attribute "matchType" of it = "Pattern" and node value of attribute "pattern" of it = ".*autodiscover\.json.*Powershell.*" and node value of attribute "ignoreCase" of it = "true" and node value of attribute "negate" of it = "false") of it) of it
    and exists child nodes whose (node name of it = "action" and node value of attribute "type" of it = "AbortRequest") of it
) of xml documents of files "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry))}

if {(exists selects "configuration/system.webServer/rewrite/rules/rule" whose (
    node value of attribute "name" of it = "RequestBlock-CVE-2022-41040"
    and node value of attribute "patternSyntax" of it = "Wildcard"
    and node value of attribute "stopProcessing" of it = "true"
    and exists child nodes whose (node name of it = "match" and node value of attribute "url" of it = "*") of it
    and exists child nodes whose (node name of it = "conditions" and exists child nodes whose (node name of it = "add" of it and node value of attribute "input" of it = "{REQUEST_URI}}" and node value of attribute "matchType" of it = "Pattern" and node value of attribute "pattern" of it = ".*autodiscover\.json.*\@.*Powershell.*") of it) of it
) of xml documents of files "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry))}
    // Delete the earlier mitigation from the web.config
    delete __createfile
    createfile until EOF_EOF_EOF_EOF
$file="{pathname of file "web.config" of native folder (expand environment string of (it as string) of value "PathWWWRoot" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\InetStp" of native registry)}"
[xml]$xml=(Get-Content $file)
[System.Xml.XmlElement] $root = $xml.get_DocumentElement()
$node=$root.SelectSingleNode("/configuration/system.webServer/rewrite/rules/rule[@name='RequestBlock-CVE-2022-41040']")
$node.ParentNode.RemoveChild($node) | Out-Null
$xml.Save($file)
EOF_EOF_EOF_EOF
    delete UpdateWebConfig2.ps1
    move __createfile UpdateWebConfig2.ps1
    action uses wow64 redirection false
    // Write to a separate log so the output of the first script is not overwritten
    waithidden cmd.exe /c "PowerShell.exe -NonInteractive -ExecutionPolicy Bypass -File UpdateWebConfig2.ps1 > "UpdateWebConfig2.out" 2>&1"
endif

if {parameter "Restart_IIS" of action as string = "true"}
    waithidden cmd.exe /c "IISReset"
else
    action requires restart "RequestBlock-CVE-2022-41040_20221006"
endif

Click here to view the Microsoft Advisory for CVE-2022-41040: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/