MicrosoftSince upgrading to CU15, a new high severity vulnerability is detected in my environment:
Additional description includes:
"The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address.
An attacker can send a crafted GET request to the Web Server with an empty host header that would expose internal IP Addresses of the underlying system in the header response."
"Only attack two (Reverse Proxy / Gateway) is fixed in current versions. Apply the latest supplied vendor patches."
"Nessus was able to verify the issue with the following request :
GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Which returned the following IP address :
internal.Exchange.IP.address"
Previously, this was caused by a missing alternateHostName in the IIS web.config file (in c:\inetpub\wwwroot). CU 15 seems to clobber that file, removing the alternateHostName I'd previously defined:
<system.webServer>
<serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" />I re-added the alternateHostName immediately after the CU15 (it's something I always check for now):
<system.webServer>
<serverRuntime appConcurrentRequestLimit="65535" uploadReadAheadSize="0" alternateHostName="XXX.YYY.ZZZ" />Which does not seem to help anymore.
Did Exchange change what file this setting should be located in? Where should "alternateHostName" now be defined?
Thank you,
~Bill
MicrosoftThanks; we are looking into this. Do not have an answer as of now.
Hi, there.
Is there a feedback relating this vulnerability notification? Can this be considered a false positive?
