Synopsis
The remote mail server is affected by an information disclosure vulnerability.
Description
The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address.
An attacker can send a crafted GET request to the web server with an empty Host header that would expose internal IP addresses of the underlying system in the response headers.
Please add capability to check URL rewrite rule for hiding server internal IP as explained below.
@Murat-Guner based off that article, that issue is only for IIS and only for unsupported versions of IIS. I don't see the value add to include this into an Exchange Health Checker script.
Historically, on our Exchange 2016 setup, we successfully mitigated this vulnerability by implementing a URL rewrite rule. This approach was similar to the recommendations in the article that @Murat-Guner shared. The rule was able to effectively hide our server internal IP address from being disclosed through an empty Host header in GET requests.
However, after we upgraded our version to Exchange 2019, we've hit a roadblock. The same URL rewrite rule that served us well in the past now introduces complications. Can you please provide a way to mitigate this vulnerability?
https://www.cyberis.com/article/microsoft-exchange-client-access-server-information-disclosure
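One shape the requested check could take, as an added example that is not code from the Health Checker script or from the linked article: a PowerShell function that inspects an IIS web.config for a URL Rewrite rule aborting requests whose Host header is empty, plus a helper that flags RFC 1918 addresses in a response header value. The rule form (a condition on `{HTTP_HOST}` matching `^$` with an AbortRequest or CustomResponse action) is the standard IIS URL Rewrite syntax and is an assumption about how the Exchange 2016 rule was written; the sample web.config, the header value and the web.config path are constructed.

```powershell
# Added example, not code from the Exchange Health Checker project or the linked article.
# Looks for an IIS URL Rewrite rule that aborts requests whose Host header is empty.
function Test-EmptyHostRewriteRule {
    param([Parameter(Mandatory)][xml]$WebConfig)
    foreach ($rule in $WebConfig.SelectNodes('//system.webServer/rewrite/rules/rule')) {
        # The mitigating rule matches any URL, conditions on an empty {HTTP_HOST}
        # and aborts (or answers a fixed status) instead of redirecting to the internal IP.
        $emptyHost = @($rule.conditions.add) | Where-Object {
            $_.input -eq '{HTTP_HOST}' -and $_.pattern -eq '^$'
        }
        $action = $rule.action.type
        if ($emptyHost -and $action -in @('AbortRequest', 'CustomResponse')) {
            return [pscustomobject]@{ Found = $true; Rule = $rule.GetAttribute('name'); Action = $action }
        }
    }
    [pscustomobject]@{ Found = $false; Rule = $null; Action = $null }
}

# Flags RFC 1918 addresses inside a response header value, such as the Location
# header a vulnerable CAS returns when the Host header is empty.
function Find-PrivateIPv4InHeader {
    param([Parameter(Mandatory)][string]$HeaderValue)
    $rfc1918 = '\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})\b'
    foreach ($m in [regex]::Matches($HeaderValue, $rfc1918)) { $m.Value }
}

# Constructed sample web.config carrying the mitigating rule (not from a real server).
[xml]$sampleConfig = @'
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Abort empty Host header" stopProcessing="true">
          <match url=".*" />
          <conditions>
            <add input="{HTTP_HOST}" pattern="^$" />
          </conditions>
          <action type="AbortRequest" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@
Test-EmptyHostRewriteRule -WebConfig $sampleConfig
# Constructed header value of the kind the Nessus finding describes.
Find-PrivateIPv4InHeader -HeaderValue 'https://192.168.10.5/owa/'
# Against a live server, read the site's web.config (path is an assumption; adjust per site):
# Test-EmptyHostRewriteRule -WebConfig ([xml](Get-Content "$env:SystemDrive\inetpub\wwwroot\web.config" -Raw))
```

A missing rule is only a signal that the 2016-style mitigation is absent; as the thread notes, the same rule can cause complications on Exchange 2019, so the result should be read alongside the server version.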