
Andrew Stefaniuk

Exchange 2019 & Web Server Internal IP Address/Internal Network Name Disclosure Vulnerability

Hello Group;

Below are the results of an audit of my newly migrated Exchange 2013 to 2019, done as per the guide (thanks Mariette, great work), but now I'm leaking my internal IP address information both in email headers and in TCP GET requests.

It has me thinking about what is disclosed in the response header below, and about the need to tighten the information disclosed by the default IIS install that Exchange sets up as per the guide, such as the IIS version, the machine's network name, and the private IP address.

I see there is an extension offered by iis.net to rewrite URLs, https://www.iis.net/downloads/microsoft/url-rewrite, but I'm not sure this will solve the Exchange header disclosures.

Anyone have thoughts, or dealt with audit scans and disclosures?

Andrew

>>>>> audit >>>>>

The remote check for the web server internal IP address sends a HTTP GET request to the target web server. The QID is flagged if a "Content-location:" header or a 3xx redirect address in an HTTP response contains an RFC1918 IP address.

PCI DSS 3.2 requirement 1.3.7 "do not disclose private IP addresses and routing information to unauthorized parties".
This is a PCI Fail since confidential information about your network is leaked.

 

GET / HTTP/1.0

HTTP/1.1 302 Moved Temporarily
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.27.7/owa/
Server: Microsoft-IIS/10.0
X-FEServer: JDB-EX19
X-RequestId: 0f784c06-e328-41f1-8a42-0b026793e85d
Date: Wed, 29 Apr 2020 20:11:26 GMT
Connection: close
Content-Length: 0

 

<<<<


asked 04/30/2020 13:41
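To reproduce the check the audit describes, here is an added example (not the scanner's code and not anything from Microsoft or the migration guide). It sends the same request the scanner does, `GET / HTTP/1.0` with no Host header, and flags a `Content-location` header or a 3xx `Location` whose host is an RFC1918 address; it also lists the product and machine-name headers the question mentions. `SAMPLE_LEAK` is constructed from the response quoted above; `SAMPLE_FIXED`, the name `mail.example.com` in it and the default port in `probe()` are assumptions. Run it with a hostname to probe a real server with both an HTTP/1.0 request and an HTTP/1.1 request that carries a Host header, so you can see which of the two produces the leak.

```python
"""Reproduce the scanner's internal-IP-in-redirect check offline and on the wire.

Added example for this thread; not the scanner's or Microsoft's code. SAMPLE_LEAK
is constructed from the response quoted in the audit; SAMPLE_FIXED, the hostname
mail.example.com in it and the default port in probe() are assumptions.
"""
import ipaddress
import socket
import ssl
from urllib.parse import urlsplit

# The audit text: flag a Content-location header, or the Location of a 3xx,
# whose host is an RFC1918 address.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Headers that name the product and the front-end machine (the other items in the question).
FINGERPRINT_HEADERS = ("server", "x-feserver", "x-powered-by", "x-aspnet-version")

# Constructed from the audit excerpt above.
SAMPLE_LEAK = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Pragma: no-cache\r\n"
    b"Location: https://192.168.27.7/owa/\r\n"
    b"Server: Microsoft-IIS/10.0\r\n"
    b"X-FEServer: JDB-EX19\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Assumed shape of the same redirect once it carries the public name instead.
SAMPLE_FIXED = (
    b"HTTP/1.1 302 Moved Temporarily\r\n"
    b"Location: https://mail.example.com/owa/\r\n"
    b"Content-Length: 0\r\n\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status, {lower-case name: [values]}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body


def leaked_private_ips(status, headers):
    """Return [(header, ip)] for every redirect target whose host is an RFC1918 address."""
    hits = []
    for name in ("content-location", "location"):
        if name == "location" and not 300 <= status < 400:
            continue                      # the scanner only counts Location on a 3xx
        for value in headers.get(name, []):
            host = urlsplit(value).hostname   # None for a relative Location such as /owa/
            if host is None:
                continue
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:            # a DNS name, not an address literal
                continue
            if any(ip in net for net in RFC1918):
                hits.append((name, str(ip)))
    return hits


def fingerprint_headers(headers):
    """Product/version and machine-name headers the question also wants removed."""
    return {n: headers[n][0] for n in FINGERPRINT_HEADERS if n in headers}


def probe(host, port=80, tls=None, http10=True, timeout=5):
    """Send GET / as the scanner does (HTTP/1.0, no Host header) or as a browser
    would (HTTP/1.1 with Host) and return the parsed response. Network call."""
    if tls is None:
        tls = port == 443
    if http10:
        request = b"GET / HTTP/1.0\r\n\r\n"
    else:
        request = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    sock = socket.create_connection((host, port), timeout=timeout)
    if tls:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False        # we are inspecting headers, not trusting the cert
        ctx.verify_mode = ssl.CERT_NONE
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(request)
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                 # python leakcheck.py mail.example.com [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        results = {"HTTP/1.0 no Host": probe(sys.argv[1], port),
                   "HTTP/1.1 with Host": probe(sys.argv[1], port, http10=False)}
    else:
        results = {"sample": parse_response(SAMPLE_LEAK)}
    for label, (status, headers, _) in results.items():
        print(label, status, "leak:", leaked_private_ips(status, headers),
              "fingerprint:", fingerprint_headers(headers))
```

Running both request styles side by side is the useful part: if only the HTTP/1.0 request (which carries no Host header for IIS to build the absolute redirect from) comes back with the private address, blocking HTTP/1.0 will satisfy the scanner, but the `Server` and `X-FEServer` values are still returned to every client and need separate handling.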
Mariette Knap

I wrote a URL Rewriter rule some time ago that blocks HTTP 1.0 but I have to find it....checking now :)

Andrew Stefaniuk

Hi...any luck finding the rewrite rule?

 


replied 04/30/2020 18:45
Mariette Knap

This will block HTTP 1.0 requests:

<!-- Goes inside <system.webServer><rewrite><rules> in the web.config of the site
     that answers the scanner; requires the IIS URL Rewrite module -->
<rule name="Block HTTP 1.0" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
  <match url="*" />
  <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
    <!-- {SERVER_PROTOCOL} is the version on the request line; HTTP/1.0 requests need not send a Host header -->
    <add input="{SERVER_PROTOCOL}" pattern="HTTP/1.0" />
  </conditions>
  <!-- AbortRequest drops the connection without a response, so no Location header is produced -->
  <action type="AbortRequest" />
</rule>

 


replied 05/01/2020 05:40
Mariette Knap

I think it is HTTP 1.0 doing that. Why not block that?

Andrew Stefaniuk

Maybe, but here is a heavily redacted email header that discloses the same information. 

I still think it may be why I'm still having an issue with large service providers blocking email (SPF does not include internal IPs).

https://server-essentials.com/community/answers/421-442-error-after-migration-from-exchange-2103-to-2019-in-an-sbs2008-scenario

And as usual, Exchange picked the highest preference number of all the listed MX servers. mx3c2.megamailservers.com really hates our email server.

Below is the delay message:

Diagnostic information for administrators:

Generating server: JDB-EX19.<redacted>.lan
Receiving server: mx3c2.megamailservers.com (216.251.43.73)


s<redacted>s@<redacted>.net
Server at mx3c2.megamailservers.com (216.251.43.73) returned '400 4.4.7 Message delayed'
4/29/2020 5:24:30 PM - Server at mx3c2.megamailservers.com (216.251.43.73) returned '451 4.4.397 Error communicating with target host. -> 421 4.4.2 Connection dropped due to SocketError'

Original message headers:

Received: from JDB-EX19.<redacted>.lan (192.168.27.7) by JDB-EX19.<redacted>.lan
 (192.168.27.7) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.529.5; Wed, 29 Apr 2020
 09:38:32 -0400
Received: from JDB-EX19.<redacted>.lan ([fe80::3946:c929:6561:9cb0]) by
 JDB-EX19.<redacted>.lan ([fe80::3946:c929:6561:9cb0%6]) with mapi id
 15.02.0529.005; Wed, 29 Apr 2020 09:38:32 -0400
From: <redacted>Benefits <<redacted>.ca>
To: "<redacted>@<redacted>.net" <redacted>
Subject: <redacted>
Thread-Topic: <redacted>
Thread-Index: AdYeKwzBzsvXxRJkTOqArZDVShZrFQ==
Date: Wed, 29 Apr 2020 13:38:32 +0000
Message-ID: <redacted>.ca>
Accept-Language: en-CA, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.27.44]
Content-Type: multipart/mixed;
    boundary="_007_2583f408fce74a8a99c956c5e21b8aed<redacted>"
MIME-Version: 1.0


replied 04/30/2020 15:32
Host

That is an easy one. Run this on your Exchange Server:

# Remove the right to send routing headers from anonymous (internet-bound) sessions on every
# enabled Send connector, so outbound mail leaves without the internal Received: hops
Get-SendConnector | Where-Object {$_.Enabled -eq $true} | Remove-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ExtendedRights 'ms-Exch-Send-Headers-Routing'

# Restart IIS and the Microsoft Exchange Transport service

iisreset
Restart-Service MSExchangeTransport

 


replied 04/30/2020 16:10
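To confirm the change above actually cleaned the headers, here is an added example (not Exchange's or Microsoft's code, and not part of the answer above). Save the "Original message headers" block from a bounce, or the headers of a sent item, to a file and run the script against it before and after the Remove-ADPermission change; it walks the Received chain and x-originating-ip and reports any RFC1918, loopback or link-local address and any hostname under an internal-only suffix. `SAMPLE` is constructed from the redacted header in the post, with `example.lan` standing in for the redacted internal domain, and `INTERNAL_SUFFIXES` is an assumption to extend with your own AD domain.

```python
"""Audit a message's headers for internal addresses and names.

Added example for this thread, not Exchange's or Microsoft's code. SAMPLE is
constructed from the redacted header in the post; example.lan stands in for the
redacted internal domain and INTERNAL_SUFFIXES is an assumption to extend.
"""
import email
import ipaddress
import re
import sys

HEADERS_OF_INTEREST = ("Received", "X-Originating-IP")
# RFC1918, loopback and link-local ranges, plus their IPv6 counterparts.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fe80::/10", "fc00::/7", "::1/128")]
INTERNAL_SUFFIXES = ("lan", "local", "internal")   # assumption: add your AD domain here

# IPv4 dotted quads and IPv6 literals; a zone index such as %6 is matched but dropped.
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]{1,4}(?::[0-9A-Fa-f]{0,4}){2,7})(?:%\w+)?")
HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)*\.(?:%s)\b" % "|".join(INTERNAL_SUFFIXES), re.IGNORECASE)

# Constructed from the redacted header in the post; example.lan is a placeholder.
SAMPLE = """\
Received: from JDB-EX19.example.lan (192.168.27.7) by JDB-EX19.example.lan
 (192.168.27.7) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.529.5; Wed, 29 Apr 2020
 09:38:32 -0400
Received: from JDB-EX19.example.lan ([fe80::3946:c929:6561:9cb0]) by
 JDB-EX19.example.lan ([fe80::3946:c929:6561:9cb0%6]) with mapi id
 15.02.0529.005; Wed, 29 Apr 2020 09:38:32 -0400
From: Benefits <benefits@example.ca>
To: <recipient@example.net>
Subject: test
Date: Wed, 29 Apr 2020 13:38:32 +0000
x-originating-ip: [192.168.27.44]
MIME-Version: 1.0

"""


def is_internal(ip):
    """True for any address inside one of the internal ranges (version mismatch is False)."""
    return any(ip in net for net in INTERNAL_NETS)


def internal_ips(text):
    """Unique internal addresses in text, in order of appearance."""
    found = []
    for m in ADDR_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:          # timestamps and version strings also look address-like
            continue
        if is_internal(ip) and str(ip) not in found:
            found.append(str(ip))
    return found


def internal_hosts(text):
    """Unique hostnames under an internal-only suffix, in order of appearance."""
    return list(dict.fromkeys(m.group(0) for m in HOST_RE.finditer(text)))


def audit_headers(raw_message):
    """Return one finding per header that still names an internal address or host."""
    msg = email.message_from_string(raw_message)
    findings = []
    for name in HEADERS_OF_INTEREST:
        for value in msg.get_all(name, []):
            value = re.sub(r"\s+", " ", value)      # unfold continuation lines
            ips, hosts = internal_ips(value), internal_hosts(value)
            if ips or hosts:
                findings.append({"header": name, "ips": ips, "hosts": hosts})
    return findings


if __name__ == "__main__":
    raw = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE
    findings = audit_headers(raw)
    for f in findings:
        print(f"{f['header']}: ips={f['ips']} hosts={f['hosts']}")
    print("clean" if not findings else f"{len(findings)} header(s) still disclose internal data")
```

The script reports the IPv6 link-local hop as well as the IPv4 ones, since the MAPI hop in the posted header carries `fe80::` addresses and a scanner looking only for RFC1918 dotted quads would miss it.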
Andrew Stefaniuk

Thanks Mariette, that worked to remove the internal IP and internal DNS names from the email header.

 


replied 04/30/2020 16:31
Last Activity 05/01/2020 05:40
