Description: Microsoft Exchange Client Access Server Information Disclosure
Synopsis: The remote mail server is affected by an information disclosure vulnerability.
Impact: The Microsoft Exchange Client Access Server (CAS) is affected by an information disclosure vulnerability. A remote, unauthenticated attacker can exploit this vulnerability to learn the server's internal IP address.
See also:
http://foofus.net/?p=758
Data Received: SecurityMetrics was able to verify the issue with the following request:
GET /autodiscover/autodiscover.xml HTTP/1.0
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Which returned the following IP address:
BID: 69018
Resolution: There is no known fix at this time.
Risk Factor: Medium / CVSS2 Base Score: 5.0
Solution: To resolve the issue in this example, do the following:
- Open the IIS 7 console, expand Sites, Default Web Sites and click on Autodiscover.
- Double-click Authentication.
- Right-click Basic Authentication and select Edit...
- In the Realm field, type the server's public hostname in the format hostname.domain.tld and then click OK.
- If applicable (e.g. on Windows SBS 2008), repeat the above process for the Microsoft-Server-ActiveSync and EWS websites in addition to Autodiscover.
- Stop IIS and restart it.
Performing the same test in this example should now yield the following response:
HTTP/1.1 401 Unauthorized
Content-Type: text/html
Server: Microsoft-IIS/7.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="hostname.domain.tld"
X-Powered-By: ASP.NET
Date: Fri, 05 Sep 2014 16:30:41 GMT
Connection: close
Content-Length: 58
You can test for the issue with openssl on Linux by running the following command:
$ openssl s_client -host hostname.domain.tld -port 443
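As an added verification aid (not part of the original advisory), the following Python script parses the WWW-Authenticate: Basic realm of a 401 response and reports whether the realm is still a private address rather than the public hostname; it is what an administrator would run after applying the fix above. The two sample responses are constructed, and the fetch_autodiscover_401 helper, its added Host header and the verdict strings are this example's own assumptions.

```python
import ipaddress
import re
import socket
import ssl

# Constructed samples (not captured from a real server): the remediated 401 the page
# shows, and a variant whose realm leaks an RFC 1918 address as an unfixed CAS does.
REMEDIATED_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Microsoft-IIS/7.0\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b'WWW-Authenticate: Basic realm="hostname.domain.tld"\r\n'
    b"Connection: close\r\n\r\n"
)
LEAKING_401 = REMEDIATED_401.replace(b'realm="hostname.domain.tld"', b'realm="10.0.0.5"')
REALM_RE = re.compile(rb'^WWW-Authenticate:\s*Basic\s+realm="([^"]*)"', re.I | re.M)

def basic_realm(response):
    """Return the Basic-auth realm (str) from a raw HTTP response, or None if absent."""
    m = REALM_RE.search(response)
    return m.group(1).decode("latin-1") if m else None

def realm_is_private_ip(realm):
    """True when the realm is an IP literal in a private/loopback/link-local range."""
    try:
        return ipaddress.ip_address(realm).is_private
    except ValueError:
        return False  # a hostname, not an address literal

def classify(response):
    """Verdict for one response: 'ok', 'leaks-internal-ip' or 'no-basic-realm'."""
    realm = basic_realm(response)
    if realm is None:
        return "no-basic-realm"
    return "leaks-internal-ip" if realm_is_private_ip(realm) else "ok"

def fetch_autodiscover_401(host, port=443):
    """Live check (assumed helper, not exercised offline): send the page's
    unauthenticated HTTP/1.0 request over TLS and return the raw response."""
    request = (b"GET /autodiscover/autodiscover.xml HTTP/1.0\r\nHost: " + host.encode()
               + b"\r\nConnection: close\r\n\r\n")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(request)
        chunks = []
        while True:
            chunk = tls.recv(4096)
            if not chunk:
                return b"".join(chunks)
            chunks.append(chunk)
```

Run classify(fetch_autodiscover_401("hostname.domain.tld")) against your own CAS; "ok" means the realm now carries the public hostname as the solution above requires.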