Microsoft Exchange Autodiscover User Credential Protocol Flaw Leak

Hi Sophos/Forumites

Had a couple of customers ask me if we could block the following at the firewall. Will Sophos be rolling out updates to take care of this, or will we have to manually try and tackle this? Some of the URLs here I don't think will even parse in the URL List of Sophos, and I think the length also makes it a no go, as the XG boxes choke on long 3rd party lists, I've discovered.

https://petri.com/how-to-mitigate-microsoft-exchange-autodiscover-protocol-flaw-that-leaks-user-credentials

https://github.com/guardicore/labs_campaigns/blob/master/Autodiscover/autodiscover-tlds.txt



This thread was automatically locked due to age.
  • You should update your Exchange to cover this vulnerability. 

  • How to mitigate the Exchange Server Autodiscover attack

    While use of HTTP Basic Authentication is an issue, the crux of this attack is the way Autodiscover is often implemented in Exchange Server email clients, including Outlook.

    Block Autodiscover domains at the firewall

    While Microsoft hasn’t yet issued any mitigation advice, Guardicore recommends blocking Autodiscover domains, like Autodiscover.com and Autodiscover.com.cn, at your firewall.

    Add Autodiscover domains to the local hosts file on each endpoint

    Another way to block access to Autodiscover domains is to add them to the local hosts file on each of your endpoints; essentially creating a blackhole and ensuring that email clients can’t resolve to rogue Autodiscover domains.

    Guardicore has prepared a text file that points all possible Autodiscover domain variations back to the local host (127.0.0.1). You can find the file on GitHub here.

    And for more information on modifying the local hosts file, check out Easily Edit the Hosts File in Windows 10 and How to Easily Edit the Hosts File in Windows 11 on Petri.

    Guardicore recommends developers disable the ‘fail-up’ part of the Autodiscover protocol

    Guardicore recommends developers disable the ‘fail-up’ part of the Autodiscover protocol in their products. But while we wait for a response from Microsoft, and for vendors to potentially change the way Autodiscover is implemented in their software, Guardicore has provided a couple of workarounds that should protect against credential theft.

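The two workarounds in the reply above (a firewall blocklist and a hosts-file blackhole) both hinge on the same question: which Autodiscover hostnames will a client walk to when it "fails up" from the mailbox domain, and which of those does the organisation neither control nor sink? The following Python script is an added example written for this thread; it is not Sophos', Guardicore's or the poster's code. It models the fail-up walk as "prefix `autodiscover.` and drop one leading label per step" (an assumption about client behaviour, drawn from the reply's description), parses a hosts file for names mapped to a sink address, and reports which candidates are still unprotected so an operator can extend the blacklist. The `SAMPLE_HOSTS_FILE`, the `example.co.uk` zone and every function name are constructed for the example.

```python
from __future__ import annotations

# Added example for this thread (not Sophos', Guardicore's or the poster's code).
# Models the Autodiscover "fail-up" hostname walk for a mailbox domain and
# checks which candidates fall outside the organisation's own zones and are
# not sunk by a hosts-file blackhole of the kind the reply describes.

# Constructed sample of hosts-file entries mapping Autodiscover names to the
# local host, in the style the reply attributes to Guardicore's file. It is
# not the real file and is deliberately incomplete so the gap check has work.
SAMPLE_HOSTS_FILE = """\
# constructed sample, not Guardicore's file
127.0.0.1 autodiscover.com
127.0.0.1 autodiscover.com.cn
127.0.0.1 autodiscover.co.uk
"""

# Addresses that turn a hosts-file entry into a blackhole rather than a redirect.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def failup_candidates(email_domain: str) -> list[str]:
    """Hostnames a naive client may try, walking up from the mailbox domain.

    Assumption: the client prefixes 'autodiscover.' and drops one leading
    label per step, so user@mail.example.co.uk eventually reaches
    autodiscover.uk, a name the organisation does not control.
    """
    labels = [part for part in email_domain.lower().strip(".").split(".") if part]
    return ["autodiscover." + ".".join(labels[i:]) for i in range(len(labels))]


def parse_hosts_file(text: str) -> set[str]:
    """Return the hostnames a hosts file points at a sink address."""
    sunk: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        address, *names = line.split()
        if address in SINK_ADDRESSES:
            sunk.update(name.lower() for name in names)
    return sunk


def is_owned(hostname: str, owned_domains: list[str]) -> bool:
    """True if the hostname sits inside a DNS zone the organisation controls."""
    return any(
        hostname.endswith("." + d)
        for d in (x.lower().strip(".") for x in owned_domains)
    )


def coverage_report(email_domain: str, owned_domains: list[str], hosts_text: str) -> dict[str, str]:
    """Classify each fail-up candidate as owned, blackholed or unprotected."""
    sunk = parse_hosts_file(hosts_text)
    report: dict[str, str] = {}
    for host in failup_candidates(email_domain):
        if is_owned(host, owned_domains):
            report[host] = "owned"          # answered by the organisation's own DNS
        elif host in sunk:
            report[host] = "blackholed"     # resolves to a sink address locally
        else:
            report[host] = "unprotected"    # a third party could register and answer it
    return report


def unprotected(email_domain: str, owned_domains: list[str], hosts_text: str) -> list[str]:
    """Candidates that neither the organisation's zones nor the blackhole cover."""
    return [
        host for host, state in coverage_report(email_domain, owned_domains, hosts_text).items()
        if state == "unprotected"
    ]


def blackhole_lines(hostnames: list[str]) -> str:
    """Hosts-file lines that sink the given names to 127.0.0.1, one per line."""
    return "".join(f"127.0.0.1 {h.lower()}\n" for h in hostnames)


if __name__ == "__main__":
    domain, owned = "mail.example.co.uk", ["example.co.uk"]
    for host, state in coverage_report(domain, owned, SAMPLE_HOSTS_FILE).items():
        print(f"{host:40} {state}")
    print("add to hosts file:")
    print(blackhole_lines(unprotected(domain, owned, SAMPLE_HOSTS_FILE)), end="")
```

Run against a real deployment, `owned` is the list of zones the organisation's DNS answers for, and the hosts text is the file actually pushed to endpoints; every `unprotected` line is a candidate that should be either added to the firewall blocklist or sunk via `blackhole_lines`. The same candidate list can be fed to a firewall URL or FQDN list instead of the hosts file, which addresses the poster's concern about list length: only the names that are neither owned nor already sunk need to go in.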