Mitigating MS15-034 exploit

Posted on by
2

WarningUpdate: Made changes to reflect that IIS Request Filtering will not work.

This week, Microsoft released a security fix MS15-034 (KB3042553) for IIS which potentially allows for remote code execution on IIS, denial of service attacks (DOS) or bugchecking of servers. Since Exchange leverages IIS, Exchange servers are affected.

The vulnerability is easy to exploit, using an HTTP or HTTPS request and specifying a Range header with a value of 18446744073709551615 (maximum 64-bit unsigned integer). The Range header, introduced in the HTTP/1.1 specification, can be used by the requester to receive only a portion of data, for example the first few bytes of a JPG to determine its dimensions.The issue occurs when you specify out of bounds value. for example, when using cURL you can specify:

curl -v https://exchangeserver.contoso.com/iisstart.htm -H "Host: contoso.com" -H "Range: bytes = 0-8192" -k
Exchange-fellow Dave Stork did a nice write-up on the issue and how to prevent it from happening, i.e.
  • The most recommended solution is of course to install the KB3042553 security fix on servers running IIS, starting with servers that are internet-facing.
  • Filter requests on your reverse proxy, load balancer or IPS solution:
    • KEMP has provided instructions how to accomplish this on their Loadmasters here.
    • F5 has provided instructions here.
    • ISC SANS institute provided instructions for SNORT here.
  • Disable IIS kernel caching, but this is not recommended due to negative impact on performance.

Unfortunately, Request Filtering is not an option so you can not prevent the exploit using IIS’ built-in Request Filtering feature. The Request Filtering will occur after parsing of the Range header, and it is in this parsing causing the issue.

Microsoft Ignite 2015 Countdown

Posted on by
Reply

ignite ButtonIn only 2 weeks, the Microsoft Ignite event will be held at Chicago, USA. With the demise of Microsoft Exchange Conference, this is the major Microsoft conference this year. Its the place where people involved with Exchange will get updated on next version of Exchange. It is also the place to be informed in related areas, such as Office 365, Office 2016 or Azure, or catch up with your peers.

Microsoft recently revealed a small glimpse of what’s coming in Exchange 2016, such as modern attachments in OWA, which will allow you to send links to attachments stored on OneDrive for Business instead of embedding them in the message.  The article not only provides teasers as Exchange on-premises will – hopefully – be brought more up to par with the Exchange Online offering. It will also give many people peace of mind as there will be another version of Exchange on-premises.

In just 3 days, a whopping number of 82 sessions related to Exchange or Exchange Online will be held, so creating a schedule could be challenging. I expect these sessions t to reveal a lot more details on Exchange 2016 and its new features or enhancements. Million dollar question: will the IOPS requirement again change significantly? Be advised that the schedule is still not 100% fixed, so check back often for updates or plan for alternative sessions.

I am sure Microsoft will make this new consolidated conference a success. For those attending or presenting, I wish you a great time in Chicago at Ignite or one of the side events or at one of the many parties such as ENow’s Scheduled Maintenance. Unfortunately, I will not be attending Microsoft Ignite. For myself or others looking for session contents, Microsoft stated Ignite sessions will be recorded and be made available within 48 hours.

On another note, I will be at IT/DEV Connections later this year in Las Vegas. With Jaap Wesselius, I will be hosting a workshop on ‘Managing Exchange Online and Exchange On-Premises using Powershell’. If you plan to visit another conference this year, be sure to consider Connections, which will be held from September 14th-17th in Las Vegas, USA. Connections is independent, will have lots of sessions on Exchange on-premises as well as Office 365 topics. Sessions will be hosted by well-known speakers from the industry.

The UC Architects Podcast Ep51

Posted on by
2

iTunes-Podcast-logo[1]Episode 51 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman who is joined by Dave Stork and John Cook.. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Exchange 2013 CU8
  • Exchange 2010 SP3 CU9
  • Exchange ActiveSync onboarding to Office 365
  • Exchange 2013 Hybrid Config Wizard
  • Office 2013 modern auth public preview
  • Staying informed of Office 365 changes
  • Office 2016 preview
  • Updates for Outlook for iOS
  • Azure AD Sync
  • Office 365 MDM
  • Questions from listeners
  • Lync Kerberos Account
  • Lync/Skype for Business Network Planning for Silk Code
  • Controlling Lync/Skype for Business with your arms
  • Get ready for Skype for Business
  • Updates and Skype for Business
  • Microsoft Ignite
  • UCBUG
  • UCDAY
  • UCExpo

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

iOS 8.3 Exchange-related fixes

Posted on by
Reply

iPhone 6 iOSToday, Apple released an update for iOS which supposedly fixes, amongst other things, some Exchange-related issues. The release notes of iOS 8.3 mentions the following Exchange-related fixes:

  • Exchange out-of-office message can now be edited separately for external replies.
  • Improves recovery of Exchange accounts from temporary connection problems.
  • Fixes an issue that caused Exchange meetings with long notes to be truncated.

As for any update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to allowing access to your production environment. Apart from potentially blocking the new iOS, monitor the support forums from Apple and Microsoft for related issues. To block a specific version of iOS, consult this page.

More information on known issues with Exchange ActiveSync and 3rd party devices can be found in KB2563324.

Exchange 2013 Cumulative Update 8

Posted on by
Reply

Ex2013 LogoToday, Cumulative Update 8 for Exchange Server 2013 was released by the Exchange Team (KB3030080). This update raises Exchange 2013 version number to 15.0.1076.9.

This Cumulative Update introduces changes in the following areas:

  • Calendar and Contact Modern Public Folders favorites added in Outlook are now accessible in OWA.
  • Batch Migration of Public Folders to 2013 improves migration throughput and PF migration experience.
  • Increased support limits for Public Folders with Exchange on-premises deployments (500,000 for co-existence, or 1,000,000 for CU8-only deployments). Number of supported PF mailboxes stands at 100 though, with a per-PF mailbox limit of 100,000 Public Folders.
  • Supported EAS clients are now redirected to Office 365 upon successful Hybrid migration.

Next to DST corrections, this Cumulative Update introduces the following fixes:

  • 3045301 SMTP is not transported over TLS 1.1 or TLS 1.2 protocol in an Exchange Server 2013 environment
  • 3040681 MapiExceptionTimeout error during a hierarchy synchronization process of multiple public folders in Exchange Server 2013
  • 3037417 Outlook cannot download an OAB file in an Exchange Server 2013 environment that mixes Exchange Server 2010
  • 3037291 Can’t add members to Outlook contact group by using MAPI over HTTP
  • 3036952 Mailbox quota warning messages are not sent out after you migrate from Exchange Server 2010 to Exchange Server 2013
  • 3036374 Incorrect NDR size limit message is displayed for German localization in an Exchange Server 2013 environment
  • 3036365 “The specified address is not recognized or does not exist” error message in an Exchange Server 2013 environment
  • 3032153 Recurring events in Calendar over DST are not adjusted on all ActiveSync devices in all Exchange Server environments
  • 3031133 Default folders are duplicated after you migrate mailboxes to Exchange Server 2013
  • 3031069 Mails are spoofed in Office 365 or in an Exchange Server 2013 environment
  • 3030629 Outlook cannot open a shared folder on which a group you attend has the Reviewer permission in Exchange Server 2013
  • 3018518 Garbled text in the Japanese “From” field in a forwarded DBCS message
  • 3016440 Public folder mailbox quarantined
  • 3012266 Update to increase availability address spaces to 200 in Exchange Server 2013
  • 3011579 SaveChanges fails and generates a MAPI_E_NOT_FOUND error message on a large message body in Exchange 2013 CU6
  • 3006861 “The SMTP address has no mailbox associated with it” error when you access a user’s mailbox by using EWS application
  • 3003974 Improved support for MSG files in an Exchange Server 2013 environment where OPENTEXT products are used
  • 2988060 Cannot see the auditing results for an HttpModule-based extension for MAPI over HTTP protocol in Exchange Server 2013
  • 2986941 “An Active Directory error 0x51 occurred” error when you run the “Setup /PrepareAD” command from a DC in Exchange 2013
  • 2961741 Exchange Server 2013 delegated setup fails when the setup account is a member of Domain Admins

Notes:

  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to stay current.
  • Previously released CU7 introduced changes to prevent restoration of pre-CU7 databases. Pre-CU7 users are advised to perform a full backup post-upgrade to CU7 or later.
  • Previously released CU7 added support for hierarchies containing 250,000 modern public folders. Consult this article for co-existence scenarios.
  • Previously released CU5 introduced OAB architectural changes which are documented here. If you are affected, it is recommended to update CAS servers prior to Mailbox servers.

This Cumulative Update does not include schema or Active Directory changes when compared to Cumulative Update 7. If you have deployed a version earlier than CU7, make sure you run PrepareSchema /PrepareAD.  If you want to speed up the Cumulative Update installation process, you can temporarily disable certificate revocation checking as described here.

Note that Cumulative Updates can be installed directly, i.e. no need to install RTM or Service Packs prior to installing Cumulative Updates. Note that once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles. The order of upgrading servers is irrelevant, unlike with previous generations of Exchange.

Finally, and I can’t emphasize this enough: For any Hotfix, Rollup, Service Pack or Cumulative Update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production. When you lack such facilities, hold out a week or two and monitor the comments on the release article or TechNet forum for any issues.

You can download Exchange 2013 Cumulative Update 8 here; UM Language Packs can be found here.