Microsoft Exchange Client Access Server Information Disclosure Vulnerability
Written by Alan Butcher
Updated over a week ago

When detected by a vulnerability scanner, the Microsoft Exchange Client Access Server Information Disclosure Vulnerability is reported with a CVSS score of 7.5.

CVSS:

CVSS is an industry-standard scoring system for vulnerabilities. It marks each finding against a specific number ranging from 0 to 10. They are shown as:

Microsoft Exchange Client Access Server Information Disclosure Vulnerability Information

This vulnerability went unaddressed by Microsoft for versions of IIS after 6.0 and before 10.0. The majority of advice provided by online resources suggests applying the latest patches, but as patches don't exist for versions 7.0 to 8.5, this isn't an option.

The best way to address this issue is to understand why the server reveals an internal IP address to begin with. When issuing an HTTP version 1.0 request to the server (for any URI) without the Host header set, the server will refer to itself by its internal IP address. Take for example the following request:

# ncat --ssl owa.mymailserver.net 443
GET / HTTP/1.0

This results in the following response, revealing the internal IP address of the server:

GET / HTTP/1.0
RESPONSE
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.1.56/owa/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

The reason this is possible is that the HTTP 1.0 protocol doesn't require the Host header to be set by the client as part of a request. This is in contrast to HTTP 1.1, which requires the client to specify a host.

Remediation

The recommended solution to this issue is to configure the IIS server to deny requests made without the Host header set. This can be achieved through the URL rewrite module for IIS (https://www.iis.net/downloads/microsoft/url-rewrite).

A rule can be created to reset the connection when encountering a request without the Host header, as follows:

  1. Open URL Rewrite in the application's control panel.

  2. Click Add Rule(s) under Actions.

  3. Choose the Request blocking rule and click OK.

  4. Set Block access based on Host Header, Block requests that do not match the pattern, using regular expression, and set the pattern to .+ (i.e. match one or more of any characters).

  5. Click OK. The rule should then appear in URL Rewrite.

Connections made via HTTP 1.0 without a Host header will now be rejected by the server. The results can be seen below:
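
To confirm the rule from a client, the check below repeats the Host-less HTTP/1.0 request and reports any private IPv4 address found in the response headers. It is an added example, not part of the original article: the function names are hypothetical, the sample bytes are constructed from the response shown above, and it scans every header rather than only Location.

```python
import ipaddress
import re
import socket
import ssl
import sys

# Constructed sample: the response shown in the article, as raw bytes.
SAMPLE = (b"HTTP/1.1 301 Moved Permanently\r\nCache-Control: no-cache\r\n"
          b"Location: https://192.168.1.56/owa/\r\nServer: Microsoft-IIS/8.5\r\n\r\n")

# Four dot-separated octets that are not part of a longer dotted number.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def internal_ips_in_headers(raw: bytes) -> dict:
    """Return {header name: [private IPv4 addresses found in its value]}."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
    findings = {}
    for line in head.splitlines()[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        for candidate in IPV4_RE.findall(value):
            try:
                private = ipaddress.ip_address(candidate).is_private
            except ValueError:                   # not a valid address, e.g. 999.1.1.1
                continue
            if private:
                findings.setdefault(name.strip(), []).append(candidate)
    return findings

def probe(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Send GET / HTTP/1.0 with no Host header and return the raw reply.
    An empty reply means the server closed or reset the connection."""
    ctx = ssl.create_default_context()           # certificate errors are raised
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\n\r\n")
            try:
                while chunk := tls.recv(4096):
                    data += chunk
            except (ConnectionResetError, socket.timeout):
                pass                             # request aborted or server silent
    return data

if __name__ == "__main__":
    raw = probe(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    print(internal_ips_in_headers(raw) or "no internal address in headers")
```

Run it with the server's public hostname as the only argument; with no argument it analyses the embedded sample.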
