The Microsoft Exchange Client Access Server Information Disclosure Vulnerability when detected with a vulnerability scanner will report it as a CVSS 7.5.

CVSS:

CVSS is a scoring system for vulnerability systems, its an industry standard scoring system to mark findings against a specific number ranging from 0 to 10. They are shown as:

Microsoft Exchange Client Access Server Information Disclosure Vulnerability Information

This vulnerability went unaddressed by Microsoft for versions of IIS after 6.0 and before 10.0. The majority of advice provided by online resources suggests applying the latest patches, but as patches don't exist for version 7.0 to 8.5, this isn't an option.

The best way to address this issue is to understand why the server reveals an internal IP address to begin with. When issuing an HTTP version 1.0 request to the server (for any URI) without the Host header set, the server will refer to itself by its internal IP address. Take for example the following request:

# ncat -ssl owa.mymailserver.net 443 GET / HTTP/1.0

This results in the following response, revealing the internal IP address of the server:

GET / HTTP/1.0
RESPONSE
HTTP/1.1 301 Moved Permanently
Cache-Control: no-cache
Pragma: no-cache
Location: https://192.168.1.56/owa/
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET

The reason this is possible is because the HTTP 1.0 protocol doesn't require the Host header to be set by the client as part of a request. This is in contrast to HTTP 1.1, which requires the client to specify a host.

Remediation

Recommended solution to this issue is to configure the IIS server to deny requests made without the Host header set. This can be achieved through the URL rewrite module for IIS (https://www.iis.net/downloads/microsoft/url-rewrite).

A rule can be created to reset the connection when encountering a request without the Host header, as follows:

  1. Open URL Rewrite in the application's control panel.


  2. Click Add Rule(s) under Actions:


  3. Choose Request blocking rule and click OK:


  4. Set Block access based on Host Header, Block requests that do not match the pattern, using regular expression and set the pattern to .+ (i.e. match one or more of any characters):


  5. Click OK, the rule should then appear in URL Rewrite:


Connections made via HTTP 1.0 without a Host header will now be rejected by the server. The results can be seen below:

Did this answer your question?