Solved

Directory traversal vulnerability in Exchange 2010 Sp3

Posted on 2014-03-25
12
1,194 Views
Last Modified: 2014-04-16
Has anyone encountered this before?  When we search for this we have found issues pertaining to Exchange 2003 but nothing relating to Exchange 2010.
We are running Exchange 2010 SP3 with Rollup 4 on a Windows Server 2008 R2 Enterprise

Our Trustwave Vulnerability scan came back with the following finding:

https://exchange.blah.com/owa/auth/logon.aspx

The web server detected running on the system is vulnerable to a directory traversal vulnerability. A directory traversal vulnerability accesses files and directories that are stored outside the web root folder.

Evidence:
GET /owa/auth/logon.aspx?..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2FWINDOWS\system32\drivers\etc\hosts%00 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: exchange.blah.com

HTTP/1.1 200 OK
Cache-Control: no-cache, no-store
Pragma: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Set-Cookie: OutlookSession=36c13b44a53b43db9ae56f8f7b494acc; path=/; secure; HttpOnly
X-OWA-Version: 14.3.174.1
X-Powered-By: ASP.NET
Date: Sat, 22 Mar 2014 05:02:57 GMT
Content-Length: 8779

Thanks in advance for your input.
0
Comment
Question by:gemirkhanian
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 4
  • 2
  • +1
12 Comments
 

Expert Comment

by:Globalquest
ID: 39956020
I just received the same vulnerability failure from Trustwave on a scan last night.

Running on a fully patched SBS2011 with iis 7.5.
0
 
LVL 63

Expert Comment

by:btan
ID: 39956370
The extract is from the link below. This flagging if alert is likely due to the IIS in Exchange. Have it check again as Urlscan should not be needed in 2010. Also if specific CVE is shown in trustwave scan findings then it is then even more worrisome.  We need to close low hanging

Http://technet.microsoft.com/en-us/library/bb691338(v=exchg.141).aspx

The Exchange Best Practices Analyzer is one of the most effective tools that you can run regularly to help verify that your Exchange environment is secure. The Exchange Best Practices Analyzer automatically examines your Microsoft Exchange deployment and determines whether it's configured according to Microsoft best practices. In Exchange 2010, the Exchange Best Practices Analyzer is installed as part of Exchange Setup and can be run from the Tools section of the Exchange Management Console (EMC). 
0
 

Author Comment

by:gemirkhanian
ID: 39956484
There was no CVE provided.  Is this a false positive I can report or is this a real problem I need to remediate if the best practices analyzer finds that everything is setup correctly?
0
SendBlaster Pro 4 - Bulk Email Sending Software

SendBlaster 4 Pro - Best Bulk Emailing Sending Software
Automatic Subscribe / Unsubscribe Processing
Great for Newsletters & Mass Mailings
Optional HTML & Text Composition
Integration with Google Features
Built in Spam Score Checking
Free Professional Templates - Feature Packed!

 
LVL 63

Expert Comment

by:btan
ID: 39957901
At least, it is not mapping to a known vulnerability. Scanning has tendency for false positive and it is always best to substantiate why it is false positive with another separate justification that appropriate hardening is performed.

Good to run the analyser to ascertain the level of hardening and patch level e.g.
a) Run the MBSA - http://technet.microsoft.com/en-US/security/cc184924.aspx
b) Run the Analyser - http://technet.microsoft.com/en-us/library/bb508838(EXCHG.80).aspx

The useful part for above is that they will recommend action to address or mitigate any finding of concern. E.g.For every issue, the Exchange Server Best Practices Analyzer provides three kinds of data:

It reports what it found in the Exchange Server organization that it scanned.
It provides a recommended configuration.
It provides links to more detailed information about the issue and related topics.
0
 

Accepted Solution

by:
gemirkhanian earned 0 total points
ID: 39978714
We spoke with Trustwave support regarding this and they have determined that it is a false positive.  They will be removing this from their system on May 7th.  Their recommendation is to dispute it as a false positive.

Thanks for all the recommendations on the MBSA and Analyzer.
0
 

Expert Comment

by:angeljr-datacorps
ID: 39978724
Thank you for posting this, we were flagged for the same and your post has helped me to resolve it!

By the way, our dispute was Denied.
0
 

Author Comment

by:gemirkhanian
ID: 39979401
I've requested that this question be closed as follows:

Accepted answer: 0 points for gemirkhanian's comment #a39978714

for the following reason:

Problem was a false positive, vendor support had to be contacted to determine this.
0
 
LVL 63

Expert Comment

by:btan
ID: 39979402
glad to have help, but will seek your help to mark the useful advice so that community can benefit else they may get the impression it is not of use
0
 
LVL 63

Expert Comment

by:btan
ID: 39982652
To share as I see may be useful in grading the answer, for considerations.

Please post your solution; then accept your own comment as the answer.

http://support.experts-exchange.com/customer/portal/articles/626549 self-answered
http://support.experts-exchange.com/customer/portal/articles/626862 self-answered with help
http://support.experts-exchange.com/customer/portal/articles/481419 grading
0
 

Author Comment

by:gemirkhanian
ID: 39995317
They denied my first dispute as well (after 8 days of waiting).
We talked to support and they said we need to make the statement that there is no directory traversal and that we are not leaking information.  I then copied and pasted the email that support sent us about it and referenced the ticket number.  

The dispute has now been approved.
0
 
LVL 63

Expert Comment

by:btan
ID: 39995522
thanks for sharing. looks like my advices have helped
0
 

Expert Comment

by:Globalquest
ID: 40004534
They denied our dispute as well, I have resubmitted with the notes above. When I called support they said they couldn't resolve over the phone and to resubmit online. I never received an email or instructions on how to word it to be accepted, so hopefully they take the second time.
0

Featured Post

Increase your protection from Zero Day threats!

Running two Antivirus' is never a good idea.
Taking advantage of Multiple Security layers on the other hand can often save your hide.
See which top notch security software brands have been proven to happily coexist together.
Reduce your chances of becoming a statistic.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Today, still in the boom of Apple, PC's and products, nearly 50% of the computer users use Windows as graphical operating systems. If you are among those users who love windows, but are grappling to keep the system's hard drive optimized, then you s…
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

732 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question