Merge pull request #1795 from microsoft/main
Release 8-8-23
Showing
17 changed files
with
597 additions
and
10 deletions.
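--- a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-21709.ps1
+++ b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-21709.ps1
@@ -0,0 +1,48 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+. $PSScriptRoot\..\Add-AnalyzedResultInformation.ps1
+function Invoke-AnalyzerSecurityCve-2023-21709 {
+[CmdletBinding()]
+param(
+[Parameter(Mandatory = $true)]
+[ref]$AnalyzeResults,
+
+[Parameter(Mandatory = $true)]
+[object]$SecurityObject,
+
+[Parameter(Mandatory = $true)]
+[object]$DisplayGroupingKey
+)
+
+Write-Verbose "Calling: $($MyInvocation.MyCommand)"
+
+<#
+Description: Check for CVE-2023-21709 vulnerability
+Affected Exchange versions: 2016, 2019
+Fix: Remove TokenCacheModule from IIS
+Workaround: N/A
+#>
+
+if ($SecurityObject.IsEdgeServer -eq $false) {
+Write-Verbose "Testing CVE: CVE-2023-21709"
+
+if ($SecurityObject.ExchangeInformation.IISSettings.IISModulesInformation.ModuleList.Name -contains "TokenCacheModule") {
+Write-Verbose "TokenCacheModule detected - system is vulnerable to CVE-2023-21709 vulnerability"
+$params = @{
+AnalyzedInformation = $AnalyzeResults
+DisplayGroupingKey = $DisplayGroupingKey
+Name = "Security Vulnerability"
+Details = ("{0}`r`n`t`tSee: https://portal.msrc.microsoft.com/security-guidance/advisory/{0} for more information." -f "CVE-2023-21709")
+DisplayWriteType = "Red"
+DisplayTestingValue = "CVE-2023-21709"
+AddHtmlDetailRow = $false
+}
+Add-AnalyzedResultInformation @params
+} else {
+Write-Verbose "TokenCacheModule wasn't detected and as a result, system is not vulnerable to CVE-2023-21709 vulnerability"
+}
+} else {
+Write-Verbose "Edge Server Role is not affected by this vulnerability as it has no IIS installed"
+}
+}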
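Review bot: The `-contains` test on `...IISModulesInformation.ModuleList.Name` treats missing data as a clean result: if the IIS module list was not collected, `.Name` evaluates to `$null`, `$null -contains "TokenCacheModule"` is false, and the else branch logs that the system is not vulnerable. A null module list should be distinguished from a module list that simply lacks TokenCacheModule, e.g. a guard ahead of the check: `if ($null -eq $SecurityObject.ExchangeInformation.IISSettings.IISModulesInformation.ModuleList) { Write-Verbose "IIS module list not available - unable to evaluate CVE-2023-21709"; return }`. Whether a collection failure can actually leave ModuleList null depends on how IISModulesInformation is populated, which is outside this file.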
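--- a/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeAES256CBCDetails.ps1
+++ b/Diagnostics/HealthChecker/DataCollection/ExchangeInformation/Get-ExchangeAES256CBCDetails.ps1
@@ -0,0 +1,84 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+. $PSScriptRoot\..\..\Helpers\CompareExchangeBuildLevel.ps1
+. $PSScriptRoot\..\..\..\..\Shared\Invoke-ScriptBlockHandler.ps1
+. $PSScriptRoot\..\..\..\..\Shared\ErrorMonitorFunctions.ps1
+function Get-ExchangeAES256CBCDetails {
+param(
+[Parameter(Mandatory = $false)]
+[String]$Server = $env:COMPUTERNAME,
+
+[Parameter(Mandatory = $true)]
+[System.Object]$VersionInformation
+)
+
+<#
+AES256-CBC encryption support check
+https://techcommunity.microsoft.com/t5/security-compliance-and-identity/encryption-algorithm-changes-in-microsoft-purview-information/ba-p/3831909
+#>
+
+begin {
+Write-Verbose "Calling: $($MyInvocation.MyCommand)"
+$aes256CBCSupported = $false
+$msipcRegistryAclAsExpected = $false
+$regPathToCheck = "HKLM:\SOFTWARE\Microsoft\MSIPC\Server"
+# Translates to: "NetworkService", "FullControl", "ContainerInherit, ObjectInherit", "None", "Allow"
+# See: https://learn.microsoft.com/dotnet/api/system.security.accesscontrol.registryaccessrule.-ctor?view=net-7.0#system-security-accesscontrol-registryaccessrule-ctor(system-security-principal-identityreference-system-security-accesscontrol-registryrights-system-security-accesscontrol-inheritanceflags-system-security-accesscontrol-propagationflags-system-security-accesscontrol-accesscontroltype)
+$networkServiceAcl = New-Object System.Security.AccessControl.RegistryAccessRule(
+[System.Security.Principal.SecurityIdentifier]::new("S-1-5-20"), 983103, 3, 0, 0
+)
+} process {
+# First, check if the build running on the server supports AES256-CBC
+if (Test-ExchangeBuildGreaterOrEqualThanSecurityPatch -CurrentExchangeBuild $VersionInformation -SU "Aug23SU") {
+
+Write-Verbose "AES256-CBC encryption for information protection is supported by this Exchange Server build"
+$aes256CBCSupported = $true
+
+# As build supports AES256-CBC, next step is to check that the registry key exists and permissions are set as expected
+$params = @{
+ComputerName = $Server
+ScriptBlock = { Test-Path -Path $regPathToCheck }
+CatchActionFunction = ${Function:Invoke-CatchActions}
+}
+
+if ((Invoke-ScriptBlockHandler @params) -eq $false) {
+Write-Verbose "Unable to query Acl of registry key $regPathToCheck assuming that the key doesn't exist"
+} else {
+$params.ScriptBlock = { Get-Acl -Path $regPathToCheck }
+$acl = Invoke-ScriptBlockHandler @params
+
+# ToDo: As we have multiple places in HC where we query acls, we should consider creating a function
+# that can be used to do the acl call, similar to what we do in Get-ExchangeRegistryValues.ps1.
+Write-Verbose "Registry key exists and Acl was successfully queried - validating Acl now"
+try {
+$aclMatch = $acl.Access.Where({
+($_.RegistryRights -eq $networkServiceAcl.RegistryRights) -and
+($_.AccessControlType -eq $networkServiceAcl.AccessControlType) -and
+($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $networkServiceAcl.IdentityReference) -and
+($_.InheritanceFlags -eq $networkServiceAcl.InheritanceFlags) -and
+($_.PropagationFlags -eq $networkServiceAcl.PropagationFlags)
+})
+
+if (@($aclMatch).Count -ge 1) {
+Write-Verbose "Acl for NetworkService is as expected"
+$msipcRegistryAclAsExpected = $true
+} else {
+Write-Verbose "Acl for NetworkService was not found or is not as expected"
+}
+} catch {
+Write-Verbose "Unable to verify Acl on registry key $regPathToCheck"
+Invoke-CatchActions
+}
+}
+} else {
+Write-Verbose "AES256-CBC encryption for information protection is not supported by this Exchange Server build"
+}
+} end {
+return [PSCustomObject]@{
+AES256CBCSupportedBuild = $aes256CBCSupported
+RegistryKeyConfiguredAsExpected = $msipcRegistryAclAsExpected
+ValidAESConfiguration = (($aes256CBCSupported) -and ($msipcRegistryAclAsExpected))
+}
+}
+}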
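Review bot: The existence check `if ((Invoke-ScriptBlockHandler @params) -eq $false)` only short-circuits on an explicit `$false`; if the handler returns `$null` because the query failed (a CatchActionFunction is supplied, so a caught error presumably produces no output), execution falls into the else branch and calls `Get-Acl` on a key it never confirmed exists, with `$acl = Invoke-ScriptBlockHandler @params` sitting outside the try block. Comparing against `$true` instead, `if ((Invoke-ScriptBlockHandler @params) -ne $true)`, treats both "key absent" and "could not query" as not verified, which is what the verbose message on that branch already says. Separately, both script blocks reference the local `$regPathToCheck`; if Invoke-ScriptBlockHandler runs them on a remote `$Server` through Invoke-Command, that variable is not in scope there and `$using:regPathToCheck` would be required — worth confirming against the shared helper, which is outside this hunk.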