Will the new Microsoft Exchange 0-Day CVEs be added to IPS?

Are there plans to add the new Microsoft Exchange 0-Day CVEs to IPS?

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

If so, is there an ETA?

Thanks.

Comments

  • james.carson Moderator, WatchGuard Representative

    Hi @Ian_Middleon

    We have a feature request open (FBX-21243) to work on signatures for that exploit. However, as the vendor has already issued a patch, I would suggest following the guidance from Microsoft in the article you linked in order to patch your system(s).

    -James Carson
    WatchGuard Customer Support

  • We are patching. It's just nice to know it's getting blocked before even hitting the servers.

    Thanks for the info.

  • Hello James!

    Is there already something new on FBX-21243?

    Thanks.

  • None of the CVEs for the Exchange server attack are currently listed here, so there are currently no IPS signatures for them.
    https://securityportal.watchguard.com/Threats?sigVers=4

  • james.carson Moderator, WatchGuard Representative

    Signatures should be out soon, pending successful QA/validation.

    If you're running 12.x - 12.5.7, the definition version that will include the update is v4.1132.

    If you are running 12.6.x, the version will be v18.137.

    If you'd like to follow progress and/or want updates on the release, please open a support case and mention FBX-21243. The technician can set up the alerts in that case for you.

    -James Carson
    WatchGuard Customer Support

  • edited March 2021

    The absolute lack of response for this is crazy. This is a huge attack directed directly at WatchGuard's customer base, SMBs. Fortinet has already addressed this in their IPS. I guess zero day has a different meaning for WatchGuard. I have around 20 devices with Total Security Suite and have used WatchGuard since the Firebox 2. I'm definitely considering moving to Fortinet if I can't count on WatchGuard to be there when it counts. An email with instructions on how to add the offending IPs manually, if you can't be bothered to update IPS, would be expected, no?

  • james.carson Moderator, WatchGuard Representative

    Hi @crauner

    Like I mentioned above, IPS is updated, and is currently going through validation testing. WatchGuard doesn't push releases out without going through that testing. Many customers have automatic subscription service updates enabled, and getting an update that wasn't thoroughly tested that could potentially take a firewall down would be devastating.

    If you'd like to add IPs to your Blocked Sites list, you can do so using Policy Manager. Please see the article here for information on how to do that:
    (Import a List of Blocked Sites or Blocked Sites Exceptions)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/intrusionprevention/blocked_sites_external_list_c.html

    The exploit(s) require that the Exchange server be publicly accessible on port 443 (HTTPS), so using any of the VPNs or Access Portal to access Exchange, instead of having an inbound rule from Any-External, would also mitigate the threat.

    Following Microsoft's advice and patching your Exchange server(s) is the best and recommended course of action.

    -James Carson
    WatchGuard Customer Support

  • Increasing attacks are going to make it clear which providers respond with the best support. Anyone responsible for an Exchange server is of course going to apply the Microsoft patches. The VPN suggestion for a webmail portal isn't going to be a viable option for just about anyone. It sort of goes against the reason for having a web portal. There is no question this is a Microsoft-related issue allowing unauthenticated access on 443, but the response to these severe issues is what is most critical from a security provider. SSL rule is a proxy rule with all of the subscription services applied. Some form of protection should be in place within a day or two of public release of the exploit. Timeliness is important. The only place I can even find info from WatchGuard on this is here in the user forum. These huge security items should be front and center on the WatchGuard homepage, at least an official statement or whitepaper somewhere. I just have to expect the same for the next major exploit. I'm on my own with WatchGuard and my subscription service will not offer any timely coverage.

  • While I do understand that testing before deployment is necessary, I do agree with others here that other security vendors have been faster with communication and mitigation, regarding this matter.
    Of course, patching the server is the best way, but in cases like service providers in charge of patching many customer servers, they'd just like to know that the IPS vendor already blocks any new attempts to leverage these exploits.

  • james.carson Moderator, WatchGuard Representative

    I'm happy to announce that the IPS updates have gone live.

    You'll want to run a manual update to get the latest IPS definitions from the Subscription Services tab of FSM, or Front Panel -> Subscription Services in the Web UI, if you don't have automatic updates turned on.

    The versions that have the definitions are:
    18.137 -- Fireboxes running 12.6.x or better.
    4.1132 -- Fireboxes running 12.5.x or lower.

    The definitions for the Exchange vulnerabilities are:
    1138767 WEB Microsoft Exchange Server Remote Code Execution Vulnerability -1 (CVE-2021-26855)
    1138774 WEB Microsoft Exchange Server Remote Code Execution Vulnerability -2 (CVE-2021-26855)
    1138775 WEB Microsoft Exchange Server Remote Code Execution Vulnerability -3 (CVE-2021-26855)
    1138776 WEB Microsoft Exchange Server Remote Code Execution Vulnerability -4 (CVE-2021-26855)

    -James Carson
    WatchGuard Customer Support

  • Good to hear, but unfortunately too little too late for me. My primary clients are Town Govt, Police and Fire, and Federal Tribal Govt. I had just quoted a new WatchGuard device with 3yr Total Security for a Town Hall, with Police and Fire to follow. I reached out yesterday and was given my area account rep and told he would reach out. Unsurprisingly no one ever did. Called in to Fortinet and have heard back from both the fed and local gov reps the same day.

  • Nothing that those of us on this forum can do about that.
    Good luck.

  • WatchGuard Representative James Carson can't make sure whoever is assigned to my account reaches out as asked? Ouch, WatchGuard.

  • Sorry - I mean the rest of us non-WG can't be of help.
    And James is not on the boards all day, every day either.
    By your post, it sounded like you were off to the Fortinet world - thus the good luck encouragement.

  • Sorry, understood. I'm honestly sort of wishing against wishes I didn't have to move. I have been a WatchGuard loyalist for a very long time. The response on all levels from the 2 companies is completely different though. As sad as I am to go, I've got to feel it's the right decision. WatchGuard, as best as I can tell, could care less about keeping me as a customer.

  • Hard to believe.
    Also, hard to know if any particular acct rep is "in" (i.e. available) on any day.
    I've had good response from sales, occasionally out of the blue, and with the "if there is anything that I can do, please ask" kind of statement.

  • Hopefully you will hear from someone soon.

  • james.carson Moderator, WatchGuard Representative

    Hi @crauner

    I have no idea who you are in the forums unless you tell me. If you'd like to have support help here, I'd suggest giving us a call at the number that works best for you:
    https://www.watchguard.com/wgrd-support/support-by-phone/all

    (I'd advise against posting your contact information in the forums, as anyone can see it.)

    -James Carson
    WatchGuard Customer Support

  • That's just it. I called in yesterday. I was told Tim Osiecki was the rep and they would ask him to call.

  • james.carson Moderator, WatchGuard Representative

    @crauner
    I'm happy to check in, but I still don't know who you are.
    Is there a recent case number that you've worked on with support where I can find your contact information?

    -James Carson
    WatchGuard Customer Support

  • I opened a case under my Govt client's account and I contacted support via my partner account. The case under the client is 01484721. Spoke with a very nice support agent, but as you know, as of yesterday the deal was no fix. Did online chat, I believe under my partner account, where I was given rep info and requested a callback.

  • james.carson Moderator, WatchGuard Representative

    Looking into that now, thank you!

    -James Carson
    WatchGuard Customer Support

  • I cannot talk for you @crauner, but know that it's not always better on the other side.
    I'm working with 2 other brands and certainly each brand has its pros and cons. If it may be of importance, here are the big pros of WatchGuard when I compare the 3 brands I'm working with:

    • Firmware reliability/stability: compared to the 2 other brands, rare are the cases where the firmware contains issues needing a rollback or impacting production for customers. Less stress with WG firmware upgrades.
    • Support: WG's support is very reactive, also for RMA replacements, with no excessive ping-pong before getting a replacement box. I also once had an Mx00 replaced by an Mx70, so the customer got a hardware refresh, for free, after a technical issue.

    These are not the only reasons for choosing a provider, but they are important.

    Have a good week y'all.
