diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 02757f1ab8..ba8310fa0f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,8 +4,9 @@
 # Everything in Security is owned by those folks
 /Security/src/ @ethanb-msft @dbacon247 @bill-long @dpaulson45
-# Except this one which is owned by Exchange
+# Except these which are owned by Exchange
 /Security/src/Test-ProxyLogon.ps1 @bill-long @dpaulson45 @lusassl-msft
+/Security/src/Test-CVE-2021-34470.ps1 @bill-long @dpaulson45 @lusassl-msft
 # Rob Whaley owns these
 /Hybrid/ @tweekerz @bill-long @dpaulson45 @lusassl-msft
diff --git a/Security/src/Test-CVE-2021-34470.ps1 b/Security/src/Test-CVE-2021-34470.ps1
new file mode 100644
index 0000000000..bfef1c42a4
--- /dev/null
+++ b/Security/src/Test-CVE-2021-34470.ps1
@@ -0,0 +1,65 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+[CmdletBinding()]
+param (
+ [Parameter()]
+ [switch]
+ $ApplyFix
+)
+
+$ErrorActionPreference = "Stop"
+
+$schemaMaster = (netdom query fsmo | Select-String "Schema master\s+(\S+)").Matches.Groups[1].Value
+
+$schemaDN = ([ADSI]"LDAP://$($schemaMaster)/RootDSE").schemaNamingContext
+
+$storageGroupSchemaEntryDN = "LDAP://$($schemaMaster)/CN=ms-Exch-Storage-Group,$schemaDN"
+
+if (-not ([System.DirectoryServices.DirectoryEntry]::Exists($storageGroupSchemaEntryDN))) {
+ Write-Host "Exchange was not installed in this forest. Therefore, CVE-2021-34470 vulnerability is not present."
+ return
+}
+
+$storageGroupSchemaEntry = [ADSI]($storageGroupSchemaEntryDN)
+if ($storageGroupSchemaEntry.Properties["possSuperiors"].Count -eq 0) {
+ Write-Host "CVE-2021-34470 vulnerability is not present."
+ return
+}
+
+$hasUnexpectedValues = $false
+
+foreach ($val in $storageGroupSchemaEntry.Properties["possSuperiors"]) {
+ if ($val -eq "computer") {
+ Write-Warning "CVE-2021-34470 vulnerability is present."
+ } else {
+ $hasUnexpectedValues = $true
+ Write-Warning "CVE-2021-34470 vulnerability may be present due to an unexpected superior: $val"
+ }
+}
+
+if ($ApplyFix) {
+ if ($hasUnexpectedValues) {
+ $OutputFile = "$PSScriptRoot\Test-CVE-2021-34470.log"
+ "Attempting fix at $(Get-Date)." | Out-File $OutputFile -Append
+ "Value prior to fix:" | Out-File $OutputFile -Append
+ $storageGroupSchemaEntry.Properties["possSuperiors"] | Out-File $OutputFile -Append
+ }
+
+ $isSchemaAdmin = $null -ne (whoami /groups | sls "\\Schema Admins\s+Group")
+ if (-not $isSchemaAdmin) {
+ Write-Warning "This user is not in Schema Admins. Cannot apply fix."
+ return
+ }
+
+ Write-Host "Attempting to apply fix..."
+
+ $rootDSE = [ADSI]("LDAP://$($schemaMaster)/RootDSE")
+ [void]$rootDSE.Properties["schemaUpgradeInProgress"].Add(1)
+ $rootDSE.CommitChanges()
+
+ $storageGroupSchemaEntry.Properties["possSuperiors"].Clear()
+ $storageGroupSchemaEntry.CommitChanges()
+
+ Write-Host "Fix was applied successfully."
+}
diff --git a/docs/Security/Test-CVE-2021-34470.md b/docs/Security/Test-CVE-2021-34470.md
new file mode 100644
index 0000000000..bb54cecf51
--- /dev/null
+++ b/docs/Security/Test-CVE-2021-34470.md
@@ -0,0 +1,8 @@
+---
+title: Test-CVE-2021-34470.ps1
+parent: Security
+---
+
+## Test-CVE-2021-34470.ps1
+
+Download the latest release: [Test-Test-CVE-2021-34470.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)
diff --git a/docs/index.md b/docs/index.md
index 0bf97698e7..f92e5c7bc5 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -15,3 +15,4 @@ This project contains scripts for supporting and troubleshooting Microsoft Excha
 | SetupAssist.ps1 | [Docs](Setup/SetupAssist) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SetupAssist.ps1) |
 | SourceSideValidations.ps1 | [Docs](PublicFolders/SourceSideValidations) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SourceSideValidations.ps1) |
 | Test-AMSI.ps1 | [Docs](Admin/Test-AMSI) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-AMSI.ps1) |
+| Test-CVE-2021-34470.ps1 | [Docs](Security/Test-CVE-2021-34470) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)
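Review bot: In Security/src/Test-CVE-2021-34470.ps1, the Schema Admins gate in the `if ($ApplyFix)` branch matches English display text in `whoami /groups` output (`sls "\\Schema Admins\s+Group"`), so where the group name or the whoami type column is not English the script stops with "Cannot apply fix" even for a schema admin, and the `possSuperiors` value it just warned about stays in place. A SID test is language-independent: `$isSchemaAdmin = [bool]([Security.Principal.WindowsIdentity]::GetCurrent().Groups | Where-Object { $_.Value -like 'S-1-5-21-*-518' })` (518 is the Schema Admins RID). The same branch clears a schema attribute forest-wide with no confirmation; declaring `[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]` and guarding the two `CommitChanges()` calls with `$PSCmdlet.ShouldProcess(...)` would give operators `-WhatIf` and a prompt. The prior-value log is written only when `$hasUnexpectedValues` is set and before the membership check, so a refused run still appends "Attempting fix" to the log; moving the logging after the check would keep the log accurate.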