From 605f9b4311f4a1a749eee307c50326b53ff84031 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Mon, 2 Aug 2021 16:36:01 -0700
Subject: [PATCH 1/6] CVE-2021-34470 script

---
 .../Test-CVE-2021-34470.ps1 | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1

diff --git a/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1 b/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
new file mode 100644
index 0000000000..0fd21e3b66
--- /dev/null
+++ b/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
@@ -0,0 +1,47 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+[CmdletBinding()]
+param (
+ [Parameter()]
+ [switch]
+ $ApplyFix
+)
+
+$ErrorActionPreference = "Stop"
+
+$schemaDN = ([ADSI]"LDAP://RootDSE").schemaNamingContext
+
+$storageGroupSchemaEntryDN = "LDAP://CN=ms-Exch-Storage-Group,$schemaDN"
+
+if (-not ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=ms-Exch-Storage-Group,$schemaDN"))) {
+ Write-Host "Exchange was not installed in this forest. Therefore, CVE-2021-34470 vulnerability is not present."
+ return
+}
+
+$storageGroupSchemaEntry = [ADSI]($storageGroupSchemaEntryDN)
+if ($storageGroupSchemaEntry.Properties["possSuperiors"].Count -eq 0) {
+ Write-Host "CVE-2021-34470 vulnerability is not present."
+ return
+}
+
+foreach ($val in $storageGroupSchemaEntry.Properties["possSuperiors"]) {
+ if ($val -eq "computer") {
+ Write-Warning "CVE-2021-34470 vulnerability is present."
+ } else {
+ Write-Warning "CVE-2021-34470 vulnerability may be present due to an unexpected superior: $val"
+ }
+}
+
+if ($ApplyFix) {
+ Write-Host "Attempting to apply fix..."
+
+ $rootDSE = [ADSI]("LDAP://RootDSE")
+ [void]$rootDSE.Properties["schemaUpgradeInProgress"].Add(1)
+ $rootDSE.CommitChanges()
+
+ $storageGroupSchemaEntry.Properties["possSuperiors"].Clear()
+ $storageGroupSchemaEntry.CommitChanges()
+
+ Write-Host "Fix was applied successfully."
+}
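Review bot: `Write-Host "Fix was applied successfully."` is printed purely because the second `CommitChanges()` returned, without re-reading the attribute, so a write that was accepted but not applied as intended is still reported as success; after the commit add `$storageGroupSchemaEntry.RefreshCache()` and print the success line only when `$storageGroupSchemaEntry.Properties["possSuperiors"].Count -eq 0`, with a `Write-Warning` otherwise. Because `-ApplyFix` edits the forest schema, the script should also declare `[CmdletBinding(SupportsShouldProcess)]` and wrap the two commits in `if ($PSCmdlet.ShouldProcess($storageGroupSchemaEntryDN, "Clear possSuperiors"))` so `-WhatIf`/`-Confirm` work. A header comment above the `$rootDSE` line should state the precondition the code silently relies on: the `schemaUpgradeInProgress` write and the schema modification presumably have to go over the same connection to the schema master for the second write to be accepted — confirm and document, since nothing in the block enforces it.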
From d0e4906a4a48eef26faa383d145be3c37c340d84 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Mon, 2 Aug 2021 17:10:32 -0700
Subject: [PATCH 2/6] Make sure we use the Schema Master

---
 .../Test-CVE-2021-34470/Test-CVE-2021-34470.ps1 | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1 b/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
index 0fd21e3b66..33f6b052a7 100644
--- a/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
+++ b/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
@@ -10,11 +10,13 @@ param (
 $ErrorActionPreference = "Stop"
-$schemaDN = ([ADSI]"LDAP://RootDSE").schemaNamingContext
+$schemaMaster = (netdom query fsmo | sls "Schema master\s+(\S+)").Matches.Groups[1].Value
-$storageGroupSchemaEntryDN = "LDAP://CN=ms-Exch-Storage-Group,$schemaDN"
+$schemaDN = ([ADSI]"LDAP://$($schemaMaster)/RootDSE").schemaNamingContext
-if (-not ([System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=ms-Exch-Storage-Group,$schemaDN"))) {
+$storageGroupSchemaEntryDN = "LDAP://$($schemaMaster)/CN=ms-Exch-Storage-Group,$schemaDN"
+
+if (-not ([System.DirectoryServices.DirectoryEntry]::Exists($storageGroupSchemaEntryDN))) {
 Write-Host "Exchange was not installed in this forest. Therefore, CVE-2021-34470 vulnerability is not present."
 return
 }
@@ -36,7 +38,7 @@ foreach ($val in $storageGroupSchemaEntry.Properties["possSuperiors"]) {
 if ($ApplyFix) {
 Write-Host "Attempting to apply fix..."
- $rootDSE = [ADSI]("LDAP://RootDSE")
+ $rootDSE = [ADSI]("LDAP://$($schemaMaster)/RootDSE")
 [void]$rootDSE.Properties["schemaUpgradeInProgress"].Add(1)
 $rootDSE.CommitChanges()
From 27fa2773fb3ef57d66e3afb96f303903340efce1 Mon Sep 17 00:00:00 2001
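Review bot: `$schemaMaster` is scraped from the text of `netdom query fsmo`, which is localized and requires the netdom binary (RSAT) to be present; when the regex does not match, the chain `.Matches.Groups[1].Value` on a null result yields an empty value without raising (null member access is silent unless strict mode is on, so `$ErrorActionPreference = "Stop"` does not help), and every later bind in both hunks is then built from an empty server name. The .NET directory API returns the same role holder without parsing: `$schemaMaster = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().SchemaRoleOwner.Name`, followed by `if ([string]::IsNullOrEmpty($schemaMaster)) { throw "Could not determine the schema master." }`. A one-line comment above it should record why the schema master specifically is targeted, since the commit message is the only place that currently says so.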
From: Bill Long
Date: Tue, 3 Aug 2021 06:45:00 -0700
Subject: [PATCH 3/6] Move to Security folder

---
 .github/CODEOWNERS | 3 ++-
 .../src}/Test-CVE-2021-34470.ps1 | 0
 docs/index.md | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
 rename {Diagnostics/Test-CVE-2021-34470 => Security/src}/Test-CVE-2021-34470.ps1 (100%)

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 02757f1ab8..ba8310fa0f 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,8 +4,9 @@
 # Everything in Security is owned by those folks
 /Security/src/ @ethanb-msft @dbacon247 @bill-long @dpaulson45
-# Except this one which is owned by Exchange
+# Except these which are owned by Exchange
 /Security/src/Test-ProxyLogon.ps1 @bill-long @dpaulson45 @lusassl-msft
+/Security/src/Test-CVE-2021-34470.ps1 @bill-long @dpaulson45 @lusassl-msft
 # Rob Whaley owns these
 /Hybrid/ @tweekerz @bill-long @dpaulson45 @lusassl-msft
diff --git a/Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1 b/Security/src/Test-CVE-2021-34470.ps1
similarity index 100%
rename from Diagnostics/Test-CVE-2021-34470/Test-CVE-2021-34470.ps1
rename to Security/src/Test-CVE-2021-34470.ps1
diff --git a/docs/index.md b/docs/index.md
index 0bf97698e7..f92e5c7bc5 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -15,3 +15,4 @@ This project contains scripts for supporting and troubleshooting Microsoft Excha
 | SetupAssist.ps1 | [Docs](Setup/SetupAssist) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SetupAssist.ps1) |
 | SourceSideValidations.ps1 | [Docs](PublicFolders/SourceSideValidations) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SourceSideValidations.ps1) |
 | Test-AMSI.ps1 | [Docs](Admin/Test-AMSI) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-AMSI.ps1) |
+| Test-CVE-2021-34470.ps1 | [Docs](Security/Test-CVE-2021-34470) | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)
From a5e5eb2d2ffaf455330f36e1394e793365b701e4 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Tue, 3 Aug 2021 07:20:57 -0700
Subject: [PATCH 4/6] Write a log if we have unexpected values

---
 Security/src/Test-CVE-2021-34470.ps1 | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/Security/src/Test-CVE-2021-34470.ps1 b/Security/src/Test-CVE-2021-34470.ps1
index 33f6b052a7..7cbc4b48b5 100644
--- a/Security/src/Test-CVE-2021-34470.ps1
+++ b/Security/src/Test-CVE-2021-34470.ps1
@@ -10,7 +10,7 @@ param (
 $ErrorActionPreference = "Stop"
-$schemaMaster = (netdom query fsmo | sls "Schema master\s+(\S+)").Matches.Groups[1].Value
+$schemaMaster = (netdom query fsmo | Select-String "Schema master\s+(\S+)").Matches.Groups[1].Value
 $schemaDN = ([ADSI]"LDAP://$($schemaMaster)/RootDSE").schemaNamingContext
@@ -27,15 +27,25 @@ if ($storageGroupSchemaEntry.Properties["possSuperiors"].Count -eq 0) {
 return
 }
+$hasUnexpectedValues = $false
+
 foreach ($val in $storageGroupSchemaEntry.Properties["possSuperiors"]) {
 if ($val -eq "computer") {
 Write-Warning "CVE-2021-34470 vulnerability is present."
 } else {
+ $hasUnexpectedValues = $true
 Write-Warning "CVE-2021-34470 vulnerability may be present due to an unexpected superior: $val"
 }
 }
 if ($ApplyFix) {
+ if ($hasUnexpectedValues) {
+ $OutputFile = "$PSScriptRoot\Test-CVE-2021-34470.log"
+ "Attempting fix at $(Get-Date)." | Out-File $OutputFile -Append
+ "Value prior to fix:" | Out-File $OutputFile -Append
+ $storageGroupSchemaEntry.Properties["possSuperiors"] | Out-File $OutputFile -Append
+ }
+
 Write-Host "Attempting to apply fix..."
 $rootDSE = [ADSI]("LDAP://$($schemaMaster)/RootDSE")
From 29454a7d17238da670115d4dcabdcdb87b1ea6b9 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Tue, 3 Aug 2021 07:21:10 -0700
Subject: [PATCH 5/6] Add doc to fill in later

---
 docs/Security/Test-CVE-2021-34470.md | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 docs/Security/Test-CVE-2021-34470.md

diff --git a/docs/Security/Test-CVE-2021-34470.md b/docs/Security/Test-CVE-2021-34470.md
new file mode 100644
index 0000000000..bb54cecf51
--- /dev/null
+++ b/docs/Security/Test-CVE-2021-34470.md
@@ -0,0 +1,8 @@
+---
+title: Test-CVE-2021-34470.ps1
+parent: Security
+---
+
+## Test-CVE-2021-34470.ps1
+
+Download the latest release: [Test-Test-CVE-2021-34470.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)
From 60bdc67d7d04fada686a3dba72c0b198f412dd89 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Tue, 3 Aug 2021 08:35:30 -0700
Subject: [PATCH 6/6] Bail if not in Schema Admins

---
 Security/src/Test-CVE-2021-34470.ps1 | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/Security/src/Test-CVE-2021-34470.ps1 b/Security/src/Test-CVE-2021-34470.ps1
index 7cbc4b48b5..bfef1c42a4 100644
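Review bot: The pre-fix value of `possSuperiors` is written to the log only when `$hasUnexpectedValues` is set, but the `Clear()` further down in the `if ($ApplyFix)` block (outside this hunk) removes every value regardless, so in the expected case (only `computer`) there is no record an operator could use to restore the attribute; drop the `if ($hasUnexpectedValues) {` guard and write the log unconditionally before the commits. `$PSScriptRoot` is empty when the script body is run other than from its file (pasted into a console, for instance), which turns the path into `\Test-CVE-2021-34470.log` at the root of the current drive; `$OutputFile = Join-Path -Path $(if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }) -ChildPath "Test-CVE-2021-34470.log"` keeps it next to the script or in the working directory. A short comment on the `$OutputFile` line stating that the log is the rollback record would make its purpose clear to whoever reads it later.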
--- a/Security/src/Test-CVE-2021-34470.ps1
+++ b/Security/src/Test-CVE-2021-34470.ps1
@@ -46,6 +46,12 @@ if ($ApplyFix) {
 $storageGroupSchemaEntry.Properties["possSuperiors"] | Out-File $OutputFile -Append
 }
+ $isSchemaAdmin = $null -ne (whoami /groups | sls "\\Schema Admins\s+Group")
+ if (-not $isSchemaAdmin) {
+ Write-Warning "This user is not in Schema Admins. Cannot apply fix."
+ return
+ }
+
 Write-Host "Attempting to apply fix..."
 $rootDSE = [ADSI]("LDAP://$($schemaMaster)/RootDSE")
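Review bot: The membership check matches the literal English group name (and the English "Group" type column) in `whoami /groups` output, so on a forest whose root domain has a localized name for the group the script refuses to apply the fix even for a real Schema Admin, and the check also reintroduces the `sls` alias that the previous commit expanded to `Select-String`. The group is better identified by its well-known RID (518 in the forest root domain) against the current token, which is locale-independent and needs no external process; the lines below sketch that, and the check should move above the log write in this hunk so the log does not record "Attempting fix" for a run that bails. The `if ($ApplyFix)` block begins before this hunk and continues after it.
```powershell
    # Schema Admins is RID 518 of the forest root domain; compare SIDs so the check
    # does not depend on the localized group name or on whoami's column layout.
    $rootDomainEntry = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().RootDomain.GetDirectoryEntry()
    $rootDomainSid = New-Object System.Security.Principal.SecurityIdentifier($rootDomainEntry.Properties["objectSid"].Value, 0)
    $schemaAdminsSid = New-Object System.Security.Principal.SecurityIdentifier("$($rootDomainSid.Value)-518")
    $isSchemaAdmin = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups -contains $schemaAdminsSid
    if (-not $isSchemaAdmin) {
        Write-Warning "This user is not in Schema Admins. Cannot apply fix."
        return
    }
    # ... unchanged: log of the prior value, then the schema writes ...
```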