microsoft · bill-long · Aug 3, 2021 · Aug 2, 2021 · Aug 3, 2021 · Aug 3, 2021
@@ -4,8 +4,9 @@
 # Everything in Security is owned by those folks
 /Security/src/   @ethanb-msft @dbacon247 @bill-long @dpaulson45
 
-# Except this one which is owned by Exchange
+# Except these which are owned by Exchange
 /Security/src/Test-ProxyLogon.ps1   @bill-long @dpaulson45 @lusassl-msft
+/Security/src/Test-CVE-2021-34470.ps1   @bill-long @dpaulson45 @lusassl-msft
 
 # Rob Whaley owns these
 /Hybrid/        @tweekerz @bill-long @dpaulson45 @lusassl-msft

@@ -0,0 +1,65 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+[CmdletBinding()]
+param (
+    [Parameter()]
+    [switch]
+    $ApplyFix
+)
+
+$ErrorActionPreference = "Stop"
+
+$schemaMaster = (netdom query fsmo | Select-String "Schema master\s+(\S+)").Matches.Groups[1].Value
+
+$schemaDN = ([ADSI]"LDAP://$($schemaMaster)/RootDSE").schemaNamingContext
+
+$storageGroupSchemaEntryDN = "LDAP://$($schemaMaster)/CN=ms-Exch-Storage-Group,$schemaDN"
+
+if (-not ([System.DirectoryServices.DirectoryEntry]::Exists($storageGroupSchemaEntryDN))) {
+    Write-Host "Exchange was not installed in this forest. Therefore, CVE-2021-34470 vulnerability is not present."
+    return
+}
+
+$storageGroupSchemaEntry = [ADSI]($storageGroupSchemaEntryDN)
+if ($storageGroupSchemaEntry.Properties["possSuperiors"].Count -eq 0) {
+    Write-Host "CVE-2021-34470 vulnerability is not present."
+    return
+}
+
+$hasUnexpectedValues = $false
+
+foreach ($val in $storageGroupSchemaEntry.Properties["possSuperiors"]) {
+    if ($val -eq "computer") {
+        Write-Warning "CVE-2021-34470 vulnerability is present."
+    } else {
+        $hasUnexpectedValues = $true
+        Write-Warning "CVE-2021-34470 vulnerability may be present due to an unexpected superior: $val"
+    }
+}
+
+if ($ApplyFix) {
+    if ($hasUnexpectedValues) {
+        $OutputFile = "$PSScriptRoot\Test-CVE-2021-34470.log"
+        "Attempting fix at $(Get-Date)." | Out-File $OutputFile -Append
+        "Value prior to fix:" | Out-File $OutputFile -Append
+        $storageGroupSchemaEntry.Properties["possSuperiors"] | Out-File $OutputFile -Append
+    }
+
+    $isSchemaAdmin = $null -ne (whoami /groups | sls "\\Schema Admins\s+Group")
+    if (-not $isSchemaAdmin) {
+        Write-Warning "This user is not in Schema Admins. Cannot apply fix."
+        return
+    }
+
+    Write-Host "Attempting to apply fix..."
+
+    $rootDSE = [ADSI]("LDAP://$($schemaMaster)/RootDSE")
+    [void]$rootDSE.Properties["schemaUpgradeInProgress"].Add(1)
+    $rootDSE.CommitChanges()
+
+    $storageGroupSchemaEntry.Properties["possSuperiors"].Clear()
+    $storageGroupSchemaEntry.CommitChanges()
+
+    Write-Host "Fix was applied successfully."
+}
@@ -0,0 +1,8 @@
+---
+title: Test-CVE-2021-34470.ps1
+parent: Security
+---
+
+## Test-CVE-2021-34470.ps1
+
+Download the latest release: [Test-Test-CVE-2021-34470.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)
@@ -15,3 +15,4 @@ This project contains scripts for supporting and troubleshooting Microsoft Excha
 | SetupAssist.ps1                      | [Docs](Setup/SetupAssist)                              | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SetupAssist.ps1)                      |
 | SourceSideValidations.ps1            | [Docs](PublicFolders/SourceSideValidations)            | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/SourceSideValidations.ps1)            |
 | Test-AMSI.ps1                        | [Docs](Admin/Test-AMSI)                                | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-AMSI.ps1)                        |
+| Test-CVE-2021-34470.ps1              | [Docs](Security/Test-CVE-2021-34470)                   | [Download](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-CVE-2021-34470.ps1)