Merge pull request #1849 from microsoft/OctSu

Oct SU Changes
microsoft · Oct 10, 2023 · 138bce9 · 138bce9
2 parents a7db602 + c379bba
commit 138bce9
Show file tree

Hide file tree

Showing 31 changed files with 1,197 additions and 108 deletions.
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerExchangeInformation.ps1
@@ -376,6 +376,35 @@ function Invoke-AnalyzerExchangeInformation {
             Details = $exchangeInformation.ExtendedProtectionConfig.ExtendedProtectionConfigured
         }
         Add-AnalyzedResultInformation @params
+
+        # If any directory has a higher than expected configuration, we need to throw a warning
+        # This will be detected by SupportedExtendedProtection being set to false, as we are set higher than expected/recommended value you will likely run into issues of some kind
+        $notSupportedExtendedProtectionDirectories = $exchangeInformation.ExtendedProtectionConfig.ExtendedProtectionConfiguration |
+            Where-Object { $_.SupportedExtendedProtection -eq $false }
+
+        if ($null -ne $notSupportedExtendedProtectionDirectories) {
+            foreach ($entry in $notSupportedExtendedProtectionDirectories) {
+                $expectedValue = if ($entry.MitigationSupported -and $entry.MitigationEnabled) { "None" } else { $entry.ExpectedExtendedConfiguration }
+                $params = $baseParams + @{
+                    Details                = "$($entry.VirtualDirectoryName) - Current Value: '$($entry.ExtendedProtection)'   Expected Value: '$expectedValue'"
+                    DisplayWriteType       = "Yellow"
+                    DisplayCustomTabNumber = 2
+                    TestingName            = "EP - $($entry.VirtualDirectoryName)"
+                    DisplayTestingValue    = ($entry.ExtendedProtection)
+                }
+                Add-AnalyzedResultInformation @params
+            }
+
+            $params = $baseParams + @{
+                Details          = "`r`n`t`tThe current Extended Protection settings may cause issues with some clients types on $(if(@($notSupportedExtendedProtectionDirectories).Count -eq 1) { "this protocol."} else { "these protocols."})" +
+                "`r`n`t`tIt is recommended to set the EP setting to the recommended value if you are having issues with that protocol." +
+                "`r`n`t`tMore Information: https://aka.ms/ExchangeEPDoc"
+                DisplayWriteType = "Yellow"
+            }
+            Add-AnalyzedResultInformation @params
+        } else {
+            Write-Verbose "All virtual directories are supported for the Extended Protection value."
+        }
     }
 
     if ($null -ne $exchangeInformation.SettingOverrides) {

diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerIISInformation.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerIISInformation.ps1
@@ -171,4 +171,30 @@ function Invoke-AnalyzerIISInformation {
         }
         Add-AnalyzedResultInformation @params
     }
+
+    ########################
+    # IIS Module Information
+    ########################
+
+    Write-Verbose "Working on IIS Module information"
+
+    # If TokenCacheModule is not loaded, we highlight that it could be added back again as Windows provided a fix to address CVE-2023-36434 (also tracked as CVE-2023-21709)
+    if ($null -eq $exchangeInformation.IISSettings.IISModulesInformation.ModuleList.Name) {
+        Write-Verbose "Module List is null, unable to provide accurate check for this."
+    } elseif ($exchangeInformation.IISSettings.IISModulesInformation.ModuleList.Name -notcontains "TokenCacheModule") {
+        Write-Verbose "TokenCacheModule wasn't detected (vulnerability mitigated) and as a result, system is not vulnerable to CVE-2023-21709 / CVE-2023-36434"
+
+        $params = $baseParams + @{
+            Name                = "TokenCacheModule loaded"
+            Details             = ("$false
+                `r`t`tThe module wasn't found and as a result, CVE-2023-21709 and CVE-2023-36434 are mitigated. Windows has released a Security Update that addresses the vulnerability.
+                `r`t`tIt should be installed on all Exchange servers and then, the TokenCacheModule can be added back to IIS (by running .\CVE-2023-21709.ps1 -Rollback).
+                `r`t`tMore Information: https://aka.ms/CVE-2023-21709ScriptDoc"
+            )
+            DisplayWriteType    = "Yellow"
+            AddHtmlDetailRow    = $false
+            DisplayTestingValue = $true
+        }
+        Add-AnalyzedResultInformation @params
+    }
 }
diff --git a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-21709.ps1 b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-21709.ps1
diff --git a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-36434.ps1 b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCve-2023-36434.ps1
@@ -0,0 +1,75 @@
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+
+. $PSScriptRoot\..\Add-AnalyzedResultInformation.ps1
+function Invoke-AnalyzerSecurityCve-2023-36434 {
+    [CmdletBinding()]
+    param(
+        [Parameter(Mandatory = $true)]
+        [ref]$AnalyzeResults,
+
+        [Parameter(Mandatory = $true)]
+        [object]$SecurityObject,
+
+        [Parameter(Mandatory = $true)]
+        [object]$DisplayGroupingKey
+    )
+
+    <#
+        Description: Check for CVE-2023-36434 vulnerability (also tracked as CVE-2023-21709)
+        Affected Exchange versions: 2016, 2019
+        Fix: Install October 2023 Windows Security Update
+        Workaround: Remove TokenCacheModule from IIS by running the CVE-2023-21709.ps1 script
+    #>
+
+    begin {
+        Write-Verbose "Calling: $($MyInvocation.MyCommand)"
+        $tokenCacheModuleVersionInformation = $SecurityObject.ExchangeInformation.IISSettings.IISTokenCacheModuleInformation
+        $tokenCacheFixedVersionNumber = $null
+        $tokenCacheVersionGreaterOrEqual = $false
+    }
+    process {
+        if ($SecurityObject.IsEdgeServer -eq $false) {
+            Write-Verbose "Testing CVE: CVE-2023-21709 / CVE-2023-36434"
+
+            if ($SecurityObject.ExchangeInformation.IISSettings.IISModulesInformation.ModuleList.Name -contains "TokenCacheModule") {
+                Write-Verbose "TokenCacheModule detected - system could be vulnerable to CVE-2023-21709 / CVE-2023-36434 vulnerability"
+
+                if ($null -ne $tokenCacheModuleVersionInformation) {
+                    Write-Verbose "TokenCacheModule build information found - performing build analysis now..."
+                    switch ($tokenCacheModuleVersionInformation.FileBuildPart) {
+                        9200 { $tokenCacheFixedVersionNumber = "8.0.9200.24514"; break } # Windows Server 2012
+                        9600 { $tokenCacheFixedVersionNumber = "8.5.9600.21613"; break } # Windows Server 2012 R2
+                        14393 { $tokenCacheFixedVersionNumber = "10.0.14393.6343"; break } # Windows Server 2016
+                        17763 { $tokenCacheFixedVersionNumber = "10.0.17763.4968"; break } # Windows Server 2019
+                        20348 { $tokenCacheFixedVersionNumber = "10.0.20348.2029"; break } # Windows Server 2022
+                        default { Write-Verbose "No fixed TokenCacheModule version available for Windows OS build: $($tokenCacheModuleVersionInformation.FileBuildPart)" }
+                    }
+
+                    if ($null -ne $tokenCacheFixedVersionNumber) {
+                        Write-Verbose "Build: $($tokenCacheModuleVersionInformation.FileBuildPart) found - testing against version: $tokenCacheFixedVersionNumber"
+                        $tokenCacheVersionGreaterOrEqual = ([system.version]$tokenCacheModuleVersionInformation.ProductVersion -ge $tokenCacheFixedVersionNumber)
+                        Write-Verbose "Version: $($tokenCacheModuleVersionInformation.ProductVersion) is greater or equal the expected version? $tokenCacheVersionGreaterOrEqual"
+                    }
+                } else {
+                    Write-Verbose "We were unable to query TokenCacheModule build information - as the module is loaded, we're assuming that it's vulnerable"
+                }
+
+                if ($tokenCacheVersionGreaterOrEqual -eq $false) {
+                    $params = @{
+                        AnalyzedInformation = $AnalyzeResults
+                        DisplayGroupingKey  = $DisplayGroupingKey
+                        Name                = "Security Vulnerability"
+                        Details             = ("{0}`r`n`t`tSee: https://portal.msrc.microsoft.com/security-guidance/advisory/{0} for more information." -f "CVE-2023-36434")
+                        DisplayWriteType    = "Red"
+                        DisplayTestingValue = "CVE-2023-36434"
+                        AddHtmlDetailRow    = $false
+                    }
+                    Add-AnalyzedResultInformation @params
+                }
+            }
+        } else {
+            Write-Verbose "Edge Server Role is not affected by this vulnerability as it has no IIS installed"
+        }
+    }
+}
diff --git a/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCveCheck.ps1 b/Diagnostics/HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityCveCheck.ps1
@@ -6,7 +6,7 @@
 . $PSScriptRoot\Invoke-AnalyzerSecurityCve-2021-1730.ps1
 . $PSScriptRoot\Invoke-AnalyzerSecurityCve-2021-34470.ps1
 . $PSScriptRoot\Invoke-AnalyzerSecurityCve-2022-21978.ps1
-. $PSScriptRoot\Invoke-AnalyzerSecurityCve-2023-21709.ps1
+. $PSScriptRoot\Invoke-AnalyzerSecurityCve-2023-36434.ps1
 . $PSScriptRoot\Invoke-AnalyzerSecurityCve-MarchSuSpecial.ps1
 . $PSScriptRoot\Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1
 . $PSScriptRoot\Invoke-AnalyzerSecurityIISModules.ps1
@@ -129,6 +129,7 @@ function Invoke-AnalyzerSecurityCveCheck {
         "Mar23SU" = (@(NewCveEntry ("CVE-2023-21707") $ex131619))
         "Jun23SU" = (NewCveEntry @("CVE-2023-28310", "CVE-2023-32031") @($ex2016, $ex2019))
         "Aug23SU" = (NewCveEntry @("CVE-2023-38181", "CVE-2023-38182", "CVE-2023-38185", "CVE-2023-35368", "CVE-2023-35388", "CVE-2023-36777", "CVE-2023-36757", "CVE-2023-36756", "CVE-2023-36745", "CVE-2023-36744") @($ex2016, $ex2019))
+        "Oct23SU" = (NewCveEntry @("CVE-2023-36778") @($ex2016, $ex2019))
     }
 
     # Need to organize the list so oldest CVEs come out first.
@@ -202,7 +203,7 @@ function Invoke-AnalyzerSecurityCveCheck {
     Invoke-AnalyzerSecurityCve-2021-1730 -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
     Invoke-AnalyzerSecurityCve-2021-34470 -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
     Invoke-AnalyzerSecurityCve-2022-21978 -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
-    Invoke-AnalyzerSecurityCve-2023-21709 -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
+    Invoke-AnalyzerSecurityCve-2023-36434 -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
     Invoke-AnalyzerSecurityCve-MarchSuSpecial -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey
     # Make sure that these stay as the last one to keep the output more readable
     Invoke-AnalyzerSecurityExtendedProtectionConfigState -AnalyzeResults $AnalyzeResults -SecurityObject $securityObject -DisplayGroupingKey $DisplayGroupingKey

diff --git a/.../HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1 b/.../HealthChecker/Analyzer/Security/Invoke-AnalyzerSecurityExtendedProtectionConfigState.ps1
@@ -88,7 +88,8 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
                                 $vDirArray[0]     = $vDirArray[1]
                                 Value             = $entry.ExtendedProtection
                                 SupportedValue    = if ($entry.MitigationSupported -and $entry.MitigationEnabled) { "None" } else { $entry.ExpectedExtendedConfiguration }
-                                ConfigSupported   = $entry.ProperlySecuredConfiguration
+                                ConfigSupported   = $entry.SupportedExtendedProtection
+                                ConfigSecure      = $entry.ProperlySecuredConfiguration
                                 RequireSSL        = "$($ssl.RequireSSL) $(if($ssl.Ssl128Bit) { "(128-bit)" })".Trim()
                                 ClientCertificate = $ssl.ClientCertificate
                                 IPFilterEnabled   = $entry.MitigationEnabled
@@ -108,13 +109,17 @@ function Invoke-AnalyzerSecurityExtendedProtectionConfigState {
                     if ($p -eq "ConfigSupported") {
                         if ($o.$p -ne $true) {
                             "Red"
-                        } else {
-                            "Green"
                         }
                     } elseif ($p -eq "IPFilterEnabled") {
                         if ($o.$p -eq $true) {
                             "Green"
                         }
+                    } elseif ($p -eq "ConfigSecure") {
+                        if ($o.$p -ne $true) {
+                            "Red"
+                        } else {
+                            "Green"
+                        }
                     }
                 }
 

diff --git a/...ecker/DataCollection/ExchangeInformation/IISInformation/Get-ExchangeServerIISSettings.ps1 b/...ecker/DataCollection/ExchangeInformation/IISInformation/Get-ExchangeServerIISSettings.ps1
@@ -39,6 +39,16 @@ function Get-ExchangeServerIISSettings {
         $webSite = Invoke-ScriptBlockHandler @params -ScriptBlock ${Function:Get-IISWebSite} -ArgumentList (, $exchangeWebSites) -ScriptBlockDescription "Get-IISWebSite"
         $webApplication = Invoke-ScriptBlockHandler @params -ScriptBlock ${Function:Get-IISWebApplication} -ScriptBlockDescription "Get-IISWebApplication"
 
+        # Get the TokenCacheModule build information as we need it to perform version testing
+        Write-Verbose "Trying to query TokenCacheModule version information"
+        $tokenCacheModuleParams = @{
+            ComputerName           = $Server
+            ScriptBlockDescription = "Get TokenCacheModule version information"
+            ScriptBlock            = { [System.Diagnostics.FileVersionInfo]::GetVersionInfo("$env:windir\System32\inetsrv\cachtokn.dll") }
+            CatchActionFunction    = ${Function:Invoke-CatchActions}
+        }
+        $tokenCacheModuleVersionInformation = Invoke-ScriptBlockHandler @tokenCacheModuleParams
+
         # Get the shared web configuration files
         $sharedWebConfigPaths = @($webApplication.ConfigurationFileInfo.LinkedConfigurationFilePath | Select-Object -Unique)
         $sharedWebConfig = $null
@@ -97,12 +107,13 @@ function Get-ExchangeServerIISSettings {
         }
     } end {
         return [PSCustomObject]@{
-            ApplicationHostConfig    = $applicationHostConfig
-            IISModulesInformation    = $iisModulesInformation
-            IISConfigurationSettings = $iisConfigurationSettings
-            IISWebSite               = $webSite
-            IISWebApplication        = $webApplication
-            IISSharedWebConfig       = $sharedWebConfig
+            ApplicationHostConfig          = $applicationHostConfig
+            IISModulesInformation          = $iisModulesInformation
+            IISTokenCacheModuleInformation = $tokenCacheModuleVersionInformation
+            IISConfigurationSettings       = $iisConfigurationSettings
+            IISWebSite                     = $webSite
+            IISWebApplication              = $webApplication
+            IISSharedWebConfig             = $sharedWebConfig
         }
     }
 }
diff --git a/...ics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/GetVersionInformationCachTokn.xml b/...ics/HealthChecker/Tests/DataCollection/E15/Exchange/IIS/GetVersionInformationCachTokn.xml
@@ -0,0 +1,42 @@
+<Objs Version="1.1.0.1" xmlns="http://schemas.microsoft.com/powershell/2004/04">
+  <Obj RefId="0">
+    <TN RefId="0">
+      <T>System.Diagnostics.FileVersionInfo</T>
+      <T>System.Object</T>
+    </TN>
+    <ToString>File:             C:\windows\System32\inetsrv\cachtokn.dll_x000D__x000A_InternalName:     cachtokn.dll_x000D__x000A_OriginalFilename: cachtokn.dll_x000D__x000A_FileVersion:      8.5.9600.0 (rs1_release.160715-1616)_x000D__x000A_FileDescription:  token cache provider_x000D__x000A_Product:          Internet Information Services_x000D__x000A_ProductVersion:   8.5.9600.0_x000D__x000A_Debug:            False_x000D__x000A_Patched:          False_x000D__x000A_PreRelease:       False_x000D__x000A_PrivateBuild:     False_x000D__x000A_SpecialBuild:     False_x000D__x000A_Language:         Language Neutral_x000D__x000A_</ToString>
+    <Props>
+      <S N="Comments"></S>
+      <S N="CompanyName">Microsoft Corporation</S>
+      <I32 N="FileBuildPart">9600</I32>
+      <S N="FileDescription">token cache provider</S>
+      <I32 N="FileMajorPart">8</I32>
+      <I32 N="FileMinorPart">5</I32>
+      <S N="FileName">C:\windows\System32\inetsrv\cachtokn.dll</S>
+      <I32 N="FilePrivatePart">0</I32>
+      <S N="FileVersion">8.5.9600.0 (rs1_release.160715-1616)</S>
+      <S N="InternalName">cachtokn.dll</S>
+      <B N="IsDebug">false</B>
+      <B N="IsPatched">false</B>
+      <B N="IsPrivateBuild">false</B>
+      <B N="IsPreRelease">false</B>
+      <B N="IsSpecialBuild">false</B>
+      <S N="Language">Language Neutral</S>
+      <S N="LegalCopyright">© Microsoft Corporation. All rights reserved.</S>
+      <S N="LegalTrademarks"></S>
+      <S N="OriginalFilename">cachtokn.dll</S>
+      <S N="PrivateBuild"></S>
+      <I32 N="ProductBuildPart">9600</I32>
+      <I32 N="ProductMajorPart">8</I32>
+      <I32 N="ProductMinorPart">5</I32>
+      <S N="ProductName">Internet Information Services</S>
+      <I32 N="ProductPrivatePart">0</I32>
+      <S N="ProductVersion">8.5.9600.0</S>
+      <S N="SpecialBuild"></S>
+    </Props>
+    <MS>
+      <Version N="FileVersionRaw">8.5.9600.0</Version>
+      <Version N="ProductVersionRaw">8.5.9600.0</Version>
+    </MS>
+  </Obj>
+</Objs>