Atlassian, Microsoft bugs on CISA’s must-patch list after exploitation spree

A recently disclosed critical vulnerability in Atlassian's Bitbucket is actively being exploited, according to the US government. The Cybersecurity and Infrastructure Security Agency (CISA) late on Friday placed the flaw – tracked as CVE-2022-36804 – on its catalog of Known Exploited Vulnerabilities (KEV), effectively a must- …

  1. Anonymous Coward

    Thank God ..

    .. we are in the process of ripping out all of Microsoft Exchange.

    It's only taken about 5 years to get to this stage, sigh.

  2. Anonymous Coward

    Connected to ... what?

    "Exchange is an email server, so it must be connected directly to the internet"

    Er... not necessarily true? Indeed, preferably not true if you've got your head screwed on?

    A/C

    1. Danny 14

      Re: Connected to ... what?

      I will bite. How do you mean? I do know you can have Exchange live behind ADFS and WAP, but these current exploits require an authenticated account anyway, so they would get past the WAP. The calls to Exchange are quite valid remote PowerShell calls and use an exploit via normal channels.

      How else do you mean for Exchange to be able to send email externally and not be connected to the internet? How would you get OWA working, for example?

      We run hybrid AD and migrated on-site to off-site Exchange; this needs an Exchange server to operate (no mailboxes on the server, plus there is no route for on-site Exchange OUT via SMTP either - only Microsoft 365 IPs can connect IN via the firewall), so it's about as good as I can get it. I suppose I could also hamstring IIS too if necessary.

      1. Claptrap314 Silver badge

        Re: Connected to ... what?

        Umm.. Just because you have to accept email from more-or-less anywhere in the world, that's no reason that you should accept powershell commands.

        For starters.

        1. A random security guy

          Re: Connected to ... what?

          It is not a bug; it’s a feature.
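A worked illustration of the point made in this sub-thread (accept mail from anywhere, but do not let the remote PowerShell endpoint answer to anyone outside the admin network). This is an example added by the editor, not code from the article or from any commenter: it parses IIS W3C log lines from an Exchange front end and flags every request that reached the /powershell virtual directory from an address outside an assumed admin VLAN. The log lines, the admin network, and the 192.0.2.0/24 range standing in for the Microsoft 365 address list are all constructed assumptions.

```python
"""Audit an Exchange IIS log for requests that reach the remote PowerShell
virtual directory from outside the networks an administrator would expect.

Added illustration; the log lines, network ranges and policy below are
constructed and are not taken from the article or any commenter.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: only an admin VLAN should ever talk to /powershell.
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]
# Assumption: internal space plus the cloud mail service's published ranges.
# 192.0.2.0/24 is a documentation range standing in for the real Microsoft 365
# list, which you would load from Microsoft's published endpoint data.
TRUSTED_NETS = ADMIN_NETS + [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.0.2.0/24"),
]
POWERSHELL_PATH = "/powershell"

# Constructed sample in IIS W3C format (IIS writes spaces inside the
# user-agent as '+', so whitespace splitting is safe).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-03 10:00:01 POST /owa/auth.owa - 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) 200
2022-10-03 10:00:05 POST /powershell - 10.0.1.40 Microsoft+WinRM+Client 200
2022-10-03 10:00:09 GET /powershell - 198.51.100.9 curl/7.85.0 401
2022-10-03 10:00:12 POST /powershell - 10.0.5.7 Microsoft+WinRM+Client 200
2022-10-03 10:00:15 POST /ews/exchange.asmx - 192.0.2.10 Microsoft+Office/16.0 200
"""


@dataclass
class Finding:
    client_ip: str
    uri: str
    status: str
    reason: str


def in_any(ip: str, nets) -> bool:
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def audit(text: str) -> list:
    """Return a Finding for every /powershell request not from ADMIN_NETS."""
    findings = []
    for row in parse_w3c(text):
        stem, query, ip = row["cs-uri-stem"], row["cs-uri-query"], row["c-ip"]
        uri = stem if query == "-" else f"{stem}?{query}"
        # Match the path in the query string too; a proxy or rewrite layer
        # can carry the intended target there.
        if POWERSHELL_PATH not in uri.lower() or in_any(ip, ADMIN_NETS):
            continue
        if in_any(ip, TRUSTED_NETS):
            reason = "PowerShell endpoint reached from trusted but non-admin network"
        else:
            reason = "PowerShell endpoint reachable from an untrusted address"
        # A 401 still counts: the endpoint answered, so it is exposed.
        findings.append(Finding(ip, uri, row["sc-status"], reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.client_ip:15} {f.status} {f.uri:12} {f.reason}")
```

Run against the constructed sample, the script reports two findings: the curl request from 198.51.100.9 (an untrusted address, still worth flagging even though it got a 401, because the endpoint answered at all) and the WinRM request from 10.0.5.7, which is inside the trusted range but not on the admin VLAN. The OWA and EWS requests are left alone, which is the split the commenters are describing: mail-facing paths reachable from the world, the PowerShell path not.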

  3. J. Cook Silver badge
    Boffin

    Technically, you can, but it involves putting a content-aware proxy in between the Exchange server(s) and the firewall. While such things do exist (there's an iApp for the F5 load balancers), it also requires adding custom code to said load balancer, which is not for the faint of heart. Oh, and it still wouldn't protect you against this exploit, and it'll break rather a lot of stuff that things like mobile clients use.

    Exchange should only ever swap email externally through an edge server and/or an SMTP gateway appliance (i.e. a spam filter). While you could hook up a node directly for SMTP exchange, it's a really bad idea. (I was against putting Edge nodes into ours until I discovered that the cloud-based email security appliances we migrated to a couple of years back required it; this has resulted in at least one problem where user A blocks a sender as junk, the edge boxes dutifully start doing so, and then user B complains they aren't getting emails from that sender anymore...)

    One of my projects this year is migrating to Exchange Online, which I'm pretty sure will cause the bald spot forming on my head to grow. :(

  4. A random security guy

    Exchange nightmare

    Having programmed modules for exchange and outlook, I’m still surprised that the thing actually works.

    My IT admin in a previous company told me that a rule of thumb is 1 IT Engineer per Exchange server. I may be off, but I doubt by too much.

    GSuite seems to work for most use cases.
