Comments on: Reducing zero-day vulnerability in Microsoft Exchange Server with Citrix Web App Firewall
https://www.citrix.com/blogs/2022/10/04/zero-day-vulnerability-microsoft-exchange-server-with-citrix-web-app-firewall/
Official Citrix Blogs

By: Muhammad
Mon, 10 Oct 2022 15:22:00 +0000
https://www.citrix.com/blogs/2022/10/04/zero-day-vulnerability-microsoft-exchange-server-with-citrix-web-app-firewall/#comment-198296
In reply to Citrix.

TAC acknowledged a known issue with the v93 signatures and asked to update the signatures version to v95.

By: Citrix
Mon, 10 Oct 2022 15:03:00 +0000
https://www.citrix.com/blogs/2022/10/04/zero-day-vulnerability-microsoft-exchange-server-with-citrix-web-app-firewall/#comment-198295
In reply to Muhammad.

Thanks for reaching out. This sounds like it could be a separate, unrelated issue. Please contact Citrix Support at https://www.citrix.com/support/.

By: Muhammad
Fri, 07 Oct 2022 06:02:00 +0000
https://www.citrix.com/blogs/2022/10/04/zero-day-vulnerability-microsoft-exchange-server-with-citrix-web-app-firewall/#comment-198293

Thanks for the detailed article. After updating the signature, some of the other WAF profiles which had the web-iis signatures enabled are breaking the application for a specific signature match which wasn’t happening before:

msg=Signature violation rule ID 1029: web-iis scripts-browse access

This signature rule says:

WEB-IIS scripts-browse access

<Match type="LITERAL">/scripts/

nessus,11032

However, the URL has no “/scripts/” literal string in it, but still the application HTTP requests match this signature & get BLOCKED.

Is there a way to roll back the signature version to the previous one?

Is this a BUG?
