Outlook Web Access

Outlook Web Access is the webmail embedded in Exchange mail server. It is used by users outside the office to get access to their emails.
Unfortunately, some version of OWA are affected by a CSRF attack.
This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3).
Exchange 2010 is not concerned by this attack.

CSRF attack explained

The attacker hosts on his own webserver a page with a code pointing to the targeted OWA webmail domain. When the user browse this page, the code hijack his session to change the target email parameters.
The most complicated part for the attacker is to manage to make the target browse the web page: usually he puts the link in a mail.

CSRF prevention for OWA

Fortunately, it is easy to block this type of attack, since it requires a third party website. Well, easy, only if you use a Load-Balancer or a reverse-proxy with real layer 7 ability.
The ALOHA Load-balancer can be used to load-balance exchange services as well as protect your OWA users against CSRF attacks.

As explained above, a page hosted on a third party server would make the user’s browser send a request to his webmail. When doing this, the browser sets up the Referer HTTP header with the attacker’s website URL (including hostname). Even if it is easy to fake this header in normal situation, it is impossible for the attacker to change the behavior of the browser.
Which means we can easily monitor the Referer header and prevent any request coming from an unknown domain.
In some cases, a Referer from an other domain could be allowed, but only when pointing to a few URLs (OWA’s entry points).

It is important to notice that the ALOHA Load-Balancer must be used as the SSL offloader in order to be able to access all the HTTP headers.

The configuration below will explain all of this.

# valid Referer detection
  acl valid_owa_referer hdr_beg(Referer) http://webmail.company.com/ https://webmail.company.com/

# OWA entry points may have a Referer pointing to an other domain
  acl owa_welcome_url url / /owa /owa/

# don't check the Referer on welcome urls
  http-request allow if owa_welcome_url

# deny any OWA requests if the Referer does not point to Company's webmail hostname
  http-request deny if !valid_owa_referer

# allow valid requests (this one is implicite, but written for better understanding
  http-request allow

The code above won’t run any Referer check for the webmail URLs entry points and will check it for all other URLs. If a request points to a page with a Referer outside the company’s domain name, the the request is denied and your user safety is preserved.

Related links