On January 10, 2023, Microsoft released new Security Updates for Exchange 2013 CU23, Exchange 2016 CU23 and Exchange 2019 CU11 and CU12.
In this Security Update, the following CVEs with severity rating ‘Important’ are fixed:
- CVE-2023-21745 - Microsoft Exchange Server Spoofing Vulnerability (Spoofing)
- CVE-2023-21761 - Microsoft Exchange Server Information Disclosure Vulnerability (Information disclosure)
- CVE-2023-21762 - Microsoft Exchange Server Spoofing Vulnerability (Spoofing)
- CVE-2023-21763 - Microsoft Exchange Server Elevation of Privilege Vulnerability (Elevation of privilege)
- CVE-2023-21764 - Microsoft Exchange Server Elevation of Privilege Vulnerability (Elevation of privilege)
Besides fixing the CVEs, this SU introduces a new security feature: PowerShell Serialization Payload Signing. Serialization is the process of converting an object (such as PowerShell output) into a stream of bytes that can, for example, be stored in a file. The Export-Csv command is one example of serialization: an object is converted into plain text that is stored on disk.
To prevent tampering with serialized data, Microsoft has added certificate-based signing of PowerShell serialization payloads. The certificate used for signing is the Exchange Auth certificate, which is created when an Exchange server is installed and has a lifetime of five years. The same Auth certificate is used on all Exchange servers in the organization. To manage this certificate, Microsoft has released a new script called ‘MonitorExchangeAuthCertificate.ps1’. More information about this script and a download location can be found on GitHub: https://microsoft.github.io/CSS-Exchange/Admin/MonitorExchangeAuthCertificate/
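Because payload signing depends on the Auth certificate being present and valid on every server, a quick health check is useful alongside Microsoft's script. The following Exchange Management Shell snippet is an added example (not code from this post or from MonitorExchangeAuthCertificate.ps1); it uses the standard Get-AuthConfig, Get-ExchangeServer and Get-ExchangeCertificate cmdlets, and the 60-day warning threshold is an arbitrary assumption.

```powershell
# Added example, not part of the original post or of Microsoft's script.
# Run in the Exchange Management Shell. The 60-day threshold is an assumption.
$WarnDays = 60

# Get-AuthConfig holds the thumbprint of the Auth certificate the organization
# currently uses, plus the next one if a rollover has already been staged.
$authConfig = Get-AuthConfig
$current = $authConfig.CurrentCertificateThumbprint
if (-not $current) { throw 'No current Auth certificate is configured (Get-AuthConfig).' }

Write-Host "Current Auth certificate thumbprint: $current"
if ($authConfig.NextCertificateThumbprint) {
    Write-Host ("Next Auth certificate staged: {0} (effective {1})" -f $authConfig.NextCertificateThumbprint, $authConfig.NextCertificateEffectiveDate)
}

# The same certificate must exist on every Mailbox server, since each server signs
# and verifies serialization payloads with it. Edge servers are not part of this.
$servers = Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }

$report = foreach ($server in $servers) {
    $cert = Get-ExchangeCertificate -Server $server.Name -Thumbprint $current -ErrorAction SilentlyContinue
    if ($null -eq $cert) {
        [pscustomobject]@{ Server = $server.Name; Status = 'MISSING'; Expires = $null; DaysLeft = $null }
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    $status = 'OK'
    if ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
    if ($daysLeft -le 0) { $status = 'EXPIRED' }
    [pscustomobject]@{ Server = $server.Name; Status = $status; Expires = $cert.NotAfter; DaysLeft = $daysLeft }
}

$report | Format-Table -AutoSize

# Exit non-zero when any server is missing the certificate or it is close to expiry,
# so the check can be scheduled and alerted on.
if ($report | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A server reported as MISSING cannot verify payloads signed by the others, and an EXPIRED certificate breaks signing everywhere, so either result is a reason to run Microsoft's script and renew or redistribute the certificate.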
More information and downloads:
A couple of closing remarks:
- Exchange 2013 is out of support as of April 2023 and no more security updates will be released after this date. If you are still running Exchange 2013, make sure you upgrade to Exchange 2019.
- Exchange 2016 is out of mainstream support, so no more Cumulative Updates will be released for Exchange 2016. Security updates for Exchange 2016 CU23 will be released until end of extended support is reached in 2025.
- Security Updates are cumulative, so they include all previous security updates for this specific CU level.
- Security Updates are CU specific, so you cannot mix security updates on various cumulative updates.
- Make sure you deploy these security updates as soon as possible, and make sure your Exchange servers are fully patched.
- Hybrid servers need to be patched as well. If you don’t have any mailboxes left on your Exchange server, you can stop publishing Exchange to the Internet, which shields those servers from Internet-based attacks.
- As always, test these updates in your test environment before bringing them into production.
Want to learn more about Exchange Monitoring & Reporting?
How do you ensure vital business communication, such as email, stays up and running? How do you demonstrate to senior management that additional resources are needed to meet growing demand or that service levels are being met? ENow makes your job easier by putting everything you need into a single, concise OneLook dashboard, instead of forcing you to use fragmented and complicated tools for monitoring and reporting.
Easy to deploy and intuitive to use, ACCESS YOUR FREE 14-DAY TRIAL and combine all key elements for your Exchange monitoring and reporting to keep your messaging infrastructure up and running like a pro!
- Consolidated dashboard view of messaging environment health
- Automatically verify external Mail flow, OWA, ActiveSync, Outlook Anywhere
- Mail flow queue monitoring
- DAG configuration and failover monitoring
- Microsoft Security Patch verification
- 200+ built-in, customizable reports, including: Mailbox size, Mail Traffic, Quota, Storage, Distribution Lists, Public Folders, Database size, OWA, Outlook version, permissions, SLA and mobile device reports