URGENT: Zero Day Vulnerabilities for Exchange Server
On March 2, 2021 Microsoft released a number of critical security updates for Exchange. These are...
Securing Exchange servers is hard. I mean it can be a giant pain sometimes. There are what, hundreds of millions or maybe billions of lines of code running on your Exchange servers, right? It doesn’t take much for a typo to get through and open a vulnerability that can then be exploited opening the most important and valuable data within your organization to all kinds of bad actors.
When I was starting my career as an IT pro, generally a virus would just crash your PC. Maybe you would get your hard drive deleted, which was terribly inconvenient but not much of a financial threat to organizations. In 2020, if a hacker can gain access to your IT resources, that person is most often doing so with some sort of monetary goal in mind. That goal might be a ransomware attack, it might be to harvest passwords to sell (notice how I did not say “on the dark web”? I assume that is where most passwords are sold but since this is not a commercial for some sketchy identity protection product, I don’t feel the need to include that bit of extra scare tactic).
There are real world vulnerabilities out that that could be affecting your on-premises Exchange servers right now (okay, maybe a little scare is warranted). In this blog post I’m going to talk about those exploits, how to protect your organization from them, and how to keep your organization safe from future exploits.
This blog post for the Microsoft Defender ATP Team highlights a current vulnerability that Microsoft has identified in the wild. The linked blog post was published by Microsoft on 6/24/2020 and talks about a vulnerability that has been patched since 2/11/2020.
Below is a table that lists the versions of Exchange and where to download the security update for this vulnerability. Go ahead and review this table, then fix your Exchange servers. I will wait for you to finish before I continue here.
|Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30||4536989||Security Update|
|Microsoft Exchange Server 2013 Cumulative Update 23||Security Update|
|Microsoft Exchange Server 2016 Cumulative Update 14||Security Update|
|Microsoft Exchange Server 2016 Cumulative Update 15||4536987|
|Microsoft Exchange Server 2019 Cumulative Update 3|
|Microsoft Exchange Server 2019 Cumulative Update 4||Security Update|
All patched up? Good. Then we can proceed.
I am not going to regurgitate that entire blog post here. If you are reading this blog post I assume you can read that one just as well. It goes into all kinds of details about the current vulnerability, how Microsoft detected it, and what can be done to prevent similar attacks in the future. Spoiler alert, the ATP team at Microsoft wants you to use their product. I think that is a fine and dandy idea, but I’m going to assume that is not in your current budget and talk about some other things you can do to protect your on-premises Exchange environment.
I mean really people.
I end up working on maybe 10-20 different Exchange organizations per year. My unscientific guess is that over 90 percent of them are not patched to current when I first connect. I do see varying patch levels, with some only behind a few months, but I do see a shocking number of Exchange servers that are running years behind on patches. This is wholly unacceptable and should never happen.
I know patching Exchange servers is a pain. I know that no organization ever wants to schedule a weekend outage. I know no admin wants to dedicate a Saturday (maybe a Saturday night) to watching those silly blue line crawl across your screen. I know, I know, I know. I still don’t feel sorry for you. This is your job, so do it.
If your servers are woefully behind on patches, you’ll probably need to worry about more than just failing over databases and running the latest CU. Net updates may be necessary, which can be a complicated multi-step process with lots of opportunity for things to go wrong.
If you read though the MS blog post linked above, the author outlines what Defender ATP alerts would show during each step of the process of this exploit being used. There is no doubt that Defender ATP is a great product that would help secure your environment, but not having it is not an excuse.
It is free to setup a PowerShell script that pulls the members of your highly privileged groups. I did about 12 seconds of research to find THIS script that does just that. I bet you could setup a scheduled task to run that script and email you the results once a week.
Of course, there is a lot more monitoring you can do, but if you don’t have the resources for fancy tools you can still cover the basics.
I know you do Exchange backups every night, but when is that last time you did a real restore?
Say you got the following text message from your CIO at 8:00 AM tomorrow
THIS IS A DRILL – All Exchange servers and Domain controllers are down. You need to do a full Exchange environment restore in a virtual lab. Reply to this text when I can log into OWA and send/receive email (with a test email domain) to my Gmail account. The clock is running. – THIS IS A DRILL
How do you think that would go in your organization? Ever try it? I promise if you do you will learn all kinds of interesting things about your Exchange (and probably Active Directory too) setup.
What is even better is that after that is done, you will have a shiny new test environment for testing patches before you deploy them to your production servers. WIN/WIN!
I can’t cover all the details of Exchange security in a thousand-word blog post. There are entire books written, and whole certifications design to cover just small parts of this topic.
What I can do is remind you to patch, backup/RESTORE, and monitor your environment. There is almost certainly more you can be doing to help protect your serves. Please do what you can.
Watch all aspects of your Exchange environment from a single pane of glass: client access, mailbox, and Edge servers; DAGs and databases; network, DNS, and Active Directory connectivity; Outlook, ActiveSync, and EWS client access.
Nathan is a five time former Microsoft MVP and he specializes in Exchange, Microsoft 365, Active Directory, and cloud identity and security.