With the HAFNIUM experience still fresh in mind, we are a bit worried about other vulnerabilities and security updates for Exchange. The last two weeks there were rumors about new vulnerabilities in Exchange.
On April 13, 2021 Microsoft released new and urgent security updates for Exchange server 2013, 2016 and 2019 that addresses four Remote Code vulnerabilities:
A couple of remarks regarding these security updates:
No exploits have been detected for these vulnerabilities so far. But the bad guys do reverse engineering on these updates so they will find out quickly how to build an exploit. No username/password is required, so it is not that difficult to break into an Exchange server once the exploit is available. Patch your Exchange servers as soon as possible.
You MUST start the Security Update from a command prompt with elevated privileges. If you do not start with elevated privileges, erratic errors will occur after the update has completed. When installing from Windows Update or WSUS you can use the standard deployment.
The Security Updates are specific for a Cumulative Update. You cannot install a Security Update for CU9 on Exchange 2019 CU8 for example.
This Security Update contains all previous Security Updates for this specific Cumulative Update.
Exchange Online is not vulnerable because of its different architecture. Exchange Online uses a different codebase than Exchange on-premises.
Previous mitigation measures from last month regarding the hafnium vulnerabilities do not work against these vulnerabilities.
Use the Exchange Server Health Checker script (available from Microsoft Github) for an inventory of your Exchange environment. The script will return if any servers are behind with Cumulative Updates and Security Updates.
Exchange Security Patch: ENow can help you track your progress
Do you have numerous Exchange servers that need to be patched? Understanding the version and patch you are currently running enables you to access the security risk in your environment and ensure the patch was successfully installed. The Exchange version report simply returns back the information needed to understand what version your servers are running and if the security patch was successful.
PS -don’t forget to reboot your server after applying the patch).
Jaap is a Microsoft MVP for Office Apps and Services. Jaap is an independent consultant, primarily focusing on Exchange server, Skype for Business and Office 365.