Reference: Microsoft Security Response Center
This week, Microsoft released multiple out-of-band security patches for Microsoft Exchange Server to address vulnerabilities that have been used in limited targeted attacks. Exchange Online is not affected. Due to the critical nature of these vulnerabilities, Microsoft recommends that customers apply the updates to affected systems immediately to protect against these exploits and to prevent future abuse across the ecosystem.
The versions impacted are:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Microsoft Exchange Server 2010 is being updated for Defense in Depth purposes.
These vulnerabilities are used as part of an attack chain. The initial attack requires the ability to make an untrusted connection to the Exchange server on port 443. This can be protected against by restricting untrusted connections, or by setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack; other portions of the chain can be triggered if an attacker already has access or can convince an administrator to run a malicious file.
Microsoft recommends prioritizing installing updates on Exchange Servers that are externally facing. All affected Exchange Servers should ultimately be updated.
Security updates are available for the following specific versions of Exchange:
- Exchange Server 2010 (update requires Service Pack 3 – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
Helpful Resources
- Hafnium Targeting Exchange
- Microsoft on the Issues
- Exchange Team Blog
- CVE-2021-26855
- CVE-2021-26857
- CVE-2021-26858
- CVE-2021-27065
- Not related to known attacks
FAQs
Does installing the March Security Updates require my servers to be up to date?
- Microsoft shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running an older Exchange Server cumulative or rollup update, you will need to install a currently supported RU/CU before you can install the security updates.
How can I get an inventory of the update-level status of my on-premises Exchange servers?
- You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
What is the order of installation for the Security Updates mentioned here?
- Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.
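The Health Checker script mentioned above is the supported way to check update level; as a lighter-weight companion for the inventory and prioritization questions, the following PowerShell, added here and not part of the MSRC post or any Microsoft tool, builds a list of on-premises servers, maps each to its Exchange product line, flags servers that publish OWA externally (a heuristic based on a configured ExternalUrl, which is an assumption, not a definitive measure of Internet exposure), and sorts the externally published ones to the top so they are patched first. Because AdminDisplayVersion reflects the CU level but not whether a Security Update is installed, the script also reads the ExSetup.exe file version on each server, which SUs do change. Run it from the Exchange Management Shell; the function name and the ExSetup lookup are this example's own choices.

```powershell
# Added example (not from the MSRC post). Inventories on-premises Exchange servers so
# Internet-facing ones can be patched first, as the advisory recommends.
function Get-ExchangePatchInventory {
    [CmdletBinding()]
    param()

    # Map AdminDisplayVersion major.minor to the product lines named in the advisory.
    $productByVersion = @{
        '14.3' = 'Exchange Server 2010'
        '15.0' = 'Exchange Server 2013'
        '15.1' = 'Exchange Server 2016'
        '15.2' = 'Exchange Server 2019'
    }

    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion renders as "Version 15.2 (Build 792.3)" in EMS; parse it as text.
        $versionText = "$($server.AdminDisplayVersion)"
        $major = $minor = $build = $rev = $null
        if ($versionText -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
            $major, $minor, $build, $rev = $Matches[1..4]
        }
        $product = $productByVersion["$major.$minor"]
        if (-not $product) { $product = "Unknown ($versionText)" }

        # Heuristic (assumption): an OWA virtual directory with an ExternalUrl set suggests
        # the server is published to the Internet and should be patched first.
        $owaExternal = Get-OwaVirtualDirectory -Server $server.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.ExternalUrl } | Select-Object -First 1
        $published = [bool]$owaExternal

        # SU installs update ExSetup.exe but not AdminDisplayVersion, so read the file
        # version remotely. Failure (e.g. WinRM blocked) is recorded rather than fatal.
        $exSetupVersion = try {
            Invoke-Command -ComputerName $server.Fqdn -ErrorAction Stop -ScriptBlock {
                $path = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
                (Get-Item $path).VersionInfo.FileVersion
            }
        } catch { "unavailable: $($_.Exception.Message)" }

        [pscustomobject]@{
            Server              = $server.Name
            Product             = $product
            CuBuild             = "$major.$minor.$build.$rev"
            ExSetupFileVersion  = $exSetupVersion
            ExternallyPublished = $published
            OwaExternalUrl      = if ($owaExternal) { $owaExternal.ExternalUrl } else { '' }
        }
    }
}

# Externally published servers first, then the rest, matching the recommended patch order.
Get-ExchangePatchInventory |
    Sort-Object -Property @{ Expression = 'ExternallyPublished'; Descending = $true }, Product, Server |
    Format-Table -AutoSize
```

Compare the CuBuild column against the CU prerequisites listed above (CU 23 for 2013, CU 18 or 19 for 2016, CU 7 or 8 for 2019) before attempting the SU, and compare ExSetupFileVersion against the SU build number in the relevant Microsoft KB to confirm the update actually landed; a server that reports a current CU but a pre-SU ExSetup version has not been patched.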
Will the installation of the Security Updates take as long as installing an RU/CU?
- Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.
The last Exchange 2016 and Exchange 2019 CUs were released in December of 2020. Are new CUs releasing in March 2021?
- Microsoft is on schedule to release Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 in March 2021 and those CUs will contain the Security Updates mentioned here (along with other fixes). Our strong recommendation is to install security updates immediately.
How can I tell if my servers have already been compromised?
- Information on Indicators of Compromise (IOCs), such as what to search for and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers.
Are there any other resources that you can recommend?
- Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.
My organization is in Hybrid with Exchange Online. Do I need to do anything?
- While those security updates do not apply to Exchange Online / Office 365, you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only.
Source: Microsoft Security Response Center
https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/