Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021
Microsoft has released a set of out-of-band security updates for vulnerabilities in the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Security updates are available for the following specific versions of Exchange:
IMPORTANT: If you are installing the security updates manually, you must run the .msp from an elevated command prompt (see the Known Issues section in the update KB articles).
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
- NEW! Security Updates for older Cumulative Updates of Exchange Server (the list is now finalized)
Because we are aware of active exploitation of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.
The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
For more information, please see the Microsoft Security Response Center (MSRC) blog.
For technical details of these exploits and how to detect them, please see HAFNIUM Targeting Exchange Servers. A scripted version of this check is available on GitHub here.
Mitigations, investigation and remediation:
Are there any mitigations I can implement right now?
The MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 explains the individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available. These mitigations are an interim measure for servers that cannot be patched immediately; they are not a substitute for installing the Security Updates.
How can I tell if my servers have already been compromised?
Information on Indicators of Compromise (IOCs), such as what to search for and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. A scripted version of these checks is available on GitHub here.
More information about investigations
To aid defenders investigating these attacks in environments where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is shared as TLP:WHITE and is available on GitHub in both CSV format and JSON format.
What about remediation?
The MSTIC team updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 on March 6th to note that the Microsoft Support Emergency Response Tool (MSERT) has been updated to scan Microsoft Exchange Server. Please download a fresh copy of MSERT each time you run it, as the tool is updated regularly. Please also see the MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.
Installing and troubleshooting updates:
Does installing the March Security Updates require my servers to be up to date?
Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running an older Exchange Server cumulative or rollup update, we recommend installing a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.
How can I get an inventory of the update-level status of my on-premises Exchange servers?
You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
Which of my servers should I update first?
Exploitation of the security vulnerabilities addressed in these fixes requires an untrusted connection to the Exchange server over HTTPS (TCP 443). Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment. Servers reachable only from the internal network are still exploitable by anyone who can reach port 443 on them, so they must be updated as well.
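The two questions above (what build is each server on, and which servers are published externally) can be answered from the Exchange Management Shell. The script below is an added example for this page, not code from the original post or from the Health Checker project. It reads the build of ExSetup.exe on each server, which changes when an SU is installed (AdminDisplayVersion only reflects the CU), and flags servers that have an ExternalUrl on their OWA or ECP virtual directories as a heuristic for "published to the Internet". It assumes PowerShell remoting is allowed to each server and that the ExchangeInstallPath environment variable exists there (Exchange setup sets it).

```powershell
# Added example: build inventory plus Internet-facing heuristic for patch ordering.
# Not from the original post. Run from the Exchange Management Shell.

function Get-ExchangeBuildInventory {
    foreach ($srv in Get-ExchangeServer) {
        # Exact build (e.g. 15.1.2176.9), read from the server's own ExSetup.exe.
        # SUs bump this file version; AdminDisplayVersion stays at the CU build.
        $build = Invoke-Command -ComputerName $srv.Fqdn -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')).VersionInfo.ProductVersion
        }
        if (-not $build) { $build = 'unreachable' }

        # Heuristic for "published to the Internet": an OWA or ECP virtual directory
        # with an ExternalUrl. Confirm against your firewall/publishing rules.
        $vdirs = @(Get-OwaVirtualDirectory -Server $srv.Name -ADPropertiesOnly -ErrorAction SilentlyContinue) +
                 @(Get-EcpVirtualDirectory -Server $srv.Name -ADPropertiesOnly -ErrorAction SilentlyContinue)
        $external = @($vdirs | Where-Object { $_.ExternalUrl })

        [pscustomobject]@{
            Server              = $srv.Name
            Role                = $srv.ServerRole
            AdminDisplayVersion = $srv.AdminDisplayVersion.ToString()
            ExSetupBuild        = $build
            InternetFacing      = ($external.Count -gt 0)
            ExternalUrls        = (($external | ForEach-Object { $_.ExternalUrl.ToString() } | Sort-Object -Unique) -join '; ')
        }
    }
}

# Internet-facing servers sort to the top: patch those first, then the rest.
Get-ExchangeBuildInventory |
    Sort-Object -Property @{ Expression = 'InternetFacing'; Descending = $true }, Server |
    Format-Table -AutoSize
```

Compare the ExSetupBuild column against the build numbers listed in the SU KB articles for your CU; a server whose ExSetup.exe still shows the CU's original build has not had the SU applied, whatever AdminDisplayVersion says.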
Will the installation of the Security Updates take as long as installing an RU/CU?
Installation of a Security Update does not take as long as installing a CU or RU, but Exchange services are stopped while it installs, so you will need to plan for some downtime.
My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?
Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the smoothest upgrade (and because in many organizations the Exchange and Active Directory administration roles are separate), you may wish to run Setup with /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.
Errors during or after Security Update installation! Help!
It is extremely important to read the Known Issues section in the Security Update KB article (here and here, depending on the version). If you are installing the update manually, you must run it from an elevated command prompt. If you see unexpected behavior, check the article on troubleshooting failed installations of Exchange security updates (we will keep updating this article).
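The elevation requirement is easy to miss when an .msp is launched by double-clicking it. The function below is an added example for this page, not code from the original post or the KB articles: it refuses to proceed unless the current process already holds the Administrator token, applies the patch through msiexec with a verbose log, and reports the ExSetup.exe build before and after so the result can be confirmed. An elevated PowerShell window is equivalent to the elevated command prompt the KB articles ask for. The .msp path is a placeholder; use the SU file downloaded for your exact CU.

```powershell
# Added example: install an Exchange SU .msp from an elevated process with logging.
# Not from the original post. The .msp path is a placeholder.

function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)] [string] $MspPath,
        [string] $LogDir = "$env:SystemDrive\ExchangeSUInstall"
    )

    # Known Issues in the SU KB articles: a non-elevated install can leave Exchange
    # partially updated. Fail fast unless this process is already elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Run as administrator) PowerShell or CMD window.'
    }
    if (-not (Test-Path -LiteralPath $MspPath)) {
        throw "Update file not found: $MspPath"
    }

    # ExSetup.exe's file version is the build that an SU changes.
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    $before  = (Get-Item $exsetup).VersionInfo.ProductVersion

    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    $log = Join-Path $LogDir ('{0}-{1:yyyyMMdd-HHmmss}.log' -f (Split-Path $MspPath -Leaf), (Get-Date))

    # msiexec /update applies a patch (.msp). /qn: no UI. /norestart: you choose
    # when to reboot. /L*v: verbose Windows Installer log for troubleshooting.
    $proc = Start-Process -FilePath 'msiexec.exe' -Wait -PassThru -ArgumentList @(
        '/update', "`"$MspPath`"", '/qn', '/norestart', '/L*v', "`"$log`""
    )

    $after = (Get-Item $exsetup).VersionInfo.ProductVersion
    [pscustomobject]@{
        ExitCode       = $proc.ExitCode                 # 0 = success, 3010 = success, reboot required
        RebootRequired = ($proc.ExitCode -eq 3010)
        BuildBefore    = $before
        BuildAfter     = $after
        Log            = $log
    }
}

# Example call; the file name is a placeholder for the SU matching your CU.
# Install-ExchangeSecurityUpdate -MspPath 'C:\Updates\Exchange2016-KBnnnnnnn-x64-en.msp'
```

If BuildAfter equals BuildBefore or the exit code is non-zero, open the verbose log named in the Log column before retrying; the troubleshooting article linked above walks through the common failure patterns.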
Additional Q&A:
Are there any other resources that you can recommend?
The Microsoft Defender Security Research Team has published a related blog post, Defending Exchange servers under attack, which covers general practices for detecting malicious activity on your Exchange servers and improving your security posture.
My organization is in Hybrid with Exchange Online. Do I need to do anything?
While these security updates do not apply to Exchange Online / Office 365, you still need to apply them to your on-premises Exchange servers, even if those servers are used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) if you are using it.
Do we need to install those updates on Management Tools only workstations or servers?
Machines with only the Management Tools installed are not impacted (no Exchange services are installed on them) and do not require the March SUs. Note that the 'management server' many of our Hybrid customers keep (an Exchange server kept on premises to run Exchange management tasks) is different: it is a full Exchange server and must be updated. For Hybrid, please see the Hybrid question above.
The last Exchange 2016 and Exchange 2019 CUs were released in December 2020. Are new CUs releasing in March 2021?
EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released, and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed the SUs for older E2016/2019 CUs can simply update to the new CUs and will stay protected.
Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?
No. After performing code reviews, we can state that the code that begins the attack chain (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it does not include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.
Major updates to this post:
- 3/19/2021: Added a link to Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
- 3/17/2021: Removed the mention of CompareExchangeHashes.ps1 script (deprecated). Added a Q&A pair for Management Tools only machines.
- 3/16/2021: Added a note about Exchange 2016 CU 20 and Exchange 2019 CU 9
- 3/15/2021: Added a link to One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT)
- 3/12/2021: Added a Q&A pair for Exchange 2003/2007
- 3/11/2021: Added a note about final list of SU releases for out of support CUs
- 3/10/2021: Added a note that the MSERT tool should be downloaded often as it gets updated regularly
- 3/9/2021: Added a link to ExchangeMitigations.ps1 mitigation script and CompareExchangeHashes.ps1 file hashes check script.
- 3/8/2021: Added a link about Updates for older Cumulative Updates of Exchange Server and information about a feed of observed indicators of compromise (IOCs).
- 3/8/2021: Added a link to the guide that can help with steps that need to be taken to get current and update
- 3/8/2021: Added a note about elevated CMD prompt installation of .msp files
- 3/7/2021: Reorganized information to make it easier to navigate
- 3/6/2021: Added information about MSERT tool to help with remediation
- 3/6/2021: linked to an article about troubleshooting failed installations of Exchange security updates
- 3/5/2021: linked to the new MSTIC blog post on Vulnerability Mitigations
The Exchange Team
You Had Me at EHLO.