Here we did the following...
Ran the Test-ProxyLogin. All clean.
Ran the Anchor Mailbox check. All clean.
Ran MSERT. All clean.
Went through blog after blog and checked for .aspx. All clean.
Upgraded 2016 CU8 to CU19. No problems.
Applied KB5000871 as elevated command prompt. All good.
Now, we are running the EOMT script. So far, the following output shows that our servers are...
"not vulnerable: mitigation not needed"
It would seem we are okay, or so I thought. Further review of the EOMTSummary says....
Microsoft Safety Scanner and CVE-2021-26855 mitigation summary
Message: Microsoft attempted to mitigate and protect your Exchange server from CVE-2021-26855 and clear malicious files.
For more information on these vulnerabilities please visit https://aka.ms/Exchangevulns. This attempt was successful.
Please review locations and files as soon as possible and take the recommended action.
Microsoft saved several files to your system to "C:\Users\user\AppData\Local\Temp\msert". The only files that should be present in this directory are:
a - msert.exe
b - EOMT.log
c - RewriteModuleInstall.log
d - one of the following IIS URL rewrite MSIs:
rewrite_amd64_[de-DE,en-US,es-ES,fr-FR,it-IT,ja-JP,ko-KR,ru-RU,zh-CN,zh-TW].msi
rewrite_ x86_[de-DE,es-ES,fr-FR,it-IT,ja-JP,ko-KR,ru-RU,zh-CN,zh-TW].msi
rewrite_x64_[de-DE,es-ES,fr-FR,it-IT,ja-JP,ko-KR,ru-RU,zh-CN,zh-TW].msi
rewrite_2.0_rtw_x86.msi
rewrite_2.0_rtw_x64.msi
1 - Confirm the IIS URL Rewrite Module is installed. This module is required for the mitigation of CVE-2021-26855, the module and the configuration (present or not) will not impact this system negatively.
a - If installed, Confirm the following entry exists in the "C:\inetpub\wwwroot\web.config". If this configuration is not present, your server is not mitigated. This may have occurred if the module was not successfully installed with a supported version for your system.
<system.webServer>
<rewrite>
<rules>
<rule name="X-AnonResource-Backend Abort - inbound">
<match url=".*" />
<conditions>
<add input="{{HTTP_COOKIE}}" pattern="(.*)X-AnonResource-Backend(.*)" />
</conditions>
<action type="AbortRequest" />
</rule>
<rule name="X-BEResource Abort - inbound" stopProcessing="true">
<match url=".*" />
<conditions>
<add input="{{HTTP_COOKIE}}" pattern="(.*)X-BEResource=(.+)/(.+)~(.+)" />
</conditions>
<action type="AbortRequest" />
</rule>
</rules>
</rewrite>
</system.webServer>
In that directory, only MSERT and the EOMT log are there.
Further examination of C:\inetpub\wwwroot\web.config shows that the entry described in the IIS Re-write is not there, therefore, as explained, "If this configuration is not present, your server is not mitigated."
So are we mitigated? Are we not? What did I miss? I thought I followed all the guidelines but there is so much information in so many places, I'm looking for some relief.
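
The web.config check that the EOMT summary above asks for, written as an added PowerShell example; it is not part of the original post or of Microsoft's EOMT script. The function name `Test-EomtRewriteRule` and its `-Path` parameter are hypothetical, and the default path and rule names are the ones quoted in the summary.

```powershell
# Added example (hypothetical helper, not from EOMT): report whether the two
# URL Rewrite rules quoted in the EOMT summary are present in a web.config.
function Test-EomtRewriteRule {
    param(
        # Default is the path named in the EOMT summary.
        [string]$Path = 'C:\inetpub\wwwroot\web.config'
    )

    # Rule name -> cookie marker that its condition pattern must contain,
    # both copied from the summary text.
    $expected = [ordered]@{
        'X-AnonResource-Backend Abort - inbound' = 'X-AnonResource-Backend'
        'X-BEResource Abort - inbound'           = 'X-BEResource='
    }

    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }
    $config = [xml](Get-Content -LiteralPath $Path -Raw -ErrorAction Stop)

    foreach ($name in $expected.Keys) {
        $marker = $expected[$name]
        # XPath is case-sensitive, so the name must match the summary exactly.
        $rule = $config.SelectSingleNode("//rewrite/rules/rule[@name='$name']")
        $aborts = $false
        $matchesCookie = $false

        if ($null -ne $rule) {
            $action = $rule.SelectSingleNode('action')
            $aborts = ($null -ne $action) -and
                      ($action.GetAttribute('type') -eq 'AbortRequest')
            foreach ($cond in $rule.SelectNodes('conditions/add')) {
                if ($cond.GetAttribute('pattern').Contains($marker)) {
                    $matchesCookie = $true
                }
            }
        }

        # One result object per expected rule.
        [pscustomobject]@{
            Rule          = $name
            Found         = ($null -ne $rule)
            AbortsRequest = $aborts
            CookiePattern = $matchesCookie
        }
    }
}

Test-EomtRewriteRule | Format-Table -AutoSize
```

A rule counts as in place only when all three columns read True; a row with `Found` False means that rule is absent from the file that was checked.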