Hello Microsoft,
Thank you for the past 20+ years; we loved Exchange and SQL. But the last few months/years? You are forcing us to M365 or, worse for both of us, to something else.
Update: 16.03.2023
CVE-2023-23397 is an Outlook bug. If you send an incoming e-mail for an appointment with a custom reminder (sound, attribute PidLIDReminder), then Outlook.exe (2012/2016) will try to fetch the sound file via SMB, even from an external share (not looking at site zones in IE/Edge/System). If port 445 is open to that destination, the system will send an NTLM hash outside your network. As we understand it, most existing AV solutions for on-premise Exchange currently can't scan that attribute PidLIDReminder (Trend, Trellix Security for Exchange). That is why the MS Exchange team supplied the script.
Just to clarify things a little bit, from a heavy on-premise Exchange IT service company, so everyone understands correctly:
PRIO1 is to install the Outlook.exe patch and reboot clients, and also to make sure customers don't have SMB open to external connections (we forgot laptops remotely connected with split VPN).
PRIO2 is FORENSIC: to find out if you have received such e-mails and hopefully prevent them from being delivered to Outlook.exe. You can also fix the ones that have already arrived. If you are on-premise, check if your Exchange AV solution can search for the attribute (you have everything set up there and drilled down to search all).
SCRIPT: We only recommend doing this for people who have experience with such commands, for example from integrating an archive solution or a mobile device management (MDM) solution. You may also have to consult with your in-house legal/compliance team, because you are granting someone full access to your CEO's and board's e-mails, as far as I understood (I did not check the script in detail).
https://microsoft.github.io/CSS-Exchange/Security/CVE-2023-23397/
You provide an SOP and a script that does forensic analysis and searches for IOCs:
* Generate an unlimited (full-speed) throttling policy for a group or user (such as an MDM master account or an account that feeds a legal archive solution).
* Generate a rule so that a user has full access to every e-mail, calendar item, etc. stored in the Exchange environment (Application Impersonation / https://learn.microsoft.com/en-us/exchange/client-developer/exchange-web-services/impersonation-and-ews-in-exchange).
* Scan all e-mails, or at least some days backward, because Ukraine was attacked with that in 03/2022, so for one year? Or was that information incorrect?
* There is an audit mode and one that does change things in the e-mail.
Based on past experience, and the fact that it changes things: does this work with Exchange and OS languages in Germany, Italy, Europe, Asia, and not only on US servers? We have encountered language issues in the past with such scripts, from NT4 to cloud (public folder tools, WSUS scripts, etc.).
For M365 and your side: why is there so much focus in the script on running against Exchange Online mailboxes if your customers were not affected? Or was M365 also affected since that date back in 2022, and you did not know?
Greetings from Switzerland
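The two client-side actions the post puts under PRIO1 and PRIO2 (block outbound SMB from the client, and triage reminder-sound paths found in calendar items), as an added PowerShell example. This is not part of the post and not Microsoft's CVE-2023-23397 script. The sample property values, host names and the firewall rule name are constructed; Get-SuspiciousReminderPath only classifies strings you have already extracted from mailbox items (it does not talk to Exchange), and Add-OutboundSmbBlockRule uses the built-in NetSecurity cmdlets, so it must be run elevated.

```powershell
# Added example (not the post's or Microsoft's code). All names and sample data are constructed.

# 1) Triage: given reminder-sound path values (PidLIDReminder in the post's wording) pulled
#    from calendar items, return those that would make Outlook reach a remote host over SMB.
#    Anything starting with \\ or // whose host is not on the trusted list is flagged;
#    local paths such as C:\Windows\Media\... are ignored.
function Get-SuspiciousReminderPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$ReminderPath,
        [string[]]$TrustedHost = @()   # internal file servers you expect to see, if any
    )
    foreach ($p in $ReminderPath) {
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        # UNC form: \\host\share\file.wav or //host/share/file.wav
        if ($p -match '^(\\\\|//)(?<host>[^\\/]+)[\\/]') {
            $h = $Matches['host']
            if ($TrustedHost -notcontains $h) {
                [pscustomobject]@{ Path = $p; RemoteHost = $h; Reason = 'UNC path to untrusted host' }
            }
        }
    }
}

# 2) Containment on the client: block outbound TCP 445 to public IPv4 space on every firewall
#    profile. Being host-based, the rule also applies to laptops on a split-tunnel VPN, the case
#    the post says was forgotten.
function Add-OutboundSmbBlockRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Name = 'Block outbound SMB to public IPv4 (CVE-2023-23397 mitigation)')
    # Public IPv4 written as the complement of RFC 1918 (illustrative; it also covers loopback,
    # link-local and CGNAT space, which you may want to carve out in production).
    $publicRanges = @(
        '1.0.0.0-9.255.255.255',
        '11.0.0.0-172.15.255.255',
        '172.32.0.0-192.167.255.255',
        '192.169.0.0-223.255.255.255'
    )
    if (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$Name' already exists; nothing to do."
        return
    }
    if ($PSCmdlet.ShouldProcess($Name, 'New-NetFirewallRule')) {
        New-NetFirewallRule -DisplayName $Name -Direction Outbound -Protocol TCP -RemotePort 445 `
            -RemoteAddress $publicRanges -Action Block -Profile Domain,Private,Public -Enabled True
    }
}

# Constructed sample of property values as a mailbox scan might return them.
$sample = @(
    '\\203.0.113.7\sounds\alert.wav',          # external IP: should be flagged
    '\\fs01.corp.example\media\ding.wav',      # trusted internal server: not flagged
    'C:\Windows\Media\Alarm01.wav',            # local file: not flagged
    '//198.51.100.20/s/ping.wav'               # forward-slash UNC to external IP: flagged
)
Get-SuspiciousReminderPath -ReminderPath $sample -TrustedHost 'fs01.corp.example' | Format-Table -AutoSize

# Dry run of the firewall change; drop -WhatIf in an elevated session to apply it.
Add-OutboundSmbBlockRule -WhatIf
```

Two caveats a practitioner would check: the firewall rule only stops the SMB leg, so a reminder path that Outlook can reach over another transport is not covered by it, and the classifier is only as good as the property values you feed it, so extract them from the calendar items themselves (the post's PRIO2 step), not from message bodies.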