How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed

Published Aug 05 2021 12:54 PM 24.9K Views

In this blog post, we want to address two scenarios customers have asked us about the Active Directory schema vulnerability detailed in our July 2021 security update announcement.

Note: This blog post does not apply to customers who are in an Exchange Online hybrid configuration. Hybrid customers should follow the instructions in the July 2021 Security Update announcement to update their Active Directory schema.

Without explicit action by a schema admin in your organization, you might be vulnerable to CVE-2021-34470 if:

  • You ran Exchange Server in the past, but you have since uninstalled all Exchange servers.
  • You still run Exchange Server, but only versions older than Exchange 2013 (namely, Exchange 2003, Exchange 2007 and/or Exchange 2010).

If your organization is in one of these scenarios, we recommend the following to update your Active Directory schema to address the vulnerability in CVE-2021-34470:

  • Download the script Test-CVE-2021-34470.ps1 from GitHub and use it to apply the needed schema update; please note the script requirements on the GitHub page.

Even if your organization has uninstalled all your Exchange servers, the schema extensions made by Exchange to your Active Directory are not removed. If you ran Exchange Server in the past, your Active Directory schema was extended as a part of Exchange Server installation, and any Exchange schema extensions are still present in your organization (unless you completely rebuilt your Active Directory forest). Therefore, you might be vulnerable to CVE-2021-34470, and you should use the script to address this vulnerability.

The script makes only the change needed to address CVE-2021-34470, and no other schema changes are made. You can run the script in Test mode to see if your Active Directory schema is vulnerable to CVE-2021-34470. The script will also provide validation that CVE-2021-34470 is addressed if you have already updated your schema.

The Exchange Team

9 Comments
Occasional Visitor

Hi,
thanks for the script !

It worked well on an english DC (Server 2019),

but not on other DCs with German GUI

On Windows Servers older than 2016, it is not easy to change the Windows language

 

Cannot index into a null array.
At C:\SETUP\CVE-2021-34470_Exchange\Test-CVE-2021-34470.ps1:55 char:92
+ $schemaMaster = (netdom query fsmo | Select-String "Schema master\s+(\S+)").Matches.Groups[ <<<< 1].Value
+ CategoryInfo : InvalidOperation: (1:Int32) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : NullArray

 

Thank you anyway

Michel

Occasional Visitor

Hello again,

the script breaks on Line 55 because it uses the absolute String Schema master

On German (de-DE) Windows machines this String should be Schemamaster

The String for other languages can be found by manualy executing NETDOM QUERY FSMO

Once line 55 executes, the script will work better

And perhaps, when using the -ApplyFix parameter, on line 91, Group at the end of the line has to be replaced with Gruppe

Thanks anyway for your great work !

Michel

Occasional Visitor

Hello again,

to let the script work on a DC with Windows 2008 R2, when using the -ApplyFix parameter

on line 91, sls should be replace with Select-String

Michel

Microsoft

@SoPy As with other GitHub scripts, it is best to report issues by opening an issue in GitHub; I will let the team know!

Microsoft

@SoPy All the above issues are fixed in the release that just went up:

 

* Language-agnostic check for Schema Master FSMO role

* sls is expanded to Select-String (our build process is supposed to catch the use of aliases, so not sure how that one slipped through)

* Schema Admins check is taken out entirely. Now we just attempt it, and if it fails, we display a message reminding that you need Schema Admin.

 

Thanks for letting us know!

Regular Visitor

If we have both 2010 and 2016 (with the most recent CU) in the forest are we vulnerable or does the latest CU for 2016 take care of this update?  We recently (last week) introduced the first 2016 Exchange server to our environment but still have a few 2010 servers.  

Microsoft

@Mike Celone As long as you applied CU21 for 2016, then this vulnerability is already fixed.

Senior Member

Hi,

Ran the script and it indeed found and fixed this vulnerability within our AD schema (we got rid of Exchange years ago).  After running repadmin /showreps /verbose I get the following error.  Any thoughts on this one?  Will this self correct after some time?  Thanks

 

CN=Schema,CN=Configuration,DC=our-domain,DC=com
Default-First-Site-Name\SVRDC19 via RPC
DSA object GUID: 542dfa59-2fed-4cb0-8108-fd1466060fa8
Address: 542dfa59-2fed-4cb0-8108-fd1466060fa8._msdcs.our-domain.com
DSA invocationID: dd5caf24-c7f2-4918-9371-6444ec14a7a8
SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
USNs: 11511636/OU, 11511636/PU
Last attempt @ 2021-08-06 15:08:17 was delayed for a normal reason, result 8542 (0x215e):
Schema information could not be included in the replication request.
Last success @ 2021-08-06 14:52:08.

Regular Visitor

@Cbsykes1 ,

I think you have problems with replication with others DC.

%3CLINGO-SUB%20id%3D%22lingo-sub-2617083%22%20slang%3D%22en-US%22%3EHow%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2617083%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20blog%20post%2C%20we%20want%20to%20address%20two%20scenarios%20customers%20have%20asked%20us%20about%20the%20Active%20Directory%20schema%20vulnerability%20detailed%20in%20our%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-july-2021-exchange-server-security-updates%2Fba-p%2F2523421%22%20target%3D%22_blank%22%3EJuly%202021%20security%20update%20announcement%3C%2FA%3E%3CSPAN%3E.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%20style%3D%22background%3A%20%23F0F0F0%3B%20padding%3A%20.5em%3B%20margin%3A%201em%200%201em%200%3B%22%3E%3CSTRONG%3ENote%3A%3C%2FSTRONG%3E%20This%20blog%20post%20does%20not%20apply%20to%20customers%20who%20are%20in%20an%20Exchange%20Online%20hybrid%20configuration.%20Hybrid%20customers%20should%20follow%20the%20instructions%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fexchange-team-blog%2Freleased-july-2021-exchange-server-security-updates%2Fba-p%2F2523421%22%20target%3D%22_blank%22%3EJuly%202021%20Security%20Update%20announcement%3C%2FA%3E%20to%20update%20their%20Active%20Directory%20schema.%3C%2FP%3E%0A%3CP%3EWithout%20explicit%20action%20by%20a%20schema%20admin%20in%20your%20organization%2C%20you%20might%20be%20vulnerable%20to%20%3CA%20href%3D%22https%3A%2F%2Fmsrc.microsoft.com%2Fupdate-guide%2Fvulnerability%2FCVE-2021-34470%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ECVE-2021-34470%3C%2FA%3E%20if%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EYou%20ran%20Exchange%20Server%20in%20the%20past%2C%20but%20you%20have%20since%20uninstalled%20%3CEM%3Eall%3C%2FEM%3E%20Exchange%20servers.%3C%2FLI%3E%0A%3CLI%3EYou%20still%20run%20Exchange%20Server%2C%20but%20only%20versions%20older%20than%20Exchange%202013%20(namely%2C%20Exchange%202003%2C%20Exchange%202007%20and%2For%20Exchange%202010).%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EIf%20your%20organization%20is%20in%20one%20of%20these%20scenarios%2C%20we%20recommend%20the%20following%20to%20update%20your%20Active%20Directory%20schema%20to%20address%20the%20vulnerability%20in%20CVE-2021-34470%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3EDownload%20the%20script%20%3CA%20href%3D%22https%3A%2F%2Fmicrosoft.github.io%2FCSS-Exchange%2FSecurity%2FTest-CVE-2021-34470%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3ETest-CVE-2021-34470.ps1%3C%2FA%3E%20from%20GitHub%20and%20use%20it%20to%20apply%20the%20needed%20schema%20update%3B%20please%20note%20the%20script%20requirements%20on%20the%20GitHub%20page.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EEven%20if%20your%20organization%20has%20uninstalled%20all%20your%20Exchange%20servers%2C%20the%20schema%20extensions%20made%20by%20Exchange%20to%20your%20Active%20Directory%20are%20%3CEM%3Enot%3C%2FEM%3E%20removed.%20If%20you%20ran%20Exchange%20Server%20in%20the%20past%2C%20your%20Active%20Directory%20schema%20was%20extended%20as%20a%20part%20of%20Exchange%20Server%20installation%2C%20and%20any%20Exchange%20schema%20extensions%20are%20still%20present%20in%20your%20organization%20(unless%20you%20completely%20rebuilt%20your%20Active%20Directory%20forest).%20Therefore%2C%20you%20might%20be%20vulnerable%20to%20CVE-2021-34470%2C%20and%20you%20should%20use%20the%20script%20to%20address%20this%20vulnerability.%3C%2FP%3E%0A%3CP%3EThe%20script%20makes%20%3CEM%3Eonly%3C%2FEM%3E%20the%20change%20needed%20to%20address%20CVE-2021-34470%2C%20and%20no%20other%20schema%20changes%20are%20made.%20You%20can%20run%20the%20script%20in%20Test%20mode%20to%20see%20if%20your%20Active%20Directory%20schema%20is%20vulnerable%20to%20CVE-2021-34470.%20The%20script%20will%20also%20provide%20validation%20that%20CVE-2021-34470%20is%20addressed%20if%20you%20have%20already%20updated%20your%20schema.%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22author%22%3EThe%20Exchange%20Team%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-2617083%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20blog%20post%2C%20we%20want%20to%20address%20how%20to%20update%20Exchange%20schema%20for%26nbsp%3BCVE-2021-34470%20even%20if%20Exchange%20is%20not%20installed%20anymore%2C%20or%20is%20older%20than%20Exchange%202013.%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2617083%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EExchange%202007%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EExchange%202010%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ETips%20'n%20Tricks%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2619629%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2619629%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3CBR%20%2F%3Ethanks%20for%20the%20script%20!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20works%20well%20on%20an%20DC%20(Server%202019)%2C%3C%2FP%3E%3CP%3Ebut%20not%20on%20a%20DC%20(Server%202012%20R2)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-powershell%22%3E%3CCODE%3ECannot%20index%20into%20a%20null%20array.%0AAt%20C%3A%5CSETUP%5CCVE-2021-34470_Exchange%5CTest-CVE-2021-34470.ps1%3A55%20char%3A92%0A%2B%20%24schemaMaster%20%3D%20(netdom%20query%20fsmo%20%7C%20Select-String%20%22Schema%20master%5Cs%2B(%5CS%2B)%22).Matches.Groups%5B%20%26lt%3B%26lt%3B%26lt%3B%26lt%3B%201%5D.Value%0A%2B%20CategoryInfo%20%3A%20InvalidOperation%3A%20(1%3AInt32)%20%5B%5D%2C%20ParentContainsErrorRecordException%0A%2B%20FullyQualifiedErrorId%20%3A%20NullArray%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENot%20all%20DCs%20in%20this%20world%20are%20running%20Server%202016%20or%202019%3C%2FP%3E%3CP%3ECould%20you%20please%20test%20your%20script%20on%20Server%202012%20R2%2C%20which%20is%20still%20supported%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance%3C%2FP%3E%3CP%3EMichel%20Py%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2619693%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2619693%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20again%2C%3C%2FP%3E%3CP%3Eon%20another%20DC%20with%20Server%202012%20R2%3C%2FP%3E%3CP%3Ethe%20script%20breaks%20on%20Line%2055%26nbsp%3Bbecause%20it%20uses%20the%20absolute%20String%20%22Schema%20master%22%3C%2FP%3E%3CP%3EOn%20German%20(de-DE)%20Windows%20Machines%20the%20String%20should%20be%20%22Schemamaster%22%3C%2FP%3E%3CP%3EThe%20correct%20String%20for%20other%20languages%20can%20be%20found%20by%20manualy%20executing%20NETDOM%20QUERY%20FSMO%3C%2FP%3E%3CP%3EThanks%20anyway%3C%2FP%3E%3CP%3EMichel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2619911%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2619911%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20again%2C%3C%2FP%3E%3CP%3Eto%20let%20the%20script%20work%20on%20a%20DC%20with%20Windows%20%3CSTRONG%3E2008%20R2%3C%2FSTRONG%3E%2C%20when%20using%20the%20-ApplyFix%20parameter%3C%2FP%3E%3CP%3Eon%20line%2091%2C%20%3CSTRONG%3Esls%3C%2FSTRONG%3E%20should%20be%20replace%20with%20%3CSTRONG%3ESelect-String%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3EMichel%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2620355%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2620355%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1122173%22%20target%3D%22_blank%22%3E%40SoPy%3C%2FA%3E%26nbsp%3BAs%20with%20other%20GitHub%20scripts%2C%20it%20is%20best%20to%20report%20issues%20by%20opening%20an%20issue%20in%20GitHub%3B%20I%20will%20let%20the%20team%20know!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2620433%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2620433%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1122173%22%20target%3D%22_blank%22%3E%40SoPy%3C%2FA%3E%20All%20the%20above%20issues%20are%20fixed%20in%20the%20release%20that%20just%20went%20up%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E*%20Language-agnostic%20check%20for%20Schema%20Master%20FSMO%20role%3C%2FP%3E%0A%3CP%3E*%20sls%20is%20expanded%20to%20Select-String%20(our%20build%20process%20is%20supposed%20to%20catch%20the%20use%20of%20aliases%2C%20so%20not%20sure%20how%20that%20one%20slipped%20through)%3C%2FP%3E%0A%3CP%3E*%20Schema%20Admins%20check%20is%20taken%20out%20entirely.%20Now%20we%20just%20attempt%20it%2C%20and%20if%20it%20fails%2C%20we%20display%20a%20message%20reminding%20that%20you%20need%20Schema%20Admin.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%20for%20letting%20us%20know!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2621075%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2621075%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20we%20have%20both%202010%20and%202016%20(with%20the%20most%20recent%20CU)%20in%20the%20forest%20are%20we%20vulnerable%20or%20does%20the%20latest%20CU%20for%202016%20take%20care%20of%20this%20update%3F%26nbsp%3B%20We%20recently%20(last%20week)%20introduced%20the%20first%202016%20Exchange%20server%20to%20our%20environment%20but%20still%20have%20a%20few%202010%20servers.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2621372%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2621372%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F123665%22%20target%3D%22_blank%22%3E%40Mike%20Celone%3C%2FA%3E%26nbsp%3BAs%20long%20as%20you%20applied%20CU21%20for%202016%2C%20then%20this%20vulnerability%20is%20already%20fixed.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2621644%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2621644%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3ERan%20the%20script%20and%20it%20indeed%20found%20and%20fixed%20this%20vulnerability%20within%20our%20AD%20schema%20(we%20got%20rid%20of%20Exchange%20years%20ago).%26nbsp%3B%20After%20running%20repadmin%20%2Fshowreps%20%2Fverbose%20I%20get%20the%20following%20error.%26nbsp%3B%20Any%20thoughts%20on%20this%20one%3F%26nbsp%3B%20Will%20this%20self%20correct%20after%20some%20time%3F%26nbsp%3B%20Thanks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECN%3DSchema%2CCN%3DConfiguration%2CDC%3Dour-domain%2CDC%3Dcom%3CBR%20%2F%3EDefault-First-Site-Name%5CSVRDC19%20via%20RPC%3CBR%20%2F%3EDSA%20object%20GUID%3A%20542dfa59-2fed-4cb0-8108-fd1466060fa8%3CBR%20%2F%3EAddress%3A%20542dfa59-2fed-4cb0-8108-fd1466060fa8._msdcs.our-domain.com%3CBR%20%2F%3EDSA%20invocationID%3A%20dd5caf24-c7f2-4918-9371-6444ec14a7a8%3CBR%20%2F%3ESYNC_ON_STARTUP%20DO_SCHEDULED_SYNCS%20WRITEABLE%3CBR%20%2F%3EUSNs%3A%2011511636%2FOU%2C%2011511636%2FPU%3CBR%20%2F%3ELast%20attempt%20%40%202021-08-06%2015%3A08%3A17%20was%20delayed%20for%20a%20normal%20reason%2C%20result%208542%20(0x215e)%3A%3CBR%20%2F%3ESchema%20information%20could%20not%20be%20included%20in%20the%20replication%20request.%3CBR%20%2F%3ELast%20success%20%40%202021-08-06%2014%3A52%3A08.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2622987%22%20slang%3D%22en-US%22%3ERe%3A%20How%20to%20update%20AD%20schema%20to%20address%20CVE-2021-34470%20if%20Exchange%20is%20very%20old%20or%20no%20longer%20installed%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2622987%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F800094%22%20target%3D%22_blank%22%3E%40Cbsykes1%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3EI%20think%20you%20have%20problems%20with%20replication%20with%20others%20DC.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Aug 05 2021 12:54 PM
Updated by: