How to update AD schema to address CVE-2021-34470 if Exchange is very old or no longer installed

Published Aug 05 2021 12:54 PM

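In this blog post, we want to address two scenarios customers have asked us about the Active Directory schema vulnerability detailed in our July 2021 security update announcement (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421).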

Note: This blog post does not apply to customers who are in an Exchange Online hybrid configuration. Hybrid customers should follow the instructions in the July 2021 Security Update announcement to update their Active Directory schema.

Without explicit action by a schema admin in your organization, you might be vulnerable to CVE-2021-34470 if:

  • You ran Exchange Server in the past, but you have since uninstalled all Exchange servers.
  • You still run Exchange Server, but only versions older than Exchange 2013 (namely, Exchange 2003, Exchange 2007 and/or Exchange 2010).

If your organization is in one of these scenarios, we recommend the following to update your Active Directory schema to address the vulnerability in CVE-2021-34470:

  • Download the script Test-CVE-2021-34470.ps1 from GitHub (https://microsoft.github.io/CSS-Exchange/Security/Test-CVE-2021-34470/) and use it to apply the needed schema update; please note the script requirements on the GitHub page.

Even if your organization has uninstalled all your Exchange servers, the schema extensions made by Exchange to your Active Directory are not removed. If you ran Exchange Server in the past, your Active Directory schema was extended as a part of Exchange Server installation, and any Exchange schema extensions are still present in your organization (unless you completely rebuilt your Active Directory forest). Therefore, you might be vulnerable to CVE-2021-34470, and you should use the script to address this vulnerability.

The script makes only the change needed to address CVE-2021-34470, and no other schema changes are made. You can run the script in Test mode to see if your Active Directory schema is vulnerable to CVE-2021-34470. The script will also provide validation that CVE-2021-34470 is addressed if you have already updated your schema.

The Exchange Team

9 Comments
Hi,
Thanks for the script!

It works well on a DC (Server 2019),
but not on a DC (Server 2012 R2)

    Cannot index into a null array.
    At C:\SETUP\CVE-2021-34470_Exchange\Test-CVE-2021-34470.ps1:55 char:92
    + $schemaMaster = (netdom query fsmo | Select-String "Schema master\s+(\S+)").Matches.Groups[ <<<< 1].Value
    + CategoryInfo : InvalidOperation: (1:Int32) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : NullArray

Not all DCs in this world are running Server 2016 or 2019.
Could you please test your script on Server 2012 R2, which is still supported?

Thank you in advance
Michel Py

---

Hello again,
on another DC with Server 2012 R2
the script breaks on Line 55 because it uses the absolute String "Schema master"
On German (de-DE) Windows Machines the String should be "Schemamaster"
The correct String for other languages can be found by manually executing NETDOM QUERY FSMO
Thanks anyway
Michel

---

Hello again,
to let the script work on a DC with Windows 2008 R2, when using the -ApplyFix parameter
on line 91, sls should be replaced with Select-String
Michel

---

@SoPy As with other GitHub scripts, it is best to report issues by opening an issue in GitHub; I will let the team know!

---

@SoPy All the above issues are fixed in the release that just went up:

* Language-agnostic check for Schema Master FSMO role
* sls is expanded to Select-String (our build process is supposed to catch the use of aliases, so not sure how that one slipped through)
* Schema Admins check is taken out entirely. Now we just attempt it, and if it fails, we display a message reminding that you need Schema Admin.

Thanks for letting us know!

---

If we have both 2010 and 2016 (with the most recent CU) in the forest, are we vulnerable or does the latest CU for 2016 take care of this update? We recently (last week) introduced the first 2016 Exchange server to our environment but still have a few 2010 servers.

---

@Mike Celone As long as you applied CU21 for 2016, then this vulnerability is already fixed.

---

Hi,
Ran the script and it indeed found and fixed this vulnerability within our AD schema (we got rid of Exchange years ago). After running repadmin /showreps /verbose I get the following error. Any thoughts on this one? Will this self correct after some time? Thanks

    CN=Schema,CN=Configuration,DC=our-domain,DC=com
    Default-First-Site-Name\SVRDC19 via RPC
    DSA object GUID: 542dfa59-2fed-4cb0-8108-fd1466060fa8
    Address: 542dfa59-2fed-4cb0-8108-fd1466060fa8._msdcs.our-domain.com
    DSA invocationID: dd5caf24-c7f2-4918-9371-6444ec14a7a8
    SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
    USNs: 11511636/OU, 11511636/PU
    Last attempt @ 2021-08-06 15:08:17 was delayed for a normal reason, result 8542 (0x215e):
    Schema information could not be included in the replication request.
    Last success @ 2021-08-06 14:52:08.

---

@Cbsykes1,
I think you have problems with replication with other DCs.
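An added example, not part of the original post or of the Test-CVE-2021-34470.ps1 script: a read-only PowerShell check for two points raised above, whether Exchange schema extensions are still present in the forest after Exchange was uninstalled, and which DC holds the Schema Master role, read from the directory rather than parsed from localized `netdom query fsmo` text. The function name is hypothetical, a domain-joined host is assumed, and the check does not test for CVE-2021-34470 itself, which is what the script's Test mode reports.

```powershell
# Added example: read-only pre-flight inventory; makes no changes to Active Directory.
# Assumes a domain-joined Windows host and an account that can read the schema partition.
# Get-ExchangeSchemaPreflight is a hypothetical name, not a function of the CSS-Exchange script.
function Get-ExchangeSchemaPreflight {
    try {
        # Forest schema object from .NET; no dependency on the RSAT ActiveDirectory module.
        $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    } catch {
        throw "Cannot reach the forest schema (is this host domain-joined?): $($_.Exception.Message)"
    }

    # Locale-independent: the FSMO role holder comes from the directory, not from
    # matching the English text "Schema master" in 'netdom query fsmo' output
    # (which reads "Schemamaster" on de-DE systems and leaves the match null).
    $schemaMaster = $schema.SchemaRoleOwner.Name

    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = [string]$rootDse.schemaNamingContext

    # Exchange setup records its schema version in rangeUpper of this attribute object.
    # The object remains in the schema after all Exchange servers are uninstalled.
    $versionPath = "LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    $hasExchange = [System.DirectoryServices.DirectoryEntry]::Exists($versionPath)

    $rangeUpper = $null
    if ($hasExchange) {
        $rangeUpper = ([ADSI]$versionPath).Properties['rangeUpper'].Value
    }

    # New-Object PSObject keeps this usable on PowerShell 2.0 (Server 2008 R2 default).
    New-Object PSObject -Property @{
        SchemaMaster             = $schemaMaster
        SchemaNamingContext      = $schemaNC
        ExchangeSchemaPresent    = $hasExchange
        ExchangeSchemaRangeUpper = $rangeUpper
    }
}

Get-ExchangeSchemaPreflight | Format-List
```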