Released: August 2023 Exchange Server Security Updates
Published Aug 08 2023 05:02 PM

Update 10/10/2023: Our recommendation to address CVE-2023-21709 is now changed; please see the changes below.

Update 9/12/2023: As a part of the September 2023 "Patch Tuesday" we have released a few more Exchange Server CVEs. They were all addressed in our August 2023 SU (more information here). If you did not install August SUs yet, please do so now.

Microsoft has released Security Updates (SUs) for vulnerabilities found in:

  • Exchange Server 2019
  • Exchange Server 2016

SUs are available for the following specific versions of Exchange Server (download links are updated for re-released SUs):

  • Exchange Server 2019 CU12 and CU13
  • Exchange Server 2016 CU23

The August 2023 SUs address vulnerabilities responsibly reported to Microsoft by security partners and found through Microsoft’s internal processes. Although we are not aware of any active exploits in the wild, our recommendation is to immediately install these updates to protect your environment.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities addressed by these SUs and do not need to take any action other than updating any Exchange servers or Exchange Management tools workstations in their environment.

More details about specific CVEs can be found in the Security Update Guide (filter on Exchange Server under Product Family).

Steps needed to address CVE-2023-21709

To address CVE-2023-21709, our updated recommendation is for administrators to install October 2023 Windows Security Updates on all of their Exchange Servers. Please see October 2023 Security Update announcement for more information.
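An added readiness check, written for this post and not Microsoft's own script: for each Exchange server it reports whether a given Windows update is installed and whether the IIS TokenCacheModule, which the earlier CVE-2023-21709.ps1 mitigation script discussed in the comments disabled, is still present. The KB number is a placeholder to replace with the October 2023 Windows SU for your OS build; it assumes the Exchange Management Shell and PowerShell remoting to each server.

```powershell
# Added example (not from the blog post): per-server status report for the CVE-2023-21709 guidance.
# Assumptions: run from the Exchange Management Shell; WinRM is enabled on every server;
# $OctoberWindowsKb is a PLACEHOLDER - use the October 2023 Windows SU KB for your OS build.
param(
    [string]$OctoberWindowsKb = 'KB_PLACEHOLDER'
)

# Edge Transport servers are not domain joined and are skipped here.
$servers = Get-ExchangeServer |
    Where-Object { $_.ServerRole -notlike '*Edge*' } |
    Select-Object -ExpandProperty Name

foreach ($s in $servers) {
    $report = [ordered]@{ Server = $s }

    # Exchange build, so the report also shows whether the August 2023 SU level is consistent.
    $report.ExchangeVersion = (Get-ExchangeServer -Identity $s).AdminDisplayVersion.ToString()

    # 1. Is the October 2023 Windows SU (the updated recommendation in the post) installed?
    $hotfix = Get-HotFix -ComputerName $s -Id $OctoberWindowsKb -ErrorAction SilentlyContinue
    $report.WindowsSuInstalled = [bool]$hotfix

    # 2. Is the IIS TokenCacheModule present? The earlier mitigation script removed it;
    #    this only reports the state, it changes nothing.
    try {
        $report.TokenCacheModulePresent = Invoke-Command -ComputerName $s -ErrorAction Stop -ScriptBlock {
            Import-Module WebAdministration -ErrorAction Stop
            [bool](Get-WebGlobalModule -Name 'TokenCacheModule')
        }
    }
    catch {
        $report.TokenCacheModulePresent = "query failed: $($_.Exception.Message)"
    }

    [pscustomobject]$report
}
```

Pipe the output to Export-Csv if you need evidence of patch state for an audit, as one commenter below asks about.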

Support for change of default encryption algorithm in Microsoft Purview Information Protection

This section applies only to our customers who use Exchange Server and either Azure or AD Rights Management Service (RMS). If you are not familiar with these services, the Exchange Online CBC encryption changes should not apply to you.

As announced in the Encryption algorithm changes in Microsoft Purview Information Protection blog post, Exchange Server August 2023 SUs contain updates that enable customers who use Exchange Server on-premises to continue decrypting content protected by Purview sensitivity labels or Active Directory Rights Management Services. Please review that blog post for details and timelines and read AES256-CBC support for Microsoft 365 documentation.

If your organization is impacted by this change, after installing the August SU on your Exchange servers, see this KB article. Please note – this step is not needed unless your on-premises servers require support for AES256-CBC.

Update installation

The following update paths are available:

[Figure: August 2023 SU update paths (Aug2023SUpaths01.jpg)]

Known issues with this release

  • Customers impacted by the upcoming Microsoft 365 AES256-CBC encryption change need to perform a manual action to enable new encryption algorithm after August 2023 SU is installed. Please see this KB article. We will remove the requirement for manual action in a future update.

Issues resolved in this release

FAQs

Our organization is in Hybrid mode with Exchange Online. Do we need to do anything?
Exchange Online is already protected, but this SU needs to be installed on your Exchange servers, even if they are used only for management purposes. If you change the auth certificate after installing an SU, you should re-run the Hybrid Configuration Wizard.

The last SU we installed is a few months old. Do we need to install all SUs in order to install the latest one?
SUs are cumulative. If you are running a CU supported by the SU, you do not need to install all SUs in sequential order; simply install the latest SU. Please see this blog post for more information.

Do we need to install SUs on all Exchange Servers within our organization? What about ‘Management Tools only’ machines?
Our recommendation is to install SUs on all Exchange Servers and all servers and workstations running the Exchange Management Tools to ensure compatibility between management tools clients and servers. If you are trying to update the Exchange Management Tools in the environment with no running Exchange servers, please see this.

We still use Exchange Server 2013 on-premises to host mailboxes. Can we have an update for Exchange Server 2013 to support the new Microsoft 365 AES256-CBC encryption standard?
Exchange Server 2013 is out of support and will not receive any further security updates. We do not perform any vulnerability testing against this version of Exchange anymore. Exchange Server 2013 is likely vulnerable to any vulnerabilities disclosed after April 2023 and you should migrate to Exchange Server 2019 or Exchange Online as soon as possible and decommission Exchange Server 2013 from your environment.

Documentation may not be fully available at the time this post is published.

Blog post updates:

  • 9/12: Changed the banner to mention that Aug 2023 SUs are also the resolution to Exchange Server CVEs released in September 2023.
  • 8/16: Added a known issue for: Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU
  • 8/15: Updated the blog post to reflect that Aug 2023 SUs were re-released on 8/15/2023
  • 8/15: Added a link to the process of installing updates on management tools machine when there are no Exchange servers running
  • 8/15: Temporarily removed all download links
  • 8/9: Referenced Exchange Server 2019 and 2016 August 2023 security update installation fails on non-English operatin... in Known Issues section
  • 8/9: Added a command that will help you reset the state of your services if setup has already failed
  • 8/9: Added a known issue about non-English servers Setup issues and temporary removal of August SUs from Microsoft / Windows update

The Exchange Server Team

213 Comments
Steel Contributor

@Nino_Bilic thanks! I was just concerned because I read comments from admins who just ran the script and had issues with Outlook speed/freezes and mobile device access.

I will execute the script tomorrow and provide an update here if I have any issues. I will hold off installing the Aug SU.

Thanks!

Copper Contributor

I cannot access the download links provided in the article (2019CU13, 2019CU12 and 2016CU23) anymore as of a couple of minutes ago. I get:

We're sorry, this download is no longer available.

Copper Contributor

I know there are issues with the non-English version, but why is the update (CU 13 SU2) removed?

https://www.microsoft.com/en-us/download/details.aspx?id=105524

Microsoft

@Pascal_de_Vries and @noobtoob7 We will have updates on this soon. Stay tuned...

Brass Contributor

@Nino_Bilic if we've already installed the SU, will we need to reinstall the updated SU?

Microsoft

@JoshC189 Without knowing exactly the status of original installation and how you got to install it, I can't answer this question. For most of our customers, the answer will be "no". Details to follow.

Copper Contributor

We can't seem to renew the certificate after upgrading to the latest version.

This command:
Enable-ExchangeCertificate ABCDEABCDEABCDEABCDEABCDEABCDEABCDEABCDE -Services SMTP -Server exchange001

Gives this error:
The Exchange Certificate operation has failed with an exception on server exchange001. The error message is: Unknown error (0xe0434352)

Details:
Running on Exchange 2016 CU23 (15.01.2507.031) on Windows Server 2016

If you have any idea, we would highly appreciate it; the certificate is expiring in a very short time!

Brass Contributor

Thank you @Nino_Bilic

Will wait for more information in the future.

Copper Contributor

@GGGreg looking at the command, you're not renewing it; instead you're binding it to a service.

I use this command to renew an Exchange certificate:

Get-ExchangeCertificate -Thumbprint "thumbprint of old certificate" | New-ExchangeCertificate -Force -PrivateKeyExportable $false

Copper Contributor

Hey @noobtoob7, thank you for your message. Indeed it was imported successfully, but it won't apply to internal transport. The thumbprint is valid and it's the only way we know to apply it. Obviously, we did the CSR, generated the certificate, created a PFX and imported it into the Personal store. It is applied to IIS, but not to internal transport.

Copper Contributor

@GGGreg stupid question, but did you also import the certificate in Exchange?

Eac > servers > certificates

Copper Contributor

I started installing this on the secondary server in my DAG this afternoon, then stumbled across this thread and saw that the download links were removed. For those who were able to get this installed, did you notice a delayed reboot? I am going on over an hour stuck on "Getting Windows Ready, Don't Turn off your Computer"

Copper Contributor

Hi vollmas-firelands

On most of the servers this was a normal patch/reboot. On a handful it did take over 90 minutes to 2 hours to complete and seemed to be stuck on "Getting Windows Ready, Don't Turn off your Computer", but they did then complete with no issues.

Regards

Copper Contributor

Thanks @SteveRubin! Mine finally finished installing and rebooted. Took a little over an hour and a half in total for the one server.

Copper Contributor

Now I have to decide whether to install on the other server in my DAG or wait until this is cleared up.

Copper Contributor

@noobtoob7 Confirmed, the certificate is present in Eac > servers > certificates on all servers.

Copper Contributor

@Nino Bilic @The_Exchange_Team, are there any new findings in this regard?

Brass Contributor

I'm seeing a lot of commentary about what I'm seeing as well: the SU for English servers is no longer available either, with no links, and the download is unavailable on the few links that can be found. It appears this started yesterday? Thank you

Copper Contributor

Is there any update on this? I have to prove the server is fully patched to keep our cyber insurance.

Also please tell me it won't break password changes in OWA like another user mentioned, as we have a lot of remote workers that rely on this.

Microsoft

@Pascal_de_Vries @noobtoob7 @JoshC189 @vollmas-firelands @Donovon Dildine @celeron @mhincapie @Tom B 

We have now re-released the updated SU packages. Read more here. Download links in this post have been updated. KBs are still on the way (soon).

Copper Contributor

@Nino_Bilic is there a possibility the renewal of certificate no longer works due to this latest update?

Copper Contributor

Hello Exchange team, @Nino_Bilic,

Thank you for sharing the updated SU for August.

Has there been any change regarding the severity rating of the SU and script?

Is it still on status "Important" rather than critical?

Copper Contributor

Hello,

Can those who have not installed SU1 for Exchange 2016 install SU2 directly? Or should SU1 be installed first, then SU2?

Copper Contributor

@Nino Bilic Thanks for the update. Do you have an ETA for when this will filter down to WSUS?

Copper Contributor

After installing KB5030524 (Aug SUv2) on a DE server, the permission for the "network service" in the registry is no longer set.

Is that okay @Nino_Bilic?

[Image: 16-08-2023_11-40-54.png]

Copper Contributor

@Nino_Bilic Thanks for publishing the updated versions of the patch. I will try tonight on a DE Exchange 2016 installation.

Microsoft

@pagrill Yes!

Microsoft

@IT_MAN2265 No need to go via SUv1; in fact we pulled those downloads...

@PaulyHaley I am not totally sure but "soon" (it is on the way)

Microsoft

@Lennart-Live1220 No change in severity for that CVE

Microsoft

@GGGreg I just asked someone on the team to try this and cert renewal did work as expected in their environment updated to Aug SU:

Get-ExchangeCertificate -Thumbprint "thumbprint of old certificate" | New-ExchangeCertificate -Force -PrivateKeyExportable $true

Copper Contributor

@GGGreg We could not get any of the Exchange PS cmdlets to work when we tried to renew our certificates, but specifically around exporting/importing the certificate to put on the other servers (-PrivateKeyExportable $true) it just did not work, and we tried different variations of the documented procedure. We ended up using the DigiCert tool for the whole process, which did work. I hope your cert provider has a similar tool you can try.

Microsoft

@Thai_Lam and @celeron After your report, we have investigated this OWA password change thing and have now published a KB article on this. It is now a "known issue" for this SU. But note: this applies ONLY to environments that use multi-forest topologies. We do not find any issues if the Exchange organization does not span multiple forests.

Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments af...

We are going to be working on a fix for this (it is still under investigation) but this will not be a re-release of the SU, so the goal is that a future update would address this.

Copper Contributor

@Nino_Bilic  Thanks for the feedback.

I ran the update in our lab environment and it went smoothly, no issues whatsoever. If I come across an issue in production, which I doubt, I will let you guys know.

Copper Contributor

For anyone else who is still using WSUS, the SUv2 is now available.

Copper Contributor

We had the first round of updates to SUv2 Wednesday night. Everything went swimmingly well. Updates were applied automatically overnight. Remaining servers will patch tonight and Friday night.

Steel Contributor

Hi @Nino_Bilic,

I ran HealthChecker and it flagged the following:

AES256-CBC Protected Content Support: False
This could lead to scenarios where Exchange Server is no longer able to decrypt protected messages

We have 1 on-prem Exchange 2019 CU12 Jun SU server hosting a total of 75 mailboxes. We are not on SharePoint or Exchange Online. We use the Office 365 Outlook client. Which option should I take? Or should I just ignore the warning?

https://learn.microsoft.com/en-us/purview/technical-reference-details-about-encryption#aes256-cbc-su...

Please advise.

Thank you!

Microsoft

@ceantuco Unless you also have Azure or AD Rights Management Service (RMS) on-premises, you do not need to worry about this.

Steel Contributor

@Nino_Bilic no, we do not. Thanks for all your help! 

Copper Contributor

Download links are not working for the August SU V1 & V2, please fix. 404 when attempting to click them.

https://learn.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchser...

Managed to find a working link from the CVE article.

https://www.microsoft.com/en-us/download/details.aspx?id=105536

Copper Contributor

Every Exchange server is now updated in production and it went smoothly as expected; however, I still need to run the CVE-2023-21709.ps1 script.

Microsoft

@neilhoward84 Indeed, we are aware of the publishing system issue that made the KB articles go away (there are other KBs impacted too, not just Exchange ones). The links in this blog post still work but KBs are still currently not available.

Copper Contributor

Hi @Nino_Bilic,

Were you able to gather information from the IIS Team as requested by @Spacefish?
"Is the IIS Team working on a fix of the TokenCacheModule which we can expect in the foreseeable future?"
Thanks for your update and follow-up 😉

Brass Contributor

I'd like to know as well, as I am seeing slower page load times and more "sluggishness" through OWA.

Thanks

Microsoft

@AntoMoreau and @JoshC189 We continue to work with relevant teams to figure out how, what and if there are additional changes that need to happen in this area. I understand that there is a bit of ambiguity, but I do not have anything more to share at this time.

We'd be very interested in understanding if you are seeing perf issues after disabling token cache. As every environment will be different, there is a possibility of this, especially if the environment was already running a bit "hot" before the change. We are not aware of significant impact of this change, though. It would be helpful if a ticket was opened if this change made a significant perf difference so we could investigate and have a look at perf logs before and after the change. Performance issues are especially tricky as variance in client use / mix between environments can make all the difference.

Microsoft

@neilhoward84 KBs are now back.

Brass Contributor

I'll see what perf logs I can set up and review vs. just "this feels slower/sluggish" and go from there.

Thanks

Copper Contributor

@Nino_Bilic We have the problem that our secretaries cannot edit calendar meetings in other mailboxes after the Security Update.

The users have owner or edit rights on these mailboxes.

They create the meeting in the calendar of their boss and send the meeting to other users in the org.

Then they would like to add further information (edit / input text) in that meeting in other mailboxes (not in the mailbox that created the meeting).

On those other mailboxes they are also owners or have edit rights. (They are secretaries for a few users.) They don't edit the text in the owner's mailbox calendar, because the information they would add is not relevant for all persons, only for the specific user.

Is this problem known? Maybe from other Exchange admins?

Microsoft

@stetze We have tried to reproduce this and... actually, there is no difference between August 2023 SU (or not). In other words - both August and pre-August SUs behave the same and the meeting body is "read only" in that other recipient's mailbox...

After doing a bit more digging, I am wondering if this is what caused this change: https://support.microsoft.com/en-us/office/images-are-blocked-and-meeting-body-is-read-only-in-outlo... - in other words, when meeting is received, the meeting body is now read only after this Outlook security change... and if so, this is not a change related to Exchange SU.

Copper Contributor

I ran the CVE-2023-21709.ps1 script and there were no problems. I do have to say that I ran the script per server for safety reasons, because after running the script the CPU spikes went to 100%. I will continue to keep an eye on it, but for now everything looks good.

Last update: Oct 10 2023 10:11 AM