Blog Post

Exchange Team Blog

6 MIN READ

Released: March 2021 Exchange Server Security Updates

The_Exchange_Team

Microsoft

Mar 02, 2021

Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

Exchange Server 2013
Exchange Server 2016
Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB articles)

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers. There is a scripted version of this check available on GitHub here.

Mitigations, investigation and remediation:

Are there any mitigations I can implement right now?

MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 can help understand individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.

More information about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE. CSV format and JSON format are available.

What about remediation?

MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as updates are made in the tool regularly! Please also see MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

Installing and troubleshooting updates:

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running older Exchange Server cumulative or rollup update, we recommend to install a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

Which of my servers should I update first?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?

Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.

Errors during or after Security Update installation! Help!

It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).

Additional Q&A:

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

My organization is in Hybrid with Exchange Online. Do I need to do anything?

While those security updates do not apply to Exchange Online / Office 365, you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run HCW if you are using it.

Do we need to install those updates on Management Tools only workstations or servers?

Machines with Management Tools only are not impacted (there are no Exchange services installed) and do not require installation of March SUs. Please note that a 'management server' which many of our Hybrid customers have (which is an Exchange server kept on premises to be able to run Exchange management tasks) is different. For Hybrid, please see the Hybrid question above.

The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?

EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed SUs for older E2016/2019 CUs can simply update to new CUs and will stay protected.

Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?

No. After performing code reviews, we can state that the code involved in the attack chain to begin (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it doesn’t include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.

Major updates to this post:

3/19/2021: Added a link to Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities
3/17/2021: Removed the mention of CompareExchangeHashes.ps1 script (deprecated). Added a Q&A pair for Management Tools only machines.
3/16/2021: Added a note about Exchange 2016 CU 20 and Exchange 2019 CU 9
3/15/2021: Added a link to One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT)
3/12/2021: Added a Q&A pair for Exchange 2003/2007
3/11/2021: Added a note about final list of SU releases for out of support CUs
3/10/2021: Added a note that the MSERT tool should be downloaded often as it gets updated regularly
3/9/2021: Added a link to ExchangeMitigations.ps1 mitigation script and CompareExchangeHashes.ps1 file hashes check script.
3/8/2021: Added a link about Updates for older Cumulative Updates of Exchange Server and information about a feed of observed indicators of compromise (IOCs).
3/8/2021: Added a link to the guide that can help with steps that need to be taken to get current and update
3/8/2021: Added a note about elevated CMD prompt installation of .msp files
3/7/2021: Reorganized information to make it easier to navigate
3/6/2021: Added information about MSERT tool to help with remediation
3/6/2021: linked to an article about troubleshooting failed installations of Exchange security updates
3/5/2021: linked to the new MSTIC blog post on Vulnerability Mitigations

The Exchange Team

Updated Mar 19, 2021

Version 44.0

Microsoft

Joined April 19, 2019

View Profile

Exchange Team Blog

You Had Me at EHLO.

293 Comments

Sam_T
Iron Contributor
Apr 17, 2021
@Nino Bilic Hello Nino. KB5001779, just like KB5000871 is not visible by running get-hotfix or by looking for updates in WAC when installed on a Windows 2019 Core server. This is not a problem with other Windows Server security hotfixes - only with Exchange hotfixes. This is an issue for administrators, installers, etc. When will this be addressed? Do you see the same thing on your Windows 2019 Core servers?
reaper111
Copper Contributor
Apr 12, 2021
Hi The_Exchange_Team , recently @ PWN2OWN 2021 there was a competition, to hack Exchange Servers.
Is there a plan to release some other 0-day patches to fix these citritical bugs ?
https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results

Thank you in advance
Elijah_Nakpil
Copper Contributor
Apr 06, 2021
Hi, we are only utilising smtp relay for our exchange 2016 cu19 and currently no mailbox. We have successfully updated the security patch. We have confirmed that if virtual directory like ews has external url set. Do you recommend for us to remove the externalurl set for our ews to make sure no doors are open for possible 443 attacks?
Sam_T
Iron Contributor
Mar 21, 2021
@Katbert That's normal for hotfixes that are issued between CU's. You should also see it by running get-hotfix.

The problem on Exchange 2019 on Windows 2019 Core is that the KB5000871 update does not show up when checking for it via typical methods.
i.e. get-hotfix or looking for it under the server updates in the Windows Admin Center.
Katbert
Copper Contributor
Mar 21, 2021
Sam_TYes, I see KB5000871 as installed update in Control Panel
Sam_T
Iron Contributor
Mar 21, 2021
Katbert Does it show up under Installed Updates ? (Control Panel)
Katbert
Copper Contributor
Mar 21, 2021
After successfull installation of KB5000871 for Exchange 2013 CU23, server version was not changed
Get-ExchangeServer | Select Name, AdminDisplayVersion
Name AdminDisplayVersion
---- -------------------
EXCH Version 15.0 (Build 1497.2)

Is it normal?
itsupport-bhms
Copper Contributor
Mar 20, 2021
in addition of using MSERT to scan for infected files, I also use THOR-LITE. I found that this tool can found infected files that MSERT cannot find

Here is the link New Detection Rules for Exchange Exploitation Activity (https://www.nextron-systems.com/blog/)
HMITSUPP
Copper Contributor
Mar 20, 2021
Hi,

I just had a look at this page that list
https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv
2021-03-19,,C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\TimeoutLogout.aspx
I found this file on the server but MSERT full scan says clean. The file is dated 30/4/18. Is that mean that's the real file on the server?

Are these files looks suspicious that has App_Web_outlooken.aspx.f5dba9b9.uicm1h4n.0.js and others? MSERT also says clean.

Thanks.
Hendri
HMITSUPP
Copper Contributor
Mar 19, 2021
Hi,
I have Exchange 2016, upgraded to CU19 then install patch KB5000871 on 5th March. I thought that is safe.
Yesterday, I ran Test-ProxyLogon.ps1 and reported some suspicious activity for CVE-2021-26855 and CVE-2021-27065. However, it all dated (3rd & 4th) prior the CU update and patch.
Then I ran EOMT.ps1, reported clean. MSERT quick scan and I redo full scan, both confirmed clean. I double check targeted folders (C:\inetpub\wwwroot\aspnet_client as well system_web folder, FrontEnd\HttpProxy\owa\auth and ecp\auth) none of the suspicious files. Except there is one OutlookEN.aspx inside owa\auth. The date created and modified is 19/11/20, exactly the same as other legit aspx (logoff, logon, OutlookCN). This file is hidden in Explorer. Not visible in cmd. Is this OutlookEN.aspx legit?
But listed in https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883 (list of webshell)

In the Event Log, I can see many attempts to ASP.NET 4.0.30319.0 try to execute ecp\j.js (and random.js) which doesn't exist.

Any thought?

Thanks in advance.
Hendri