Released: March 2021 Exchange Server Security Updates
Published Mar 02 2021 01:08 PM 1.1M Views

Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

IMPORTANT: If manually installing security updates, you must install the .msp from an elevated command prompt (see Known Issues in the update KB articles).

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers. There is a scripted version of this check available on GitHub here.


Mitigations, investigation and remediation:

Are there any mitigations I can implement right now?

MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 can help understand individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.

More information about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available on GitHub in both CSV and JSON formats. This information is being shared as TLP:WHITE.

What about remediation?

MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as updates are made in the tool regularly! Please also see MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.


Installing and troubleshooting updates:

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are the versions considered up to date. If your servers are running an older Exchange Server Cumulative Update (CU) or Update Rollup (RU), we recommend installing a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

Which of my servers should I update first?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?

Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.

Errors during or after Security Update installation! Help!

It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).


Additional Q&A:

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

My organization is in Hybrid with Exchange Online. Do I need to do anything?

While these security updates do not apply to Exchange Online / Office 365, you need to apply them to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run the Hybrid Configuration Wizard (HCW) if you are using it.

Do we need to install those updates on Management Tools only workstations or servers?

Machines with Management Tools only are not impacted (there are no Exchange services installed) and do not require installation of March SUs. Please note that a 'management server' which many of our Hybrid customers have (which is an Exchange server kept on premises to be able to run Exchange management tasks) is different. For Hybrid, please see the Hybrid question above.

The last Exchange 2016 and Exchange 2019 CUs were released in December of 2020. Are new CUs releasing in March 2021?

EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed SUs for older E2016/2019 CUs can simply update to new CUs and will stay protected.

Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?

No. After performing code reviews, we can state that the code involved at the start of the attack chain (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it doesn’t include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.


Major updates to this post:

The Exchange Team

293 Comments
Steel Contributor

Where are the updates...? I don't see any download links here or in any related articles, there's nothing available with an update check on servers, and nothing new in the Update Catalog for Exchange since February.

Steel Contributor

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-...

 

(Sorry for double post since we can't edit/delete here, but wanted this out there for others)

Microsoft

@ajc196 - downloads will be on the Microsoft Update soon. You can get them right away if you go to individual CVEs mentioned in the MSRC blog post: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/ 

Steel Contributor

@Scott Schnoll Thanks! Those links were non-functioning a short while ago but now work. Seems to have been the shuffle of taking things live ASAP.

Iron Contributor
Copper Contributor

Hi All

 

Questions:

1- Has anybody installed this patch?

2- Is it necessary to put Exchange in maintenance mode and restart the server after applying the patch?

 

Thanks.

Steel Contributor

@Elvecio I'm halfway through my servers, no issues thus far. Exchange security updates temporarily stop and disable all Exchange services, so definitely maintenance beforehand. All but one server I've updated wanted a reboot, and I rebooted that one anyway.

Microsoft

Thanks @ajc196 great to hear! That's how it should be. And yes, security updates should prompt for reboot.

Copper Contributor

Hi @ajc196 

Thanks for the information. If you have any new updates about your installation process, please share with us.

 

Thanks again.

Copper Contributor

The Article mentions updates are available for "Exchange Server 2010 (RU 31 for Service Pack 3 – this is a Defense in Depth update)" but I don't see a link to this update in the other attached articles https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/%C... 

Brass Contributor

What is meant by "defense in depth" for the 2010 patch since it is clear the issues have not been fully patched since there are other patches for 2013, 2016 and 2019? Am I safe to assume only one part of the attack chain has been mitigated? We have been struggling to get hybrid mode working to move off 2010 to Exchange Online since last year.

Microsoft
Microsoft

@EddieRowe Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, but there is a vulnerability that we have addressed for Exchange 2010 and our recommendation is to install the update.

I’m applying the updates to all my servers (2010/2013/2016/2019). The updates install OK, but it doesn’t ask for a restart. Is one required?

Copper Contributor

Are these security updates available for Exchange 2016 CU 16?  Or are these security updates to address vulnerabilities only in Exchange 2016 CU 18, 19; respectively. 

Microsoft only supports the current and last CU. You will need to install one of these CUs before you can install the update.

Iron Contributor

we are currently applying it and also no issues so far. 

Microsoft

@Jeff Guillet Our suggestion is to restart the server, yes. I have seen the update prompt for a reboot, but I guess it depends on the scenario...

Copper Contributor

Do these vulnerabilities exists in Exchange 2016 CU 16?

Microsoft

@pquan Yes, but you need to roll forward to apply the updates.

Copper Contributor

Thank you, @Nino Bilic 

Brass Contributor

We have some typos.  Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: March 2, 2021 ... has a link to download Update Rollup 32 for Exchange Server 2010 SP3, but when you click on that link Download Update Rollup 3 For Exchange 2010 SP3 (KB5000978) from Official Microsoft Download Center says it is Rollup 3 instead of 32.

Microsoft

@EddieRowe Yeah that should be fixed now. I just had to reload the page and it says 32 now.

Copper Contributor

Installing on our first server to gauge the impact. Getting lots of "Files in use" errors. We're killing processes and retrying multiple times now.

Copper Contributor

So the Known Issue of applying it by double click breaking ECP/OWA... It's great the article warns you of that... would be better if it told you HOW TO FIX IT too!  Or where to find how to fix it.  So... anyone know how to fix it?!  

 

(Cancelled mid-way.  Rolled back.  Re-installed correctly, ECP is broken; OWA works).

Microsoft

@Keith-Work-711 and @LeeMEI - please make sure to check "KNOWN ISSUES" in the KB article talking about updates. This is not an issue with this particular update, rather - all security updates need to be run elevated if installed manually.

Copper Contributor

@Nino Bilic Thanks, but that's not really helpful.  As I said, it's great that it's a known issue.  That it's known that the update doesn't properly prompt for elevation and that it must be run from an elevated command prompt.  

 

What's done is done.  ECP is broken.  HOW DO WE FIX IT?  There's no mention of restoring ECP / OWA if you failed to run it initially from an elevated command prompt.  Why not? It would be helpful to folks who may not have read the blog but were, instead, told to install this update and ASSUMED it would properly elevate itself.

 

If we wait for the next CU and install that, will that fix it?  I'd rather not wait, but I assume the next CU is due soon...

@LeeMEI If ECP is broken, you might try resetting the ECP virtual directory. 

Copper Contributor

FYI we are running them from an elevated command prompt. Other servers have not had this issue of the "Files in use" and seem to have installed clean. Hopefully just a single server issue.

With my deepest respects, but Exchange has always needed patching like this, this isn't new.  I've always had to apply Exchange updates like this.  This isn't the first security update for Exchange, just the first zero day in the news in a long time.

Microsoft

@LeeMEI - Well, the article does give you some guidance around what to do if services are not starting (I might be assuming that ECP is not running because of this but I did not ask this before):

To fix this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually.

Or are you saying that all services are running and still ECP does not work? Did the update actually successfully install (after elevated installation)?

@Keith-Work-711 My best practice is to always restart the server before I apply updates. That way all file locks are removed and you know the server is coming up healthy (or not) before the updates are applied.

Copper Contributor

@Susan Bradley while it's disappointing that updates for Exchange and potentially other products have this quirk, that's not what I'm really bothered by.  It's a known issue, so why isn't there a reference to how to resolve it if the problem is experienced?  I'm not trying to suggest the post should include in-depth resolutions to the potential issue(s), but rather, a brief note such as @Jeff Guillet suggests, resetting the virtual directory (assuming that works) or a link to another post concerning recovering from that issue should it have occurred.

 

I'm not looking to troubleshoot this here, so if Jeff's solution doesn't work, I'll be posting to other forums tomorrow.  Just frustrated that a known issue exists and Microsoft, while acknowledging it's a known issue, posts absolutely no information about recovering from it if it occurs.

Copper Contributor

@Nino Bilic Sorry if I'm coming across a little harsh.  As I read the post, it was not clear to me that the cause of the ECP or OWA not working would be stopped services.  I took the note below the install workaround instructions to be a possible side effect as I've seen that in the past, regardless of how the update was applied.  As the post says the issue occurs because some services aren't properly stopped, I thought that would likely mean some files wouldn't be appropriately updated/settings applied and, as such, the services break.  I would THINK a re-install of the patch (the second successful install I did of it) would resolve the issues.  Unfortunately, that has not been the case.

 

Yes, OWA works, but ECP is broken.  All services appeared to start properly (except POP/IMAP but we don't use them anyway).  Attempting to access ECP provides login, then redirects to a bad URL (http://localhost/owa/ecp) which returns an unhelpful error, Bad Request.  I expect it to redirect to

https://localhost/ecp/?ExchClientVer=15

 

I've since found that if I go to https://localhost/ecp/?ExchClientVer=15 directly, everything works. Seems it's just the handoff from the login to the admin center.

 

Perhaps it's just bad timing and something else is wrong not related to the patch.

Microsoft

@LeeMEI Not a problem whatsoever; it sucks when things go wrong. It's great that you were able to figure that out! I have to admit that I do not know for sure what is up with this but at least it is not a real fire for you right now.

Copper Contributor

Hi all

 

for OWA

Please execute UpdateCas.ps1 in the Exchange install path:

\Exchange Server\V15\Bin\UpdateCas.ps1

 

For ECP

the link below solved my problem

https://social.technet.microsoft.com/Forums/ie/en-US/44289975-878d-4f51-a73d-f38176ec714d/owa-sudden...

 

 

 

Copper Contributor

Patched our test Exchange 2013 CU 23 servers, no issues identified.

Copper Contributor

Windows 2016 DC, Exchange Svr 2016 CU17  and both servers are failing to install the KB5000871 with "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program.  Verify that the program to be upgraded exists on you computer and that you have the correct upgrade patch.   I have done both.  I have downloaded it from the Catalog and the Download Center and no difference.   Any ideas?

Copper Contributor

Hi Sraine, 

You will need Exchange Server 2016 (CU 19, CU 18). It looks like you have Exchange 2016 CU17.

Steel Contributor

The following article contains instructions for detecting whether CVE-2021-26855 exploitation has taken place

 

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq " -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

The command is broken (it will never execute and generates a PowerShell continuation prompt (>>)). This can be fixed by changing the double quote after $_.AuthenticatedUser -eq " to two single quotes '' - please update the article ASAP!

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox
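As an added example that is not part of the original post or of Microsoft's tooling, here is a Python equivalent of the corrected check above for HttpProxy logs copied off a server: it skips the '#' preamble lines, treats the first remaining line as the CSV header, and flags rows where AuthenticatedUser is empty and AnchorMailbox matches ServerInfo~*/*. The sample log, its reduced column set and the example.test hostnames and IP addresses are constructed.

```python
"""Offline equivalent of the CVE-2021-26855 HttpProxy log check (added example).

Flags rows where AuthenticatedUser is empty and AnchorMailbox matches
ServerInfo~*/*, the same condition as the PowerShell one-liner, but runs on
copies of the .log files with no Exchange server or PowerShell needed.
"""
import csv
import io
from pathlib import Path
from typing import Dict, Iterator, List

# Constructed sample in the shape of an HttpProxy log: a '#' preamble, a header
# row, then CSV data. Reduced to the columns this check needs; hosts are fake.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: HttpProxy Logs
#Fields: DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox
DateTime,ClientIpAddress,AuthenticatedUser,AnchorMailbox
2021-03-02T08:15:01.123Z,203.0.113.10,,ServerInfo~mail.example.test/autodiscover/autodiscover.xml
2021-03-02T08:15:02.456Z,198.51.100.7,CONTOSO\\jdoe,Sid~S-1-5-21-1-2-3-1001
2021-03-02T08:15:03.789Z,203.0.113.10,,ServerInfo~mail.example.test/ecp/y.js
2021-03-02T08:15:04.000Z,192.0.2.44,,Smtp~user@example.test
"""

PREFIX = "serverinfo~"  # lower-cased because PowerShell -like is case-insensitive


def parse_httpproxy_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data row; '#' preamble lines are skipped and the
    first remaining line is used as the CSV header."""
    data = [ln for ln in text.splitlines() if ln.strip() and not ln.startswith("#")]
    yield from csv.DictReader(io.StringIO("\n".join(data)))


def is_suspicious(row: Dict[str, str]) -> bool:
    """Mirror of: AuthenticatedUser -eq '' -and AnchorMailbox -like 'ServerInfo~*/*'."""
    user = row.get("AuthenticatedUser") or ""
    anchor = (row.get("AnchorMailbox") or "").lower()
    return user == "" and anchor.startswith(PREFIX) and "/" in anchor[len(PREFIX):]


def find_suspicious_rows(text: str) -> List[Dict[str, str]]:
    """Return the matching rows, keeping the fields an analyst wants to see."""
    return [
        {k: row.get(k, "") for k in ("DateTime", "ClientIpAddress", "AnchorMailbox")}
        for row in parse_httpproxy_log(text)
        if is_suspicious(row)
    ]


def scan_directory(root: str) -> List[Dict[str, str]]:
    """Walk a copied Logging\\HttpProxy tree and collect hits from every .log file."""
    hits: List[Dict[str, str]] = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() == ".log":
            text = path.read_text(encoding="utf-8", errors="replace")
            for hit in find_suspicious_rows(text):
                hits.append({"File": str(path), **hit})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_rows(SAMPLE_LOG):
        print(hit)
```

A hit is a lead, not proof: the corresponding requests still have to be checked against the IOC guidance in the HAFNIUM post before concluding the server was exploited.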

 

Microsoft

@ChrisAtMaf Thank you - reported to that blog team...

Copper Contributor

Hi community,

 

A quick question: Is the Exchange 2016 CU17 affected by the release ?

Steel Contributor

@Nino Bilic No worries. The command picked up what looked like two attempts to exploit our server this morning, so it's important people run it!

Brass Contributor

Exchange 2016, and was on CU17....I tried to install straight to CU19, and get "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program.  Verify that the program to be upgraded exists on you computer and that you have the correct upgrade patch"

Installed CU18 just fine...and I thought the rollups were cumulative anyhow, hence why I tried to go straight to CU19. So, I am not on CU18, and cannot get to CU19....what is "missing"?

Copper Contributor

We have Exchange redirecting to ADFS for user authentication. Can this vulnerability still be exploited in this configuration?

 

Copper Contributor

Has anyone had issue where autodiscover ews are throwing 500 errors? 

 

I fixed the ECP issue now I'm just struggling to get fat clients connected.

 

 

Thanks. 

Copper Contributor

If the Exchange environment and all HTTPS services like OWA, ECP etc. are behind a web application module like BIG-IP from F5, is there the same risk for these vulnerabilities?

Copper Contributor

Trying to update our Exch 2013 CU23 server, and am getting this error:

 

This upgrade patch cannot be installed by the Windows Installer service because the program to be upgrade may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded eists on your computer and that your have the correct upgrade path.

I tried running the install troubleshooter, and FixMissingMSI app to see if there were fixes or corrupt registry entries, no dice. Any ideas?

Microsoft

@Nando90 Yes it is impacted, but you need to go to a later CU to be able to install the update

Version history
Last update: Mar 19 2021 01:44 PM