Released: March 2021 Exchange Server Security Updates
Published Mar 02 2021 01:08 PM

Note: this post is getting frequent updates; please keep checking back. Last update: 3/19/2021

Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:

  • Exchange Server 2013
  • Exchange Server 2016
  • Exchange Server 2019

Security updates are available for the following specific versions of Exchange:

IMPORTANT: If you are installing the security updates manually, you must install the .msp from an elevated command prompt (see Known Issues in the update KB articles).

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.

For more information, please see the Microsoft Security Response Center (MSRC) blog.

For technical details of these exploits and how to help with detection, please see HAFNIUM Targeting Exchange Servers. There is a scripted version of this check available on GitHub here.

 

Mitigations, investigation and remediation:

Are there any mitigations I can implement right now?

The MSRC team has released a One-Click Microsoft Exchange On-Premises Mitigation Tool (EOMT). The MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 can help you understand the individual mitigation actions. A stand-alone ExchangeMitigations.ps1 script is also available.

How can I tell if my servers have already been compromised?

Information on Indicators of Compromise (IOCs), such as what to search for and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.

More information about investigations

To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available on GitHub in both CSV format and JSON format. This information is being shared as TLP:WHITE.

What about remediation?

The MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 with information that the Microsoft Support Emergency Response Tool (MSERT) has been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as the tool is updated regularly! Please also see MSRC Guidance for responders: Investigating and remediating on-premises Exchange Server vulnerabilities.

 

Installing and troubleshooting updates:

Does installing the March Security Updates require my servers to be up to date?

Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running an older Exchange Server cumulative or rollup update, we recommend installing a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.

How can I get an inventory of the update-level status of my on-premises Exchange servers?

You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).

Which of my servers should I update first?

Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.

Will the installation of the Security Updates take as long as installing an RU/CU?

Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.

My organization needs to 'get current' first... we need to apply a Cumulative Update. Any tips for us?

Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.

Errors during or after Security Update installation! Help!

It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).

 

Additional Q&A:

Are there any other resources that you can recommend?

Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.

My organization is in Hybrid with Exchange Online. Do I need to do anything?

While these security updates do not apply to Exchange Online / Office 365, you need to apply them to your on-premises Exchange Server, even if it is used for management purposes only. You do not need to re-run the HCW if you are using it.

Do we need to install those updates on Management Tools only workstations or servers?

Machines with Management Tools only are not impacted (there are no Exchange services installed) and do not require installation of March SUs. Please note that a 'management server' which many of our Hybrid customers have (which is an Exchange server kept on premises to be able to run Exchange management tasks) is different. For Hybrid, please see the Hybrid question above.

The last Exchange 2016 and Exchange 2019 CUs were released in December of 2020. Are new CUs releasing in March 2021?

EDIT: Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 are now released and those CUs contain the Security Updates mentioned here (along with other fixes). Customers who have installed SUs for older E2016/2019 CUs can simply update to new CUs and will stay protected.

Are Exchange Server 2003 and Exchange Server 2007 vulnerable to March 2021 Exchange server security vulnerabilities?

No. After performing code reviews, we can state that the code involved at the start of the attack chain (CVE-2021-26855) was not in the product before Exchange Server 2013. Exchange 2007 includes the UM service, but it doesn’t include the code that made Exchange Server 2010 vulnerable. Exchange 2003 does not include the UM service.

 

Major updates to this post:

The Exchange Team

293 Comments
Copper Contributor

Hi,

 

I see that there is no Security patch for Server 2016 under CU18, does this mean these servers are not affected by this vulnerability?

Thanks!

 

Regards Bas

Microsoft

@baskleian That is not correct; ALL versions are affected. Only CU18 and 19 for E2016 can apply the security update.

Copper Contributor

@Nino Bilic , Thanks for the quick response!

Copper Contributor

Hi, our Exchange servers are on Exchange 2016 CU19. The February Security Updates for CU19 were not installed. Does this security update need to be installed before the March 2 Security Update, or are they included in the March 2 update as well?

Copper Contributor

Hi,

 

Please clarify this statement:

"The initial attack requires the ability to make an untrusted connection to Exchange server port 443"

The media seems to interpret this as being able to make an untrusted HTTP (aka not encrypted) connection to an HTTPS port.

Many of us use SSL-offloading/SSL-bridging reverse Proxies (F5 Big-IP, Citrix Netscaler, Kemp, nginx, Apache, HAProxy.....and also some cloud services as Azure Application Proxy or be it also CDNs like Cloudflare etc.) to get Exchange hooked up to the internet and do SSL bridging.
By nature these technologies prevent HTTP connections to HTTPS ports.

 

Or, do you mean by "untrusted connections" that the user is not authenticated?

 

If yes:

Many of us also use these technologies to do pre-authentication before anyone can access anything anonymously on port 443 (there was also a question about ADFS some posts before, I might add the question what if we do pre-authentication with Azure AD?).

 

Are these users protected, or does this issue concern those web API connections to EWS/OAB/ECP/ActiveSync where we have to turn off pre-authentication since this would break those services?

 

Just asking out of curiosity; I know the vulnerability still exists if anyone can access the server directly from the LAN.

Also, because everybody around me is hyping/freaking out, even though many have such technologies in place.

 

I guess nobody will hook up an Exchange server to the Internet just by port-forwarding port 443 on the firewall directly to the server, or by configuring a public IP address on the server's network interface and connecting it directly to the provider switch, at least not in the last 10 years. (Hell, we were doing that since ISA 2000.)

 

Marc

 

 

Copper Contributor

Import-Csv -Path (Get-ChildItem..... script from https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

for CVE-2021-26855 gives results which alerted me at first, but then I noticed it is for port 444, which is not even accessible from outside; this was with a log entry from before running the patch for Exchange 2013.

Microsoft

@Ma-Po While customers might use various products that partially mitigate the original attack vector in their environment, it is important to understand that the details of the vulnerabilities are now public. In addition to the fact that we cannot speak to the exact combination of 3rd-party products that might or might not mitigate some of those vulnerabilities, administrators should realize that Exchange is still vulnerable if not updated, and different attack vectors could exist. Our strong recommendation is to update the servers immediately.

Microsoft

@Joester80 March security updates include February security fixes. Health Checker script should indicate all is well once March fixes are installed.

Copper Contributor

Do these vulnerabilities affect servers with a perimeter transport role?

Microsoft

@Frachamer The original attack vector was not via the SMTP / transport. Note that all of the vulnerabilities are now public so there might be more attack vectors now. Update to remove vulnerabilities!

Copper Contributor

Hi Guys,

 

Unfortunately I have updated our Q environment with a non-elevated command line, and after the update the ECP stopped working.

I am getting the following error message:

"

Server Error in '/ecp' Application.

Runtime Error
Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated."

 

Could you please help me with a workaround? I have tried to rebuild the ECP Virtual Directories, but have the same issue. Should I install the security patch again, now with an elevated command line?

Thank you for your help!

Copper Contributor

@Nino Bilic ,

Hi, my current version is Exchange 2016 CU15, running as a Hybrid server.

Can you help me with upgrading from CU15 to CU18? Do I need to run PrepareSchema, PrepareAD and PrepareDomain, and after upgrading to CU18 does it retain my Hybrid configuration as it is, or do I need to re-run the HCW again?

 

 

Thanks and Regards

Anand Sunka

 

Microsoft

@HYper83 Please see the "Known issues" section on the update KB (this should not be a problem if update is installed from Microsoft Update): Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021...

Microsoft

@ANAND_SUNKA There are no schema changes between CU15 and CU18 as per this. You do not need to re-run HCW, no.

Copper Contributor

@Nino Bilic : Thank you for your answer. I know, but unfortunately it already happened and I am just asking for a fix/workaround.

Microsoft

@HYper83 Well, the KB says there might be services that are not started; start them manually. Re-installing the update elevated is a good thing, followed by a server reboot. There were some other comments earlier on this blog with a few other things to check (please look).

Copper Contributor

@Nino Bilic ,

So I can simply start upgrading to CU18 without running PrepareSchema, PrepareAD, PrepareDomain.

 

 

Regards

Anand Sunka

Copper Contributor

The PowerShell script returns the following for me about port 444 as well; is that a sign of the attack?

 

2021-02-28T16:52:08.630Z ServerInfo~a]@servername:444/ecp/proxyLogon.ecp?#
2021-03-03T14:12:30.413Z ServerInfo~a]@servername:444/autodiscover/autodiscover.xml?#

Copper Contributor

Hi,

I am going through the chat and am still confused whether this update applies to us or not.

We have Exchange 2010 SP3 and we do not have any rollup. As per the security patch description:

"Update Rollup 32 for Exchange Server 2010 Service Pack 3 (SP3) resolves issues that were found in Exchange Server 2010 SP3 RU29 since the software was released"

Do I still need to update our Exchange even though we do not have any rollup installed, and is it going to install this rollup given that we do not have a rollup installed?

Thanks

Copper Contributor

I have exchange installed on D: and the OS installed on C: do I patch this to the OS drive or the drive with exchange installed on it?

Copper Contributor

@ChrisAtMaf @The_Exchange_Team 

 

Thank you for correcting the PowerShell command. I was also getting >> earlier. After running your updated command

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

it ran and gave nothing; that means not affected, correct?

Copper Contributor

I have two Exchange 2013 CU23 servers at different clients; the update failed and now Exchange does not start. Trying to reinstall CU23, setup failed with an error. Exchange 2013 Standard on Windows Server 2012 R2 cz. Please help.

Copper Contributor

does not work for me.

exchange 2019 CU8 (DE)

 

Security Update For Exchange Server 2019 CU8 (KB5000871) – Fehler 0x80070643

Steel Contributor

Patching all my servers went mostly trouble-free last night, but I did see something that I have never seen before on one server running Exchange 2013 CU23. The update initially failed for a reason I couldn't discern, and then rolled back. But then subsequent attempts would give me an "update prematurely ended" error when it was attempting (and failing) to stop services. Same error if I tried uninstalling the current CU23 security patch from 2020. The only errors I found were an error 1603 from msiexec (this was not a simple elevation issue in this case, which is what every Google result on Earth seemed to suggest), and another error log from msiexec suggesting the Exchange config was invalid. Exchange PowerShell, which was previously working, was also failing to connect locally on the server.

 

Don't ask me how I finally found it, but it turns out the initial failure seems to have deleted and not replaced 9 DLLs from [ExchangeInstallPath]\V15\bin:

 

Microsoft.Dkm.Proxy.dll
Microsoft.Exchange.Clients.Common.dll
Microsoft.Exchange.Connections.Common.dll
Microsoft.Exchange.Connections.Eas.dll
Microsoft.Exchange.Connections.Imap.dll
Microsoft.Exchange.Connections.Pop.dll
Microsoft.Exchange.Data.ImageAnalysis.dll
Microsoft.Exchange.Data.Mapi.dll
Microsoft.Exchange.Data.ThrottlingService.Client.dll

 

I copied them over from a known working pre-update Exchange 2013 CU23 server, and then the security update applied without a hitch, and all Exchange services appeared fine afterward.

Copper Contributor

A charitable organization I volunteer with has an ancient Exchange 2003 installation.  SMTP comes in through a standalone mail gateway but is delivered to the Exchange server, which is published to the internet for OWA and ActiveSync.  Are versions as far back as 2003 affected?  If so, are there any mitigations that can be done short of removing external access and/or retiring the server?

Microsoft

@DStragand We have no information one way or the other. Please get them off Exchange 2003.

@Bhavesh Shah There is only one update package, which will install it all.

Copper Contributor

When I run the command

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

I get the following error

Import-Csv : The member "40" is already present.
At line:1 char:1
+ Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Mic ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Import-Csv], ExtendedTypeSystemException
    + FullyQualifiedErrorId : AlreadyPresentPSMemberInfoInternalCollectionAdd,Microsoft.PowerShell.Commands.ImportCsvCommand

Anyone have a fix for that?

Copper Contributor

Trying to install this on a 2019 CU7 and a 2013 CU23 server and both are still sitting there after an hour "Computing space requirements". Has anyone else had this?

Copper Contributor

When will CU20 for Exchange 2016 be released in March?

Is it on patch Tuesday, March 9th?

Copper Contributor

Does anyone know, like csummers83 also asked, if the script

Import-Csv -Path ...

gives results for port 444, does it mean something could have been taken or was just tried?

Port 444 on Exchange 2013 is the Exchange Back end port and is not open to internet.

 

Copper Contributor

Hi There,

 

I was able to successfully apply the patch for Exchange 2010 on a 2008R2 server. However after the multiple reboots to apply the config/updates it then failed and proceeded to rollback the changes.

 

Has anyone else experienced this?

 

Thanks

Microsoft

@Jon Skelton That's the plan but it is not set in stone; you should NOT WAIT for next set of CUs!

I wrote an article with important things to know, best practices, and helpful tips for deployment here.

https://blog.expta.com/2021/03/urgent-patch-your-exchange-servers-now.html

Copper Contributor

I tried to install this patch on an Exchange 2016 server running on Windows Server 2016 and it failed catastrophically. I first updated to the latest CU, restarted the server, and tested to confirm everything was working. Then I tried to manually run the KB5000871 installer. It kept giving errors about processes related to Windows services that needed to be killed. I killed them and clicked "Retry" to continue the update but the update would start over and then come up with the same error because the services were being triggered to start by something in the OS. I disabled the services so they couldn't run and installed the update. After that, the Exchange server was hosed. Luckily, it's a VM and I had taken a checkpoint right before installing KB5000871. I tried removing KB5000871, restarting, and having Windows update check for updates but it didn't find KB5000871 as an available update. Now I've got a client who is scared to death that their server is going to be compromised and I have to tell them I can't get the update installed because it seems that no matter what you do, it won't install properly if you try to manually run the patch.

Copper Contributor

@Jeff Guillet 

should this be run on all servers or will it gather info from all in the environment?

Copper Contributor

I am also curious about if the "import-csv -path (get..." PowerShell command finds '444' entries. Example:  SeverInfo~a]@server FQDN:444...

 

I am getting an out of memory error before the script finishes reading all log files.

 

Insufficient memory to continue the execution of the program.
At line:1 char:1
+ Import-Csv -Path (Get-ChildItem -Recurse -Path "E:\Program Files\Microsoft\Excha ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], OutOfMemoryException
+ FullyQualifiedErrorId : System.OutOfMemoryException

@csummers93 It needs to be run directly on each Exchange Server. It already takes about 30 minutes to run. It would take days to run against remote servers.

Copper Contributor

@Jeff Guillet thanks for this, taking some time to run but certainly easier than checking all CVEs individually.

I do get this return for CVE-26855, does it mean anything?

Import-Csv : Could not find file 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Mapi\HttpProxy_2021020123-1.LOG'.

Copper Contributor

Going from 2013 CU9 to CU23 then applying the patch.  I have the .net 4.7.2 and the Microsoft Visual C++ 2013 Redistributable (x64) ready to install.

2 Node DAG

 

@Nino Bilic Any gotchas for this? Looks like I don't need to extend the Schema?

 

 

Microsoft

@RonanD560 Schema updates no, but note the CU 22 change here. Also make sure, if you are not installing updates from Microsoft Update, to follow the Known Issues from the update KB article and run the installer from an elevated CMD prompt.

@csummers93 Safe to ignore. On a heavily used Exchange Server, some of the log files are groomed (deleted) before they are processed.

Copper Contributor

@Jeff Guillet OK so I think we're good if we ignore the could-not-find-file errors; of course there could have been something in logs that already got truncated, I suppose.

Copper Contributor

@Nino Bilic Thanks for the response! Just to clarify we are going straight to CU23 so no need to prep AD at all?

As far as the 2 Node DAG goes,

1. Place the server in maintenance mode

2. Install .Net 4.7.2 

3. Install Microsoft Visual C++ 2013 Redistributable (x64) 

4. Install CU23

5. Reboot server?

6. Install KB Patch.

 

Test moving DBs over from Node 1 (not patched) to Node 2 (patched). Should I let it bake in and test stability? If all clear, rinse and repeat for the unpatched node?

 

And thanks for all the help!  Appreciate you!

Iron Contributor

CU18 with latest patch... We are on it :)  @Jeff Guillet  @Nino Bilic 

 

Microsoft

@RonanD560 This is the way!
(add 7. Reboot the server; the fix should tell you to but if it does not - do it anyway)

Copper Contributor

We're well behind on our CUs (2016 CU5). Can you add an additional 2016 CU19 server and use that as the front end and migrate mailboxes to that? Can CU5 and CU19 coexist, or are there schema issues?

Copper Contributor

Can specific URL's be blocked to mitigate this, such as /EWS, untrusted HTTPS connections to what?

Brass Contributor

We installed the RU32 for Exchange 2010 SP3 (previously RU30) running on Server 2008 R2 x64 and we are not able to open mailboxes on the Exchange server via OWA afterwards. We are working on getting to Exchange Online... have multiple tickets open for multiple issues with hybrid mode since we want to get off this unsupported OS and app.

  1. Open elevated command prompt.
  2. Install RU32.
  3. Reboot.
  4. Open mailbox with Outlook = no issues.  Logon OWA successfully, but unable to see any mailbox contents.  Error message "The mailbox you're trying to access isn't currently available. If the problem continues, contact your helpdesk."
  5. Uninstall RU32.
  6. Reboot.
  7. Open mailbox with Outlook = no issues.  Logon OWA successfully & no issues.

 

Copper Contributor

Just a heads-up for those doing the install on Ex2016 servers: Upgraded a single Ex2016 CU17 Standard and single Ex2016 CU17 Enterprise to CU19 last night, then installed KB5000871. Both CU19 installs borked my ECP & OWA workspaces; KB5000871 also failed to set the HostControllerService on both systems to Automatic, leaving it at Disabled.  Today I re-downloaded CU19 and KB5000871 and reinstalled on our Ex2016 Enterprise box; the re-installation fixed the non-service issues I couldn't resolve on my own, and I verified that it was the KB5000871 installation that (again) disabled the HostControllerService and didn't re-enable it.

I plan to reinstall CU19 and KB5000871 on the already updated Ex2016 Standard box, and will update the #2 Ex2016 Enterprise server tomorrow night.

 

Be sure to check out your Services for any that were left Disabled as part of either installation AFTER rebooting and before taking the Exchange Server out of maintenance mode.  Thanks.
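Two post-install problems come up in the comments above: services left Disabled by the KB5000871 installer (HostControllerService) and the nine Bin DLLs one commenter found missing after a failed Exchange 2013 CU23 update. As an added example, not code from the original post or any commenter, the function below reports both in one pass so they can be checked after the reboot and before leaving maintenance mode. It assumes $env:ExchangeInstallPath is set, as it is on Exchange 2013 and later servers, and takes the DLL list as the commenter gave it for 2013 CU23.

```powershell
# Added example; not code from the original post or any commenter. Reports
# Exchange services left Disabled or Automatic-but-stopped, and any of the
# nine Bin DLLs a commenter found missing after a failed 2013 CU23 update.
# Assumption: $env:ExchangeInstallPath is set (it already ends in \V15\,
# so Bin is joined to it directly). The DLL list is the commenter's.
function Test-ExchangePostUpdateState {
    [CmdletBinding()]
    param([string]$InstallPath = $env:ExchangeInstallPath)

    if (-not $InstallPath) { throw 'ExchangeInstallPath is not set; pass -InstallPath.' }
    $problems = New-Object System.Collections.Generic.List[object]

    # 1. Services. Only Disabled and Automatic-but-stopped are flagged; several
    #    Exchange services (IMAP4, POP3, the Windows Server Backup extension) are Manual by design.
    $exchangeServices = @(Get-CimInstance Win32_Service | Where-Object { $_.DisplayName -like 'Microsoft Exchange*' })
    foreach ($svc in $exchangeServices) {
        if ($svc.StartMode -eq 'Disabled') {
            $problems.Add([pscustomobject]@{ Kind = 'Service'; Item = $svc.Name; Detail = 'start mode is Disabled' })
        } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $problems.Add([pscustomobject]@{ Kind = 'Service'; Item = $svc.Name; Detail = "Automatic but $($svc.State)" })
        }
    }

    # 2. DLLs reported missing after the failed update (list from the comment above).
    $binPath = Join-Path $InstallPath 'Bin'
    $expectedDlls = @(
        'Microsoft.Dkm.Proxy.dll',
        'Microsoft.Exchange.Clients.Common.dll',
        'Microsoft.Exchange.Connections.Common.dll',
        'Microsoft.Exchange.Connections.Eas.dll',
        'Microsoft.Exchange.Connections.Imap.dll',
        'Microsoft.Exchange.Connections.Pop.dll',
        'Microsoft.Exchange.Data.ImageAnalysis.dll',
        'Microsoft.Exchange.Data.Mapi.dll',
        'Microsoft.Exchange.Data.ThrottlingService.Client.dll'
    )
    foreach ($dll in $expectedDlls) {
        if (-not (Test-Path -LiteralPath (Join-Path $binPath $dll))) {
            $problems.Add([pscustomobject]@{ Kind = 'File'; Item = $dll; Detail = "missing from $binPath" })
        }
    }

    if ($problems.Count -eq 0) {
        Write-Host "Checked $($exchangeServices.Count) Exchange services and $($expectedDlls.Count) DLLs: nothing to fix."
    }
    return $problems
}

# Run after the reboot and before taking the server out of maintenance mode.
Test-ExchangePostUpdateState | Format-Table -AutoSize
```

On Exchange 2016 or 2019, compare a DLL reported missing against a healthy server of the same version before treating it as a defect, since the list was observed on 2013 CU23.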

Version history: last update Mar 19 2021 01:44 PM