Forum Discussion

manojviduranga
Iron Contributor
Jul 26, 2024

Exchange Server Vulnerability - Vulnerable Schema Class (CVE-2021-34470)

Howdy! Exchange Brain Trust,

Working with a customer who's fully on 365 with no Exchange servers left on-prem but the Vulnerable Schema Class exists from a previous implementation of Exchange. 


Even after uninstallation of all Exchange servers, the schema extensions made by Exchange to the Active Directory are not removed. Therefore, the customer is currently vulnerable to CVE-2021-34470 and should execute this script to address this vulnerability.


If anyone has dealt with this before or can help me clarify what implications this change can have for normal operations and future object provisioning (or any risk at all to the environment), that'd be really appreciated!


Changes: Schema Modification

If the -ApplyFix parameter is used, the script modifies the schema by clearing the possSuperiors property of the ms-Exch-Storage-Group entry.


Thank you!

  • The possSuperiors attribute defines the list of possible superior objects that a specific object can have.
    Clearing this attribute prevents the object type from being bound to specific superior objects.
    Such a change removes the vulnerability and enhances security.
    Thus, by safely modifying the schema, the CVE-2021-34470 vulnerability can be resolved.
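A read-only way to see the current state of the schema class discussed above, added here as an example that is not part of the original post and not taken from the Exchange script: it reads the possSuperiors attribute of ms-Exch-Storage-Group from the schema naming context and reports whether the attribute is already empty (which is what the -ApplyFix step of the script leaves behind). It assumes the RSAT ActiveDirectory PowerShell module is installed and that the account can read the schema partition (readable by authenticated users by default); the function name Get-ExchStorageGroupSchemaState and the optional -Server parameter are my own choices, not anything from the script.

```powershell
# Added example: read-only check of the ms-Exch-Storage-Group schema class.
# Assumes the RSAT ActiveDirectory module; makes no changes to the schema.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-ExchStorageGroupSchemaState {
    [CmdletBinding()]
    param(
        # Optional: query a specific DC (for example the schema master, where
        # schema changes originate) instead of the default domain controller.
        [string]$Server
    )

    # Locate the schema naming context (CN=Schema,CN=Configuration,...) from RootDSE
    $rootDse  = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }
    $schemaNC = $rootDse.schemaNamingContext

    $query = @{
        Identity    = "CN=ms-Exch-Storage-Group,$schemaNC"
        Properties  = 'lDAPDisplayName', 'possSuperiors', 'whenChanged'
        ErrorAction = 'Stop'
    }
    if ($Server) { $query.Server = $Server }

    try {
        $class = Get-ADObject @query
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The Exchange schema extension was never applied: the class does not exist,
        # so there is nothing for the script to clear.
        return [pscustomobject]@{
            ClassPresent  = $false
            PossSuperiors = @()
            LastChanged   = $null
            FixApplied    = $null
        }
    }

    $superiors = @($class.possSuperiors)

    [pscustomobject]@{
        ClassPresent  = $true
        # The parent classes under which an ms-Exch-Storage-Group object may currently be created
        PossSuperiors = $superiors
        # whenChanged on the class gives the timestamp of the last schema edit to it,
        # useful as evidence of when the fix was applied
        LastChanged   = $class.whenChanged
        # The fix described in the thread clears possSuperiors, so a non-empty
        # list means the change is still outstanding
        FixApplied    = ($superiors.Count -eq 0)
    }
}

# Usage: print the state and the current superiors, if any
Get-ExchStorageGroupSchemaState | Format-List
```

Run it before and after the script's -ApplyFix step to record the attribute value on both sides of the change; because schema edits are made on the schema master and then replicate, querying that DC with -Server gives the earliest view of the result. The function only reads the schema; the actual modification remains the job of the script described in the post.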
