Zero Day Vulnerabilities Discovered in all Versions of Microsoft Exchange Server

Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Exchange Server in limited and targeted attacks. In the campaigns observed, threat actors used this vulnerability to access on-premises Exchange servers, which enabled access to email accounts, and install additional malware to facilitate long-term access to victim environments.  Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics, and procedures.

Because Microsoft is aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), Microsoft released security updates for four different Exchange Server vulnerabilities. Microsoft strongly urge customers to update on-premises Exchange servers immediately to protect against these exploits and prevent future abuse across the ecosystem.  Even though Microsoft has worked quickly to deploy an update for the HAFNIUM exploits, it is known that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems for years to come. Promptly applying the security updates is the best protection against this attack.

To stress the importance of this issue, Microsoft conducted a series of webcasts earlier today, at least in the APAC and EMEA regions. Hand-out of the webcast is available at https://aka.ms/ExOOB.

A few remarks:

  • All Exchange server versions are affected and the exploit has been detected on Exchange 2013, Exchange 2016 and Exchange 2019.
  • If you have restricted your firewall to Microsoft only (when running Exchange hybrid) you are less vulnerable, but the risk is not reduced to zero.
  • Updates are available for the current CU and the CU before. If you are on an older version of Exchange, please upgrade to the current CU before you can install this Security Update. If you run a really old version of Exchange you will run into .NET Framework update issues. Please use the overview of fellow MVP Michel de Rooij: Upgrade Paths for CU’s & .NET | EighTwOne (821)

Updates are available for :

Please note that the security updates are CU specific. Also, Security Updates are cumulative, so this security update contains previous security updates as well.

Installation is straightforward, download the update from the Microsoft website (but I already saw it appear in our WSUS environment this morning) and install it. Personally I start the update from an elevated command prompt. Installation is the same on Windows 2019 server core as well as Windows 2019 Desktop Experience.

If you have Exchange servers in a DAG, don’t forget to put them in maintenance mode first. After installation the Exchange servers need to be rebooted.

More information, including CVE information can be found on:

Released: March 2021 Exchange Server Security Updates – Microsoft Tech Community

Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

4 thoughts on “Zero Day Vulnerabilities Discovered in all Versions of Microsoft Exchange Server”

  1. Hi Jaap

    Thank you for your informative post. Does the security patch also apply to Exchange server with only Mailbox Role as well?

    I’ve tested the patch on a lab environment after upgrading to the latest CU i.e. 23, and for some reason, after patching the Exchange mailbox server 2013, the ECP/OWA applications stop working (runtime error) but when uninstalling the patch, ECP is restored

    Thank you
    Jabu

    Like

    1. Yes, you should install the patch on all servers.
      Regarding the OWA/ECP issue, are you sure you installed the patch with the elevated privileges? Start a command prompt with ‘run as administrator’ and from there start the patch.

      Like

      1. I think I’ve installed the patch using elevated privileges but I’ll try again and revert

        Like

  2. Looks like I didn’t install the patch using elevated privileges the first time, just worked now

    Thank you

    Like

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s