There we go again…. Last week there has been some rumor going on about pwn2own 2021, some kind of security contest to find any security issues in software products and according to this statement taken from the pwn2own site, vulnerabilities were found in Exchange:
“SUCCESS – The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.”
Today Microsoft released security updates for Exchange 2013, Exchange 2016 and Exchange 2019 that addresses security vulnerability found recently. The following Remote Code Execution vulnerabilities are fixed with these updates:
You can find more information and the download links in the following table.
|Exchange version||Download||KB Article|
|Exchange 2019 CU9||https://www.microsoft.com/en-us/download/details.aspx?id=103004||KB5001779|
|Exchange 2019 CU8||https://www.microsoft.com/en-us/download/details.aspx?id=103003||KB5001779|
|Exchange 2016 CU20||https://www.microsoft.com/en-us/download/details.aspx?id=103002||KB5001779|
|Exchange 2016 CU19||https://www.microsoft.com/en-us/download/details.aspx?id=103001||KB5001779|
|Exchange 2013 CU23||https://www.microsoft.com/en-us/download/details.aspx?id=103000||KB5001779|
- At this moment no active exploits using these vulnerabilities are reported.
- These vulnerabilities only concern Exchange 2013/2016/2019 on-premises. Exchange Online is not vulnerable because of its different architecture. Please remember that Exchange Online uses a different codebase.
- Updates are specific for Cumulative Updates, an update for CU9 cannot be installed on CU8. The CU version is in the name of the update.
- Updates are cumulative, so these updates also contain all previous updates for this CU versions.
- If you are running Exchange hybrid you need to update the hybrid servers as well, even when all mailboxes are in Exchange Online.
- Previous mitigation scripts like EOMT will not mitigate the April 2021 vulnerabilities.
- Start the updates from a command prompt with elevated privileges. If you do not, the update can finish successfully (or report no errors) but under the hood stuff will break. When updating from Windows Update there’s no need to use elevated privileges.
- Use the Exchange Server Health Checker script (available from Microsoft Github) for an inventory of your Exchange environment. The script will return if any servers are behind with Cumulative Updates and Security Updates.
- More information can be found on the Microsoft Security Response Center (MSRC).