On August 9, 2022 Microsoft has released important Security Updates for Exchange 2013, Exchange 2016 and Exchange 2019 that are rated ‘critical’ (Elevation of Privileges) and ‘important’ (Information Disclosure).
This security update rollup resolves vulnerabilities found in Microsoft Exchange Server. To learn more about these vulnerabilities, see the following Common Vulnerabilities and Exposures (CVE):
- CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability
- CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2022-30134 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This Security Update introduces support for Extended Protection. Extended protection enhances authentication to mitigate ‘man in the middle’ attacks. Extended protection is supported on the latest version of Exchange 2016 and Exchange 2019 (2022H1) and the August 2022 Security Update (this one) so it is vital to bring your Exchange servers up-to-date.
Be aware of the following limitations:
- Extended protection is only supported on the current and previous versions of Exchange (i.e. Exchange 2016 CU21/CU21 and Exchange 2019 CU12/CU11) and Exchange 2013 CU23 with the August 2022 SU installed
- Extended protection is not supported on hybrid servers with the hybrid agent.
- Extended protection is not supported with SSL Offloading. SSL Re-encrypt (also knows as SSL Bridging) is supported, as long as the SSL certificate on the load balancer is identical to the SSL certificate on the Exchange servers.
- If you still have Exchange 2013 in your environment and you are using Public Folders, make sure your Public Folders are hosted on Exchange 2016 or Exchange 2019.
Note. Make sure you have your Exchange server properly configured with all related security settings. Use the latest HealthChecker.ps1 script to find any anomalies in your Exchange configuration. If you fail to do so, the script to enable Extended Protection will fail with numerous error messages.
Enable Extended Protection
First off, make sure you have the latest Cumulative Update installed on all your Exchange servers and install the August 2022 Security Updates on all your servers, including the Exchange 2013 servers.
Another important thing is that you must make sure that TLS settings across all Exchange servers are identical. You can use the healthchecker.ps1 script to figure out if this is the case. Personally, it took me quite some time to get this right.
The easiest way to configure Extended Protection is by using the ExchangeExtendedProtectionManagement.ps1 script (which can be found on github). This script can enable Extended Protection on all Exchange servers in your organization, but by using the -SkipExchangeServerNames option you can exclude certain Exchange servers (for example, Exchange 2013 servers or servers running the hybrid agent). There’s also the -ExchangeServerNames option which lets you specify which servers to enable the Extended Protection on.
More information and downloads can be found here:
|Exchange version||Download||KB article|
|Exchange 2013 CU23||https://www.microsoft.com/en-us/download/details.aspx?id=104482||KB5015321|
|Exchange 2016 CU22||https://www.microsoft.com/en-us/download/details.aspx?id=104481||KB5015322|
|Exchange 2016 2022H1||https://www.microsoft.com/en-us/download/details.aspx?id=104480||KB5015322|
|Exchange 2019 CU11||https://www.microsoft.com/en-us/download/details.aspx?id=104479||KB5015322|
|Exchange 2019 2022H1||https://www.microsoft.com/en-us/download/details.aspx?id=104478||KB5015322|
|Exchange Protection Script||https://aka.ms/ExchangeEPScript|
Some important notes:
- As always, make sure you thoroughly test this in your lab environment, especially enabling Extended protection.
- You can start the SU from a command prompt or from Windows Explorer, no need anymore to start from a command prompt with elevated privileges.
- This SU contains all security updates from previous SUs for this particular Exchange version.