On December 8, 2020 Microsoft released a number of security updates for Exchange server. Despite the fact that Exchange 2010 is out of support at all, an important security update for Exchange 2010 was released as well.
Last September Microsoft released their quarterly Cumulative Updates for Exchange, Exchange 2016 CU18 and Exchange 2019 CU7. This was quickly followed by a security update, KB4581424 that addresses the CVE-2020-16969 Microsoft Exchange Information Disclosure vulnerability.
Unfortunately, the Exchange 2016 CU18 and Exchange 2019 CU7 contain a nasty bug. If you use OWA, open a shared mailbox and try to access an attachment, OWA redirects to Office 365 instead of the on-premises Exchange 2016/2019 server to download it. This happens in an hybrid environment, but also in a pure on-premises Exchange deployment without any Office 365 connection.
Microsoft is aware of this issue and it will be fixed in the next Cumulative Updates for Exchange 2016 and Exchange 2019. Looking at the quarterly cadence this should be by the end of this year.
If you have a Microsoft Premier support contract and this is an issue that impacts your business you can open a support ticket and request a fix for this. This service is available for Premier support customers only.
This fix is a replacement for the KB4581424 security update, as such it contains all the fixes in KB4581424, plus the OWA Attachment hotfix. If you are a Premier support customer and do have this fix available, make sure that you uninstall the KB4581424 first before installing this update. One workaround that I’ve seen in a newsgroup is not to open the Shared Mailbox as “Open another mailbox” but as “Add shared folder”. This should work also, but I have not tested it. I do have a customer with a Premier support contract, I can confirm the problem is fixed in the interim update.
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.
To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.
The security update corrects the way that Exchange handles these token validations.
Please be aware that the updates are CU specific. The fact that an update for Exchange 2013 is released indicates the importance of this Security Update.
When installing, start the Security Update from an elevated command prompt (Run As Administrator) and as always, test the security update thoroughly.
Microsoft Exchange Server 2013 Cumulative Update 23
On September 15 Microsoft released two updates for their on-premises Exchange servers:
Exchange 2019 Cumulative Update 7
Exchange 2016 Cumulative Update 18
Note. This is the second-last Cumulative Update for Exchange 2016! As Microsoft has announced earlier, Exchange 2016 will be out of mainstream support this October. The last Cumulative Update is expected in December 2020.
Both updates contain security and nonsecurity updates, the recently released security update for Exchange 2016 and Exchange 2019 that addresses the CVE-2020-16875 vulnerability is also included in these CU’s.
Both updates also contain the latest Daylight Saving Time (DST) Updates.
In earlier posts it was mentioned that no changes in Active Directory are introduced, so there was no need to run Setup with the /PrepareAD and /PrepareDomain option. However, when you check the Microsoft documentation you’ll notice that AD and Domain versions are increased, so this time there is a need to run /PrepareAD and /PrepareDomain. If you run the /PrepareAD, make sure you have sufficient permission to execute this command (member of the Enterprise Admins Security Group).
The same is true when upgrading for Exchange 2016. you must run Setup.exe /PrepareSchema, Setup.exe /PrepareAD or Setup.exe /PrepareDomain.
Autodiscover EventID 1 can occur after installing Exchange 2019 CU3 or after installing Exchange 2016 CU14. I’ve blogged about this before on EventID 1 MSExchange Autodiscover. I am not sure if this still is the case 😉.
Exchange 2019 CU7 is only available on the Volume License Service Center (VLSC)
On December 17, 2019 Microsoft has released its quarterly updates for Exchange Server:
Exchange 2016 CU15.
Exchange 2019 CU4 (only available via Volume License).
There are a couple of things that are worth noting:
Both Exchange server versions need the .NET Framework 4.8. If you are running an older version of Exchange (much older) consult Michel de Rooij’s blogpost Upgrade Paths for CU’s and .NET.
If you are running an Exchange Hybrid version there’s the n-1 policy. This means your on-premises versions of Exchange should be Exchange 2016 CU14 or Exchange 2019 CU3 at minimum.
There’s an update on the Exchange calculator which is now version 10.3.
There are no schema changes compared to the previous version so there’s no need to run Setup.exe /PrepareSchema. I always recommend running Setup.exe /PrepareAD to make sure any additional features or changes like (for example) RBAC are applied correctly.
So now real new features which is in line with Microsoft’s strategy. If you need the latest and greatest then Exchange Online is the way to go. If you need a stable on-premises environment you’re good with Exchange 2016 or Exchange 2019.