Tag Archives: Security Updates

May 2021 Exchange Server security updates

On May 11, 2021 Microsoft released new Security Updates for the following Exchange server versions:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU19 and CU20
  • Exchange Server 2019 CU8 and CU9

The following vulnerabilities have been addressed:

VulnerabilityCategorySeverity
CVE-2021-31209SpoofingImportant
CVE-2021-31207Security Feature BypassModerate
CVE-2021-31198Remote Code Execution Important
CVE-2021-31195 Remote Code Execution Important

Personally, I am happy to see no critical and zero-day issues have been found, no immediate action on Tuesday night this time 😊. However, these are still important security updates so you must install them as soon as possible.

These Security Updates are only available for the Exchange versions mentioned above. If you are on an older version of Exchange, you must first upgrade your Exchange servers to the latest CU and then deploy these Security Updates. Security Updates are cumulative, to a Security Update contains all previous fixes for this specific Cumulative Update.

A couple of remarks:

  • If you are running Exchange Hybrid, even if you have all your mailboxes in Exchange Online and use the on-premises Exchange server only for management purposes, you still must deploy these Security Updates on the Hybrid Server. If you have an Exchange management server (with only the management tools installed) you do not need to install the Security Updates.
  • Start the Security Update from a command prompt with elevated privileges. If you do not use elevated privileges, setup will fail and leave your Exchange server in an unknown state. Known problems here are with OWA and EAC. This does not apply when installing the Security Update using Windows Update or WSUS.
  • When the installation of the Security Update has finished it does not ask for a reboot although this is needed, so reboot the server when finished.

And the downloads:

April 2021 Exchange Server Security Updates

There we go again…. Last week there has been some rumor going on about pwn2own 2021, some kind of security contest to find any security issues in software products and according to this statement taken from the pwn2own site, vulnerabilities were found in Exchange:

SUCCESS – The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.”

Today Microsoft released security updates for Exchange 2013, Exchange 2016 and Exchange 2019 that addresses security vulnerability found recently. The following Remote Code Execution vulnerabilities are fixed with these updates:

You can find more information and the download links in the following table.

Exchange versionDownloadKB Article
Exchange 2019 CU9https://www.microsoft.com/en-us/download/details.aspx?id=103004KB5001779
Exchange 2019 CU8https://www.microsoft.com/en-us/download/details.aspx?id=103003 KB5001779
Exchange 2016 CU20https://www.microsoft.com/en-us/download/details.aspx?id=103002 KB5001779
Exchange 2016 CU19https://www.microsoft.com/en-us/download/details.aspx?id=103001 KB5001779
Exchange 2013 CU23https://www.microsoft.com/en-us/download/details.aspx?id=103000 KB5001779

Notes:

  • At this moment no active exploits using these vulnerabilities are reported.
  • These vulnerabilities only concern Exchange 2013/2016/2019 on-premises. Exchange Online is not vulnerable because of its different architecture. Please remember that Exchange Online uses a different codebase.
  • Updates are specific for Cumulative Updates, an update for CU9 cannot be installed on CU8. The CU version is in the name of the update.
  • Updates are cumulative, so these updates also contain all previous updates for this CU versions.
  • If you are running Exchange hybrid you need to update the hybrid servers as well, even when all mailboxes are in Exchange Online.
  • Previous mitigation scripts like EOMT will not mitigate the April 2021 vulnerabilities.
  • Start the updates from a command prompt with elevated privileges. If you do not, the update can finish successfully (or report no errors) but under the hood stuff will break. When updating from Windows Update there’s no need to use elevated privileges.
  • Use the Exchange Server Health Checker script (available from Microsoft Github) for an inventory of your Exchange environment. The script will return if any servers are behind with Cumulative Updates and Security Updates.
  • More information can be found on the Microsoft Security Response Center (MSRC).

Security Updates Exchange Server December 2020

On December 8, 2020 Microsoft released a number of security updates for Exchange server. Despite the fact that Exchange 2010 is out of support at all, an important security update for Exchange 2010 was released as well.

Exchange versionKB ArticleDownload
Exchange 2010 SP3 RU31KB4593467Download
Exchange 2013 CU23KB4593466Download
Exchange 2016 CU17KB4593465Download
Exchange 2016 CU18KB4593465Download
Exchange 2019 CU6KB4593465Download
Exchange 2019 CU7KB4593465Download

Notes:

  • The security updates are specific for each Cumulative Updates.
  • The upcoming CU’s for Exchange 2016 and Exchange 2019 will contain this security fix.
  • Install the security updates from an elevated command prompt.