A quick post: rather silently, Microsoft published security updates for a number of products a few days ago, including Exchange Server 2010 through Exchange Server 2019. These fixes address the following vulnerabilities:
- CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability, allowing non-printable characters to be added to Display Names.
- CVE-2019-1136: Microsoft Exchange Server Elevation of Privilege Vulnerability, allowing elevation of privilege or impersonation through an NTLM man-in-the-middle (relay) attack against Exchange Web Services. This sounds like a variation on the NTLM relay issue that was fixed earlier this year with the February update cycle.
- CVE-2019-1137: Microsoft Exchange Server Spoofing Vulnerability, allowing for cross-site scripting (XSS).
The CVE documents contain more details on the vulnerabilities. All three are addressed by a single security update per Exchange version; you can download them here:

| Version | | | Download | Build | KB |
|---|---|---|---|---|---|
| 2010 SP3 RU29 | X | X | Link | 14.3.468.0 | 4509410 |
Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same file name for different CUs, and you cannot apply the update for Exchange 2016 CU12 to Exchange 2016 CU11. I would suggest tagging the Cumulative Update in the file name when you store it, e.g. Exchange2016-KB4503027-x64-en_CU11.msp.
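As an added example (not code from the original post), the following PowerShell reads the installed Exchange build from ExSetup.exe on the server you are about to patch, checks that it matches the CU the downloaded update was built for, and tags the .msp with the CU label as suggested above. The `-ExpectedBuild` value you pass is an assumption: take it from the Exchange build number list for the CU the update targets. The comparison deliberately ignores the fourth (revision) part of the version, because that is the part a security update changes within a CU.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell session
# on the Exchange server, before launching the security update .msp.

function Get-ExchangeBuild {
    # ExchangeInstallPath is set as a system environment variable by Exchange setup;
    # the file version of ExSetup.exe tracks the installed CU and security update.
    $exSetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    if (-not (Test-Path $exSetup)) {
        throw "ExSetup.exe not found under '$env:ExchangeInstallPath'; run this on an Exchange server."
    }
    [version](Get-Item $exSetup).VersionInfo.FileVersion
}

function Test-ExchangeCuMatch {
    param(
        # Build of the CU the downloaded .msp was released for (assumption: supply the
        # value from the Exchange build number list, e.g. the CU11 or CU12 build).
        [Parameter(Mandatory)][version]$ExpectedBuild
    )
    $installed = Get-ExchangeBuild
    # Major.Minor.Build identifies the CU; the revision changes with each security update,
    # so it is excluded from the comparison on purpose.
    $match = ($installed.Major -eq $ExpectedBuild.Major) -and
             ($installed.Minor -eq $ExpectedBuild.Minor) -and
             ($installed.Build -eq $ExpectedBuild.Build)
    [pscustomobject]@{
        Installed = $installed
        Expected  = $ExpectedBuild
        CuMatches = $match
    }
}

function Add-CuTagToUpdateFile {
    param(
        [Parameter(Mandatory)][string]$Path,     # e.g. .\Exchange2016-KB4503027-x64-en.msp
        [Parameter(Mandatory)][string]$CuLabel   # e.g. CU11
    )
    # Exchange2016-KB4503027-x64-en.msp -> Exchange2016-KB4503027-x64-en_CU11.msp
    $item = Get-Item -Path $Path
    if ($item.BaseName -match "_$CuLabel$") { return $item }   # already tagged
    $newName = '{0}_{1}{2}' -f $item.BaseName, $CuLabel, $item.Extension
    Rename-Item -Path $item.FullName -NewName $newName -PassThru
}

# Usage (hypothetical values): refuse to continue if the server is not on the CU
# the update was built for, otherwise tag the file so it cannot be mixed up later.
$check = Test-ExchangeCuMatch -ExpectedBuild '15.1.1591.10'   # assumed CU build
if (-not $check.CuMatches) {
    Write-Warning ("Installed build {0} is not the CU this update targets ({1}); " +
                   "download the update for the installed CU instead.") -f $check.Installed, $check.Expected
} else {
    Add-CuTagToUpdateFile -Path '.\Exchange2016-KB4503027-x64-en.msp' -CuLabel 'CU11'
}
```

Running the same `Get-ExchangeBuild` call after the update has been applied gives you a quick confirmation that the revision number moved, which is the only visible change a security update makes to the build.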
As with any patch or update, I'd recommend applying this in an acceptance environment first, prior to implementing it in production.