A quick blog on security updates for Exchange Server 2016 and Exchange Server 2019 released September 8th. These fixes address the following vulnerability:
- CVE-2020-16875: Exchange Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised. The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.
The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.
|Exchange 2019 CU6||Download||15.2.659.6||KB4577352||KB4540123|
|Exchange 2019 CU5||Download||15.2.595.6||KB4577352||KB4540123|
|Exchange 2016 CU17||Download||15.1.2044.6||KB4577352||KB4540123|
|Exchange 2016 CU16||Download||15.1.1979.6||KB4577352||KB4540123|
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4577352-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.