A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:
- CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.
To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.
The security update corrects the way that Exchange handles these token validations.
The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.
|Exchange 2019 CU7||Download||15.2.721.3||KB4581424||KB4577352|
|Exchange 2019 CU6||Download||15.2.659.7||KB4581424||KB4577352|
|Exchange 2016 CU18||Download||15.1.2106.3||KB4581424||KB4577352|
|Exchange 2016 CU17||Download||15.1.2044.7||KB4581424||KB4577352|
|Exchange 2013 CU23||Download||15.0.1497.7||KB4581424||KB4536988|
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU17-KB4581424-x64-en.msp.
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.