Security Recommendation Exchange 2016-2019

A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:

CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability

A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.

As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.

First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME record for this name in DNS and point it at your existing OWA namespace (e.g. mail.contoso.com). Add the new name to your existing SSL certificate as a Subject Alternative Name (SAN), unless you are using a wildcard certificate that already covers it.

Next, set the InternalDownloadHostName and ExternalDownloadHostName properties on each OWA virtual directory, e.g.

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalDownloadHostName img.mail.contoso.com -InternalDownloadHostName img.mail.contoso.com

Configure the Exchange organization to use download domains:

Set-OrganizationConfig -EnableDownloadDomains $true

Finally, restart IIS or recycle the OWA application pool using Restart-WebAppPool MSExchangeOWAAppPool.
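To confirm the result afterwards, here is an added check script (not from the original post) that verifies the four pieces of the configuration above: the organization switch, the OWA virtual directory properties, DNS resolution of the download host, and certificate coverage. It assumes the Exchange Management Shell on a server with the download-domain CU installed and the example name img.mail.contoso.com; Resolve-DnsName is the standard Windows DnsClient cmdlet, and Test-NameCovered is a hypothetical helper written for this check.

```powershell
# Added verification script, not part of the original post. $DownloadHost is the
# namespace chosen in the steps above (assumed example value).
$DownloadHost = 'img.mail.contoso.com'
$issues = @()

# Hypothetical helper: does a certificate domain list cover $Name? A wildcard
# entry (*.mail.contoso.com) only covers exactly one additional label.
function Test-NameCovered([string]$Name, [string[]]$Domains) {
    $Name = $Name.ToLower()
    foreach ($d in $Domains) {
        $d = $d.ToLower()
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name.EndsWith($d.Substring(1))) {
            $label = $Name.Substring(0, $Name.Length - $d.Substring(1).Length)
            if ($label -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

# 1. Organization-level switch (Set-OrganizationConfig -EnableDownloadDomains $true).
if (-not (Get-OrganizationConfig).EnableDownloadDomains) {
    $issues += 'EnableDownloadDomains is False on the organization config.'
}

# 2. Every OWA virtual directory must send inline-image downloads to the new name.
foreach ($vdir in Get-OwaVirtualDirectory) {
    if ($vdir.InternalDownloadHostName -ne $DownloadHost -or
        $vdir.ExternalDownloadHostName -ne $DownloadHost) {
        $issues += "$($vdir.Identity): download host names are '$($vdir.InternalDownloadHostName)' / '$($vdir.ExternalDownloadHostName)'."
    }
}

# 3. The name must resolve; per the steps above it should be a CNAME to the OWA namespace.
try {
    $dns = Resolve-DnsName -Name $DownloadHost -ErrorAction Stop
    if (-not ($dns | Where-Object { $_.Type -eq 'CNAME' })) {
        $issues += "$DownloadHost resolves but is not a CNAME; check it points at the OWA namespace."
    }
} catch {
    $issues += "$DownloadHost does not resolve in DNS: $($_.Exception.Message)"
}

# 4. The certificate bound to IIS must cover the name (SAN entry or matching wildcard).
$iisDomains = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains }
if (-not (Test-NameCovered $DownloadHost $iisDomains)) {
    $issues += "No IIS-bound Exchange certificate covers $DownloadHost."
}

if ($issues.Count -eq 0) { "Download domains correctly configured for $DownloadHost." }
else { $issues | ForEach-Object { "ISSUE: $_" } }
```

The DNS check runs from the server's point of view; for the external namespace, also resolve and browse to the name from outside, since a reverse proxy or published rule that does not know the new host will return errors even when the Exchange side is correct.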

11 thoughts on “Security Recommendation Exchange 2016-2019”

    • Wording in these documents can be puzzling. It states vulnerability CVE-2021-1730 has been addressed in KB4571787/8, i.e. 2019 CU7 & 2016 CU18 (and later). Per these CUs, the EnableDownloadDomains feature was added, which is a recommendation, making it complementary and limiting for future spoofing issues in this area.


  1. Thanks for addressing this as there is very little content out there about it. I didn't even notice I needed it until I ran the HealthChecker PowerShell script. At the very end the output reads as follows:

    Download Domains Enabled: False; Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1730

    I’m still quite confused about why this is needed. Is there a way to test for the exploit (in other words, test that the issue has not been mitigated)?


  2. Internally everything works. Externally I get error code 404 if I use a subdomain with a CNAME. If I use a subdomain, A record, DMZ, reverse proxy I get error 302. Pictures are not shown in OWA. Any idea?
