Security Update Exchange 2010-2019 (Mar2021)

Update 16Mar2021: Added One-Click tool reference.

Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blog, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.

These fixes address the following Remote Code Execution vulnerabilities:

The exploit can be fixed by security update, or in case of Exchange 2010 SP3 by applying a Rollup, which you can find in the table below per current Exchange version. Microsoft published security updates for older CUs as well on March 8th; these have been added to the table below.

Exchange BuildDownloadBuildArticleSupersedes
Exchange 2019 CU8Download15.2.792.10KB5000871KB4602269
Exchange 2019 CU7Download15.2.721.13KB5000871KB4602269
Exchange 2016 CU19Download15.1.2176.9KB5000871KB4602269
Exchange 2016 CU18Download15.1.2106.13KB5000871KB4602269
Exchange 2013 CU23Download15.0.1497.12KB5000871KB4593466
Exchange 2010 SP3 RU32Download14.3.513.0KB5000978
Exchange 2019 CU6Download15.2.659.12KB5000871
Exchange 2019 CU5Download15.2.595.8KB5000871
Exchange 2019 CU4Download15.2.529.13KB5000871
Exchange 2019 CU3Download15.2.464.15KB5000871
Exchange 2019 CU2Download15.2.397.11KB5000871
Exchange 2019 CU1Download15.2.330.11KB5000871
Exchange 2019 RTMDownload15.2.221.18KB5000871
Exchange 2016 CU17Download15.1.2044.13KB5000871
Exchange 2016 CU16Download15.1.1979.8KB5000871
Exchange 2016 CU15Download15.1.1913.12KB5000871
Exchange 2016 CU14Download15.1.1847.12KB5000871
Exchange 2016 CU13Download15.1.1779.8KB5000871
Exchange 2016 CU12Download15.1.1713.10KB5000871
Exchange 2016 CU11Download15.1.1591.18KB5000871
Exchange 2016 CU10Download15.1.1531.12KB5000871
Exchange 2016 CU9Download15.1.1466.16KB5000871
Exchange 2016 CU8Download15.1.1415.10KB5000871
Exchange 2013 CU22Download15.0.1473.6KB5000871
Exchange 2013 CU21Download15.0.1395.12KB5000871

Notes:

  • You may not be prompted for a reboot, but one is required.
  • When manually installing the update use an elevated command prompt, don’t just double-click the .msp. To apply an .msp from an elevated prompt, e.g. msiexec.exe /p <Full Path to File>.
  • When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms
  • Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
  • When running product levels earlier than the ones patched, i.e. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU after which you can install the security update.
  • When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
  • When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
  • The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to quickly respond to these type of emergencies.
  • Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor is also considered anti-virus/malware software, such as Trend Micro Deep Inspection on VMWare.
  • When deploying CU(n) on top of CU(n-1) when an interim update already has been installed, it is recommended to uninstall the IU prior to deploying CU(n). While it might go through, an abort is likely with mention of detecting an IU (INTERIMUPDATEDETECTED) in Exchange Setup log.
  • Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
  • The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.

Indicators & Action
You may want to look for signs that your Exchange server might have been compromised (Indicators of Compromise or IOC). The article HAFNIUM targeting Exchange Servers with 0-day exploits explains this process. A tool is available to assist in scanning systems for indicators, the Microsoft Support Emergency Response Tool (MSERT).

There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).

Mitigations
I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:

  • A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
  • Disabling UM Services (mitigates CVE-2021-26857).
  • Disabling ECP application pool (mitigates CVE-2021-27065).
  • Disabling OAB application pool (addresses CVE-2021-26858).

Needless to say, steps like disabling ECP or OAB impacts client functionality.

MS published a One-Click Microsoft Exchange On-Premises Mitigation Tool for simplified one-click implementation of mitigation measures on Exchange 2013-2019.

Finally
Since some people are discovering artifacts of HAFNIUM dating before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebson Security has published an article with a concise timeline of the events related to this attack.

43 thoughts on “Security Update Exchange 2010-2019 (Mar2021)

  1. We have 2016 Cu17 in hybrid so need to upgrade to 19 and apply this?

    Edition : Coexistence

    AdminDisplayVersion : Version 15.1 (Build 2044.4)

    Like

    • When running earlier product builds, you are at risk. Hence why it is recommended to stay current (n-1 at most). The Ex2010/2013 updates are courtesy of Microsoft to offer customers running old versions (e.g. migrating) protection.

      Like

      • Thanks, Michel,

        We have only one server and running the SMTP relay and Management purposes ( Hybrid) only.
        No port 443 open to this server. What is the best way to update to U19?

        Like

  2. Exchange 2013, CU 23.

    Make sure to properly stop the IIS yourself, otherwise the KB wont be able to update certain FrontEnd Files.

    Like

  3. Hi! Thank you for the information and your great blog! Do you have an official link to information about Exchange 2010 (Exchange 2010 is not vulnerable to the same attack chain)? It will help for my customers using 2010.

    Like

  4. Hi! I am not able to run the updated patch it is showing this error
    The upgrade patch cannot be installed because the program to be upgrade may be missing or the upgrade patch maybe update as a different version.

    Like

  5. Hi Trying to install patch in Ex2016CU19, It runs for a while but eventually fails when trying to create images (sorry didn’t catch the exact .dll). Any insight would be appreciated.

    Like

  6. This will not install. Running CU23, with UAC disabled it just refuses to install. In the MSI logs l have
    Unable to install because a previous Interim Update for Microsoft Exchange Server 2013 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
    Anyone know if you need to remove the previous security update KB4536988? I haven’t on a number of servers l have already updated

    Like

    • Deploying CU(n) on top of CU(n-1) with an interim update is always recommended to uninstall the IU prior to deploying CU(n). Depending on the files updates, it might go through without performing this step, but indeed you might encounter INTERIMUPDATEDETECTED in your logs when the CU sees different versions of files than expected (which usually is the previous one or the one shipping with itself).

      Like

  7. Does installing KB5000871 also take care of KB4602269, which are both Security Updates of CU18/19? I couldn’t find anything about if Security Updates were cumulative between CUs.

    Thanks!

    Like

  8. I tried to install the patch on exchange 2013 CU23, it ran up to 60% and then failed due to some exchange service error and keep asking for retry. I ran the setup through an elevated command prompt as an Administrator. But it still showed the error. After cancelling the wizard all services in Services.msc was disabled. and I have to manually enabled them one by one.

    Like

  9. I updated two Exchange 2016CU19 servers. One of them was updated normally, another was updated when IIS was stopped only. There were failed web access after update on both. I fixed it: run the Exchange PowerShell as admin, input UpdateCas.ps1 and run, then input UpdateConfigFiles.ps1 and run, and then do iisreset in the comand prompt.

    Like

  10. Have successfully installed the Security patch on our 2 Mailbox servers. But on the 2 Cas n Hub servers it fails prematurely. Have tried almost everything. Fails prematurely every time. Pls help.

    Like

  11. KB5000871 failed, due to not being able to write 2 dlls.

    Subsequent attempts to rerun (using various techniques covered in posts regarding issue installing this patch), all return:
    Setup wizard for Security Update for Exchange Server 2012 Cumulative Update 23 (KB5000871) ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.

    Despite saying not modified, I can’t get all services to start.
    Particularly Microsoft Exchange Transport service. It start sand then stops again.
    I’m looking for tips on where I can find what is failing an where it may be logging.

    Like

  12. I attempted to install KB5000871 on Exchange 2013 CU23, but it failed., complaining that it couldn’t write 2 dlls.
    I then followed various suggestions about running from an elevated command prompt, including running msiexec and specfiying the patch msp file.

    Any subsequent attempts get to the point where the tool states “Stopping services” and then reports that the Setup wizard ended prematurely because of an error and says the system has not been modified. Yet Exchange won’t start now.

    What log files should I investigate for more information? I have tried stopping all MsExchange services before running the patch but no difference.

    Like

    • To ask the obvious, you have no AV running blocking access or excluded those paths from AV? Seen too many times customers claiming they don’t run AV on their boxes, then after failed updates someone casually mentioning they have Deep Inspection (eg Trend Micro) running against their VMWare environment in default configuration, thus interfering with the process.

      Like

      • Yes I do have AVG running on that server.

        In any case, after restoring back to pre CU23 copy, I installed CU23 again (although Exchange reported as already being 15.0.1497.2, the SU said it wasn’t)
        The I ran KB5000871 from an elevated command prompt and it completed successfully. I didn’t do anything to bypass AV, the key was as stated by many, running the SU with admin credentials.

        Like

  13. Hi Michel, when I try to get up to date and install CU I get error: upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4. I have checked permissions, database etc and recreated Discovery search to no avail. How can I diagnose this more?

    Like

  14. Michel, the whole error message is here:
    Error:
    The following error was generated when “$error.Clear();
    if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
    {
    if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
    {
    # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
    get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
    $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
    $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
    $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
    if ( $mbxs.length -eq 0)
    {
    $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
    if($dbs.Length -ne 0)
    {
    $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
    if ($mbxUser.Length -ne 0)
    {
    enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
    }
    }
    }
    }
    else
    {
    write-exchangesetuplog -info “Skipping creating Discovery Search Mailbox because of insufficient permission.”
    }
    }
    ” was run: “Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.”.

    Error:
    The following error was generated when “$error.Clear();
    if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
    {
    if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
    {
    # upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
    get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
    $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
    $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
    $mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
    if ( $mbxs.length -eq 0)
    {
    $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
    if($dbs.Length -ne 0)
    {
    $mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
    if ($mbxUser.Length -ne 0)
    {
    enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
    }
    }
    }
    }
    else
    {
    write-exchangesetuplog -info “Skipping creating Discovery Search Mailbox because of insufficient permission.”
    }
    }
    ” was run: “Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
    at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
    at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow)
    at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.Validate(TDataObject dataObject)
    at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalValidate()
    at Microsoft.Exchange.Configuration.Tasks.SetRecipientObjectTask`3.InternalValidate()
    at Microsoft.Exchange.Management.Common.SetMailEnabledRecipientObjectTask`3.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetUserBase`3.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetMailboxBase`3.InternalValidate()
    at Microsoft.Exchange.Management.RecipientTasks.SetMailbox.InternalValidate()
    at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

    Like

  15. Hi Michel, Security Update For Exchange Server 2016 Cumulative Update 12 (KB5000871) was install through windows update and afterwards my exchange never worked. I tried running CMD as Administrator, then installed the update using CMD (as Administrator) but Still failed. Please assist

    Like

  16. I’m unable to manually install patches for Exchange 2019: CU4,5,6,7,8,10,11,16,17,18,21,23 since I always got “the upgrade patch cannot be installed by the windows installer service…” does not matter if I double click or I start with msiexec from Elevated Command prompt of Power Shell.

    I have absolute no any idea how to manually install it otherwise. I triple check the prerequisite and have to install .Net 4.8, Visual Scripts 2012 and 2013 …
    Please advice how to overcome the windows with red cross telling “the upgrade patch cannot be installed by the windows installer service”

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.