Update 16Mar2021: Added One-Click tool reference.
Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blog, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.
These fixes address the following Remote Code Execution vulnerabilities:
- Exchange 2013/2016/2019
- Exchange 2010/2013/2016/2019
The vulnerabilities are fixed by installing the security update, or in the case of Exchange 2010 SP3 by applying a Rollup; both are listed per Exchange version in the table below. On March 8th Microsoft also published security updates for older CUs; these have been added to the table.
| Exchange Version | Download | Build | Article | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU8 | Download | 15.2.792.10 | KB5000871 | KB4602269 |
| Exchange 2019 CU7 | Download | 15.2.721.13 | KB5000871 | KB4602269 |
| Exchange 2016 CU19 | Download | 15.1.2176.9 | KB5000871 | KB4602269 |
| Exchange 2016 CU18 | Download | 15.1.2106.13 | KB5000871 | KB4602269 |
| Exchange 2013 CU23 | Download | 15.0.1497.12 | KB5000871 | KB4593466 |
| Exchange 2010 SP3 RU32 | Download | 14.3.513.0 | KB5000978 | |
| Exchange 2019 CU6 | Download | 15.2.659.12 | KB5000871 | |
| Exchange 2019 CU5 | Download | 15.2.595.8 | KB5000871 | |
| Exchange 2019 CU4 | Download | 15.2.529.13 | KB5000871 | |
| Exchange 2019 CU3 | Download | 15.2.464.15 | KB5000871 | |
| Exchange 2019 CU2 | Download | 15.2.397.11 | KB5000871 | |
| Exchange 2019 CU1 | Download | 15.2.330.11 | KB5000871 | |
| Exchange 2019 RTM | Download | 15.2.221.18 | KB5000871 | |
| Exchange 2016 CU17 | Download | 15.1.2044.13 | KB5000871 | |
| Exchange 2016 CU16 | Download | 15.1.1979.8 | KB5000871 | |
| Exchange 2016 CU15 | Download | 15.1.1913.12 | KB5000871 | |
| Exchange 2016 CU14 | Download | 15.1.1847.12 | KB5000871 | |
| Exchange 2016 CU13 | Download | 15.1.1779.8 | KB5000871 | |
| Exchange 2016 CU12 | Download | 15.1.1713.10 | KB5000871 | |
| Exchange 2016 CU11 | Download | 15.1.1591.18 | KB5000871 | |
| Exchange 2016 CU10 | Download | 15.1.1531.12 | KB5000871 | |
| Exchange 2016 CU9 | Download | 15.1.1466.16 | KB5000871 | |
| Exchange 2016 CU8 | Download | 15.1.1415.10 | KB5000871 | |
| Exchange 2013 CU22 | Download | 15.0.1473.6 | KB5000871 | |
| Exchange 2013 CU21 | Download | 15.0.1395.12 | KB5000871 | |
Notes:
- You may not be prompted for a reboot, but one is required.
- When manually installing the update, use an elevated command prompt; don't just double-click the .msp. To apply an .msp from an elevated prompt, e.g. `msiexec.exe /p <Full Path to File>`.
- When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. `setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms`.
- Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
- When running product levels earlier than the ones patched, e.g. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU first, after which you can install the security update.
- When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
- When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
- The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to respond quickly to this type of emergency.
- Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor also counts as anti-virus/malware software, such as Trend Micro Deep Inspection on VMware.
- When deploying CU(n) on top of CU(n-1) while an interim update (IU) is installed, it is recommended to uninstall the IU prior to deploying CU(n). While setup might go through, an abort is likely, with the Exchange Setup log mentioning that an IU was detected (INTERIMUPDATEDETECTED).
- Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
- The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.
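As an added example (not from the post, nor a Microsoft tool): a small PowerShell check that turns the table above into a lookup and compares a server's ExSetup.exe file version with the patched build for its CU. It assumes the Build column equals the ExSetup.exe file version after the security update is applied, since AdminDisplayVersion (as shown by Get-ExchangeServer) is not bumped by security updates; the function name and the two sample versions are constructed.

```powershell
# Added example (not from the post): decide whether a server already carries the March 2021 SU.
# Assumption: the "Build" column above is the ExSetup.exe file version after the SU is applied;
# AdminDisplayVersion (Get-ExchangeServer) is NOT bumped by security updates, so do not use it.

# Key = Major.Minor.Build (identifies the CU); value = revision number shipped with the SU.
$PatchedRevision = @{
    '15.2.792'  = 10; '15.2.721'  = 13; '15.2.659'  = 12; '15.2.595'  = 8    # Ex2019 CU8..CU5
    '15.2.529'  = 13; '15.2.464'  = 15; '15.2.397'  = 11; '15.2.330'  = 11   # Ex2019 CU4..CU1
    '15.2.221'  = 18                                                          # Ex2019 RTM
    '15.1.2176' = 9;  '15.1.2106' = 13; '15.1.2044' = 13; '15.1.1979' = 8    # Ex2016 CU19..CU16
    '15.1.1913' = 12; '15.1.1847' = 12; '15.1.1779' = 8;  '15.1.1713' = 10   # Ex2016 CU15..CU12
    '15.1.1591' = 18; '15.1.1531' = 12; '15.1.1466' = 16; '15.1.1415' = 10   # Ex2016 CU11..CU8
    '15.0.1497' = 12; '15.0.1473' = 6;  '15.0.1395' = 12                     # Ex2013 CU23..CU21
    '14.3.513'  = 0                                                           # Ex2010 SP3 RU32
}

function Get-March2021SUStatus {
    # Hypothetical helper name. Accepts any value convertible to [version], e.g. '15.1.2044.4'.
    param([Parameter(Mandatory)][version]$FileVersion)
    $cu = '{0}.{1}.{2}' -f $FileVersion.Major, $FileVersion.Minor, $FileVersion.Build
    if (-not $PatchedRevision.ContainsKey($cu)) {
        # CU not covered by the table: no SU exists for it, move to a current CU first.
        $status = 'CU not in the March 2021 table: update to a recent CU, then apply the SU'
    } elseif ($FileVersion.Revision -ge $PatchedRevision[$cu]) {
        # Same or higher revision means the March 2021 SU (or a later SU) is present.
        $status = 'Patched (March 2021 SU or later present)'
    } else {
        # SUs are CU specific: the .msp for another CU will refuse to install.
        $status = 'VULNERABLE: install the SU for this exact CU'
    }
    [pscustomobject]@{ FileVersion = $FileVersion; CU = $cu; Status = $status }
}

# Local server: ExSetup.exe carries the SU build. Run in the Exchange Management Shell
# (or with the Exchange bin folder on the PATH) so Get-Command can find it.
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if ($exsetup) {
    $fvi   = $exsetup.FileVersionInfo
    $local = New-Object Version $fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart
    Get-March2021SUStatus -FileVersion $local
}

# Constructed sample values: an unpatched Ex2016 CU17 server and a patched Ex2016 CU19 server.
'15.1.2044.4', '15.1.2176.9' | ForEach-Object { Get-March2021SUStatus -FileVersion $_ }
```

The two constructed samples report VULNERABLE and Patched respectively; the table is only valid for the March 2021 release, so re-key it when later SUs ship.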
Indicators & Action
You may want to look for signs that your Exchange server might have been compromised (Indicators of Compromise or IOC). The article HAFNIUM targeting Exchange Servers with 0-day exploits explains this process. A tool is available to assist in scanning systems for indicators, the Microsoft Support Emergency Response Tool (MSERT).
There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).
Mitigations
I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:
- A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
- Disabling UM Services (mitigates CVE-2021-26857).
- Disabling ECP application pool (mitigates CVE-2021-27065).
- Disabling OAB application pool (addresses CVE-2021-26858).
Needless to say, steps like disabling ECP or OAB impact client functionality.
Microsoft published a One-Click Microsoft Exchange On-Premises Mitigation Tool for simplified one-click implementation of mitigation measures on Exchange 2013-2019.
Finally
Since some people are discovering artifacts of HAFNIUM dating from before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebs on Security has published an article with a concise timeline of the events related to this attack.
We have 2016 CU17 in hybrid, so we need to upgrade to 19 and apply this?
Edition : Coexistence
AdminDisplayVersion : Version 15.1 (Build 2044.4)
When running earlier product builds, you are at risk. Hence it is recommended to stay current (n-1 at most). The Ex2010/2013 updates are courtesy of Microsoft, offering protection to customers running old versions (e.g. migrating).
Thanks, Michel,
We have only one server, running for SMTP relay and management purposes (Hybrid) only.
No port 443 is open to this server. What is the best way to update to CU19?
Exchange 2013, CU 23.
Make sure to properly stop IIS yourself, otherwise the KB won’t be able to update certain FrontEnd files.
Hi! Thank you for the information and your great blog! Do you have an official link to information about Exchange 2010 (Exchange 2010 not being vulnerable to the same attack chain)? It would help my customers using 2010.
It’s in the comments (look for Nino Bilic) on the official Exchange team’s publication.
Hello,
Hopefully people stay on-premises even after this little hiccup. At least the German government and data protection authorities found out it’s not ideal to store anything confidential in the Cloud.
If Microsoft had been affected, I am absolutely sure they would not post the breach, especially related to larger pharma/biotech companies working on Covid vaccines.
Exchange 2010 is also affected. Microsoft released a free patch (you don’t need an ESU license). The patch installed well on two larger deployments with DAG today.
Exchange Server 2010 SP3 Rollup 32
https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459
http://www.butsch.ch/post/03032021-Exchange-2010-2013-2013-2016-2019-Patch-KB5000871-how-to-Update-correct-with-Links.aspx
Greetings from Switzerland
Hi! I am not able to run the update patch; it is showing this error:
The upgrade patch cannot be installed because the program to be upgrade may be missing or the upgrade patch maybe update as a different version.
Use the patch that matches your Exchange version and CU build.
I am trying to run this (exchange2013-kb5000871-x64-en) for Exchange Server 2013. I am not sure what I am missing here.
If you are not on CU23, install CU23 first (6.4GB full update release)
and then the small patch KB5000871 afterwards.
Exchange Server 2013 CU23 June 18, 2019 15.0.1497.2 15.00.1497.002
This LINK is only valid if you are already at CU23:
https://www.microsoft.com/en-us/download/details.aspx?id=102775 (KB5000871 download link)
Reminder: Most of the modern ROLLUPs for Exchange a) save the config to many XML files, b) do a complete uninstall, and c) re-install the full Exchange with the settings from the XML files (Do not interrupt, wait until it’s done!)
Any chance you installed KB4593466, KB581424 or one of the other interim security updates for Ex2013CU23?
I am running into the same issue. Did you resolve it? If so, how was it resolved? I have the same download, exchange2013-kb5000871-x64-en.
Just updated my 2013 CU22 to CU23 and then applied the patch, no issues here.
Hi, trying to install the patch on Ex2016 CU19. It runs for a while but eventually fails when trying to create images (sorry, didn’t catch the exact .dll). Any insight would be appreciated.
Did you launch from an administrator cmd?
We are running Exchange 2016 CU18 Hybrid. I plan to install KB5000871 today and was curious how long it may take, including reboots. Any estimates?
Too many variables to say anything.
This will not install. Running CU23, with UAC disabled, it just refuses to install. In the MSI logs I have:
Unable to install because a previous Interim Update for Microsoft Exchange Server 2013 Cumulative Update 23 has been installed. Please use Add/Remove Programs to uninstall the Interim Update before running this setup again.
Anyone know if you need to remove the previous security update KB4536988? I haven’t on a number of servers I have already updated.
When deploying CU(n) on top of CU(n-1) with an interim update installed, it is always recommended to uninstall the IU prior to deploying CU(n). Depending on the files updated, it might go through without performing this step, but indeed you might encounter INTERIMUPDATEDETECTED in your logs when the CU sees different versions of files than expected (which usually is the previous one or the one shipping with itself).
Hi Michel, what I meant is we are already running on CU23.
Hi Michel, what I meant was that we are currently running on CU23.
Does installing KB5000871 also take care of KB4602269, as both are Security Updates for CU18/19? I couldn’t find anything about whether Security Updates are cumulative between CUs.
Thanks!
Sigh, never mind, lol. It’s right at the bottom of the KB Article that it replaces it, apparently I’m just blind.
I tried to install the patch on Exchange 2013 CU23; it ran up to 60% and then failed due to some Exchange service error and kept asking for a retry. I ran the setup through an elevated command prompt as an Administrator, but it still showed the error. After cancelling the wizard, all services in Services.msc were disabled, and I had to manually enable them one by one.
I updated two Exchange 2016 CU19 servers. One of them was updated normally, the other was updated only after IIS was stopped. Web access failed after the update on both. I fixed it: run the Exchange PowerShell as admin, run UpdateCas.ps1, then run UpdateConfigFiles.ps1, and then do an iisreset in the command prompt.
Have successfully installed the security patch on our 2 Mailbox servers. But on the 2 CAS and Hub servers it fails prematurely. Have tried almost everything. Fails prematurely every time. Please help.
Btw, my Exchange is 2013 CU23.
At what step, what is the message, and what’s in the Exchange Setup log?
Did you install via an elevated DOS prompt?
KB5000871 failed, due to not being able to write 2 dlls.
Subsequent attempts to rerun (using various techniques covered in posts regarding issues installing this patch) all return:
Setup wizard for Security Update for Exchange Server 2012 Cumulative Update 23 (KB5000871) ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.
Despite saying not modified, I can’t get all services to start.
Particularly the Microsoft Exchange Transport service. It starts and then stops again.
I’m looking for tips on where I can find what is failing and where it may be logging.
I attempted to install KB5000871 on Exchange 2013 CU23, but it failed, complaining that it couldn’t write 2 dlls.
I then followed various suggestions about running from an elevated command prompt, including running msiexec and specifying the patch msp file.
Any subsequent attempts get to the point where the tool states “Stopping services” and then report that the Setup wizard ended prematurely because of an error and that the system has not been modified. Yet Exchange won’t start now.
What log files should I investigate for more information? I have tried stopping all MsExchange services before running the patch, but no difference.
To ask the obvious, you have no AV running blocking access, or have excluded those paths from AV? Seen too many times customers claiming they don’t run AV on their boxes, then after failed updates someone casually mentioning they have Deep Inspection (e.g. Trend Micro) running against their VMware environment in default configuration, thus interfering with the process.
Yes, I do have AVG running on that server.
In any case, after restoring back to a pre-CU23 copy, I installed CU23 again (although Exchange reported as already being 15.0.1497.2, the SU said it wasn’t).
Then I ran KB5000871 from an elevated command prompt and it completed successfully. I didn’t do anything to bypass AV; the key was, as stated by many, running the SU with admin credentials.
Microsoft just released the March Security Patch for older CUs:
https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020
Hi Michel, when I try to get up to date and install the CU I get the error: “upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4”. I have checked permissions, database etc. and recreated the Discovery search to no avail. How can I diagnose this further?
I’m assuming you are Schema Admin. In your current environment, run `Get-Mailbox -Arbitration | FL Identity,ServerName,Database` and see if the DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852} mailbox is homed, or throwing an error (DB is mandatory). When not set, set the HomeMDB attribute using AD tools, or alternatively and when possible it’s perhaps easier to recreate the Discovery mailbox, see https://docs.microsoft.com/en-us/exchange/security-and-compliance/in-place-ediscovery/delete-and-re-create-default-discovery-mailbox
Hi Michel, thanks for the prompt reply. Yes, I am using an account that has schema admin. If I look in AD, the DiscoverySearch mailbox is homed. I had seen that doco and I recreated the DiscoverySearch. That seemed to work ok, except when I run `Get-Mailbox -Arbitration` it does not show the Discovery mailbox. It does show when I run
`Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}`. Does that shed some light on my issue?
Michel, the whole error message is here:
Error:
The following error was generated when “$error.Clear();
if (($RoleIsDatacenter -ne $true) -and ($RoleIsDatacenterDedicated -ne $true))
{
if (test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
{
# upgrade the discovery mailboxes to R5 version, this will fix the RecipientDisplayType property of the discovery mailbox which was wrong in R4.
get-mailbox -RecipientTypeDetails DiscoveryMailbox -DomainController $RoleDomainController | where {$_.IsValid -eq $false} | set-mailbox -DomainController $RoleDomainController
$name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
$dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
$mbxs = @( get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1 );
if ( $mbxs.length -eq 0)
{
$dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
if($dbs.Length -ne 0)
{
$mbxUser = @(get-user -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
if ($mbxUser.Length -ne 0)
{
enable-mailbox -Discovery -identity $mbxUser[0] -DisplayName $dispname -database $dbs[0].Identity;
}
}
}
}
else
{
write-exchangesetuplog -info “Skipping creating Discovery Search Mailbox because of insufficient permission.”
}
}
” was run: “Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow)
at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.Validate(TDataObject dataObject)
at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.SetRecipientObjectTask`3.InternalValidate()
at Microsoft.Exchange.Management.Common.SetMailEnabledRecipientObjectTask`3.InternalValidate()
at Microsoft.Exchange.Management.RecipientTasks.SetUserBase`3.InternalValidate()
at Microsoft.Exchange.Management.RecipientTasks.SetMailboxBase`3.InternalValidate()
at Microsoft.Exchange.Management.RecipientTasks.SetMailbox.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.
Hi Michel, Security Update For Exchange Server 2016 Cumulative Update 12 (KB5000871) was installed through Windows Update and afterwards my Exchange never worked. I tried running CMD as Administrator, then installed the update using CMD (as Administrator), but it still failed. Please assist.
What doesn’t work? Also, why are you still on CU12?
Now it is only ECP that is not working; we are planning to upgrade in one week’s time.
I’m unable to manually install patches for Exchange 2019: CU4,5,6,7,8,10,11,16,17,18,21,23, since I always get “the upgrade patch cannot be installed by the windows installer service…”. It does not matter whether I double-click or start it with msiexec from an elevated command prompt or PowerShell.
I have absolutely no idea how else to install it manually. I triple-checked the prerequisites and had to install .Net 4.8, Visual Scripts 2012 and 2013 …
Please advise how to overcome the window with the red cross telling “the upgrade patch cannot be installed by the windows installer service”.
I’ve been trying to find a definitive answer to this. Can you uninstall an Exchange Security update (i.e. KB5003435), or are they like a CU, where it will actually uninstall Exchange?
You can uninstall those interim security updates.