Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.
Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.
The vulnerabilities addressed in these security updates are:
| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2021-31196 | Remote Code Execution | Important | CVSS:3.0 7.2 / 6.3 |
| CVE-2021-34470 | Elevation of Privilege | Important | CVSS:3.0 8.0 / 7.0 |
| CVE-2021-33768 | Elevation of Privilege | Important | CVSS:3.0 8.0 / 7.0 |
| CVE-2021-31206 | Remote Code Execution | Important | CVSS:3.0 7.6 / 7.1 |
Note:
- When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
- CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.
Vulnerabilities mentioned in the table above are addressed in the following security updates:
| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU10 | Download | 15.2.922.13 | KB5004780 | |
| Exchange 2019 CU9 | Download | 15.2.858.15 | KB5004780 | |
| Exchange 2016 CU21 | Download | 15.1.2308.14 | KB5004779 | |
| Exchange 2016 CU20 | Download | 15.1.2242.12 | KB5004779 | |
| Exchange 2013 CU23 | Download | 15.0.1497.23 | KB5004778 |
Notes:
- CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
- CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.
More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:
- When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
- When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.
The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:
- Accounts ending in ‘$’ cannot use EMS or access the ECP.
- Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
- Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).
Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.
On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.
As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.
OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:
Server Error in '/owa' Application.
ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.
Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.
This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.
