Managed AutoResponder Notifications

Posted on December 13, 2021 by Michel de Rooij

A long overdue blog on a solution which was created per request of an Exchange fellow. The original scenario is an organization spinning off, thereby changing their primary e-mail domain. They wanted to inform relations and partners using the old e-mail addresses of this change. However, this solution might also be helpful to organizations after merger and acquisitions or rebranding.

For the sake of the example, let us suppose Fabrikam was acquired by Contoso. Targeted mailboxes are migrated from the Fabrikam tenant to the Contoso tenant. Fabrikam will contain Mail-Enabled Users forwarding messages to their Contoso mailbox counterparts. The migrated mailboxes now hosted in Contoso will be configured to send notifications to senders which sent mail to the old Fabrikam address.

While organizations can resort to 3rd party tools to set up an Exchange Transport Rule with a generic message, a little script might also do the job, offering a more granular and controlled solution.

Solution
The scripted solution is available on GitHub here. It will configure an Inbox rule on the targeted Exchange mailbox(es), which would be the new/migrated mailbox. The rule will trigger when messages land in the inbox which were sent to a specific e-mail address, i.e. the previous e-mail address. It will send out an automatic response, which can consist of a custom subject, message body with an optional embedded image. The configuration of the response is defined in an customizable external XML file:

<?xml version="1.0" encoding="ISO-8859-1"?>  
<config>
  <rule>Contoso Autoresponder</rule>
  <subject>Please update your email recipient to Contoso</subject>
  <body>Dear Sender,

Thank you for your message. Fabrikam is now a whole Contoso subsidiary, and the fabrikam.com e-mail address will change to contoso.com. Your e-mail was forwarded to my new e-mail address. 

Please update contact information, distribution lists, etc. to update [OldMail] e-mail references with my new [Identity] e-mail address. 
 
[logo] 
The Contoso Corporation is a multinational business with its headquarters in Paris.</body>
  <logo>Contoso.png</logo>
</config>

The elements that can be used in the config are:

<rule> defines the name of the Inbox rule to be created. When the script runs, it will update any existing previously created inbox rules of the same name.
<subject> defines the subject of the response.
<body> defines the message body. You can use the following macros here:
- [OldMail] will get replaced with the original e-mail address.
- [Identity] will get replaced with the new e-mail address.
- [Logo] will get replaced with the embedded image.
Optionally, <logo> refers to the file name of the image to embed.

Requirements
To run the script, you need the following:

Exchange Server 2013 SP1 or later, or Exchange Online.
Exchange Web Services (EWS) Managed API 2.21 or later (how to, NuGet package exchange.webservices.managed.api).
When using modern authentication or OAuth2, the MSAL library is required (NuGet package Microsoft.Identity.Client). Also, you need to have registered an App in Azure Active Directory with sufficient permissions (e.g. full_access_as_app). After registering the app, Tenant ID, Application ID and certificate or secret is what you need to use with the script to run successfully.
In addition to installing the NuGet packages, you can also store their DLLs in the same folder as the script for portability.

Usage
The syntax to run the script is as follows:

.\Set-AutoResponderNotification.ps1 -Identity <Identity> -TemplateFile <File> [-TenantId <TenantId> -ClientId <ClientId> [-CertificateThumbprint <ThumbPrint>] [-CertificateFile <File> -CertificatePassword <SecureString>] [-Secret <SecureString>]] [-Credentials <PSCredential>] [-Clear] [-Overwrite] [-Impersonation] [-TrustAll]

The available parameters and switches are as follows:

Identity specifies one or more e-mail addresses of mailboxes to process. Identity supports the pipeline (see examples).
OldMail specifies one or more old e-mail addresses to use when configuring the autoresponder message. When specifying multiple identities,
the number of OldMail entries need to match the number of identities.
Server specifies the Exchange Web Services endpoint, for example outlook.office365.com for Exchange Online. When omitted, Autodiscover will be used.
Impersonation to use impersonation when accessing the mailbox. When using modern authentication, impersonation is mandatory.
TrustAll to accept all certificates including self-signed certificates.
TenantId specifies the ID of the Tenant when using a mailbox hosted in Exchange Online.
ClientId to specify the Application ID of the registered application in Azure Active Directory.
Credentials to specify the Basic Authentication credentials for on-premises usage or against Exchange Online when modern authentication is not an option.
CertificateThumbprint is the thumbprint of the certificate to use for modern authentication. The certificate with the public key needs to stored with the registered application for authentication. The certificate with the private key should be present in the local certificate store.
CertificateFile and CertificatePassword can be used to specify a certificate file to use. The file should contain the private key; the password protecting the certificate file can be specified using CertificatePassword as a secure string.
Secret can be used to specify the secret to authenticate using the registered application. The secret needs to be provided as a secure string.
Template
specifies the XML template file to use when configuring or clearing the autoresponder inbox rule. The format has explained above.
Clear specifies if any you want to remove the inbox rules with name specified in the template. Use this when you want to remove autoresponder rules from mailboxes. When using Clear, you don’t need to specify OldMail.
Overwrite specifies if any existing inbox rules with name specified in the template should be overwritten. When omitted, the script will skip processing
mailboxes with inbox rules with conflicting names. Use this when you want to configure the autoresponder only on mailboxes which do not have the rule.

Note that usage of the Verbose, Confirm and WhatIf parameters are supported.

Examples
Nothing more explanatory than an example. When we want to configure the autoresponder on a single mailbox, we can use something like:

Here, the autoresponder will get configured on the specified mailbox, triggering when mail has been sent to michel@fabrikam.com using the configuration defined in template.xml. Modern authentication will be used for authentication, using variables for Tenant, Client and in this case secret.

When you want to configure autoresponder for multiple mailboxes, you can for example use a CSV file. It needs to contain two elements which will be passed through pipeline, Identity and OldMail:

Identity,OldMail
philip@contoso.com,p.mortimer@fabrikam.com
francis@contoso.com,f.blake@fabrikam.com

After defining the response in a file template.xml, we can use this CSV to configure inbox rules on the Contoso mailboxes identified by Identity, triggering when mail is sent to their OldMail addresses:

Import-CSV -Path Users.csv | .\Set-AutoResponderNotification.ps1 -Server outlook.office365.com -Impersonation -TemplateFile .\Template.xml -TenantId <TenantId> -ClientId <ClientId> -Overwrite -CertificateThumbprint <Thumbprint>

What will happen is that for every set of Identity and OldMail, the mailbox specified by Identity will be configured with an inbox rule. When an existing rule is found, which is determined using the <rule> element in the XML template, it will get overwritten. The specified certificate will be picked from the local certificate store to authenticate against Tenant with TenantId, as application specified by ClientId.

Note that when the user opens Manage Rules & Alerts in Outlook, the configured inbox rule will be visible. This allows the user to remove it when it is no longer required. After a certain period, administrators can centrally remove these rules as well running the script using the Clear switch.

And finally, an example of how this may looks to senders when they receive an autoresponse message, using the sample configuration from the beginning of this article.

Application Access Policy
When using the script with modern authentication, you can leverage features such as conditional access to set boundaries for script usage. Also, you can configure application access policies to scope the registered app (script) to a subset of mailboxes. To accomplish this, assign an ApplicationAccessPolicy to the app.

To be more convenient in managing permissions, you can define a distribution group and assign the Application Access Policy with group scope (PolicyScopeGroupId). You then only need to add/remove members as you need to configure mailboxes.

More information about Application Access Policies here. Note that the permissions mentioned to not include full_access_as_app as permission, but it works.

EWS, why not Graph?
Microsoft already announced back in 2018 that development on Exchange Web Services will halt in and focus will shift to Graph. As part of this move, a more recent statement announced deprecation of some least-used API per March 2022, stimulating organizations to switch to using Graph. However, the organization looking for a solution wished for an automatic response with HTML as well as an embedded logo. Because of this, I had to use a template as a reply action.

But where Exchange Web Services supports reply with a template, Graph does not offer this functionality. So, until there is more feature parity between Exchange Web Services and Graph, or EWS goes completely out of service, solutions may still be forced to have a look at EWS for certain tasks.

Security Updates Exchange 2013-2019 (Nov2021)

Posted on November 9, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on November’s security updates for Exchange Server 2013 up to 2019. The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-42321	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7
CVE-2021-42305	Spoofing	Important	CVSS:3.1 6.5 / 5.7
CVE-2021-41349	Spoofing	Important	CVSS:3.1 6.5 / 5.7

Vulnerabilities mentioned in the table above are addressed in the following security updates. Exception is Exchange 2013 CU23 which seemingly only gets fixed for CVE-2021-26427; it is unclear if that is because of Exchange 2013’s lifecycle phase or because the problem does not exist in those builds.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU11	Download	15.2.986.14	KB5007409	KB5007012, KB5007011
Exchange 2019 CU10	Download	15.2.922.19	KB5007409	KB5007012, KB5007011
Exchange 2016 CU22	Download	15.1.2375.17	KB5007409	KB5007012, KB5007011
Exchange 2016 CU21	Download	15.1.2308.20	KB5007409	KB5007012, KB5007011
Exchange 2013 CU23	Download	15.0.1497.26	KB5007409	KB5007012, KB5007011

More detailed information can be found at the original blog post here. Check the KB articles for any known release notes, such as the possible cross-forest Free/Busy issue and HTTP headers containing version information.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU11 to Exchange 2019 CU10. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU10-KBXXXXXX-x64-en.msp.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Oct2021)

Posted on October 12, 2021 by Michel de Rooij

Welcome to another Patch Tuesday! A quick blog on October’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-26427	Remote Code Execution	Important	CVSS:3.0 9.0 / 7.8
CVE-2021-41350	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-41348	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-34453	Denial of Service	Important	CVSS:3.0 7.5 / 6.5

Exchange	Download	Build	KB
Exchange 2019 CU11	Download	15.2.986.9	KB5007012
Exchange 2019 CU10	Download	15.2.922.14	KB5007012
Exchange 2016 CU22	Download	15.1.2375.12	KB5007012
Exchange 2016 CU21	Download	15.1.2308.15	KB5007012
Exchange 2013 CU23	Download	15.0.1497.24	KB5007011

Unarchiving Mailbox Items

Posted on August 14, 2021 by Michel de Rooij

With the introduction of Exchange 2010 at the end of 2009, a native feature was added to Exchange Server for which organizations required 3rd party products before that. The feature which I am talking about is Exchange’s Personal Archives, Online Archives, or In-Place Archiving as it is called nowadays.

Background
Archives were introduced at a time when Office 365 was in its early days, many organizations were running Exchange on-premises with mailbox quotas as bandwidth and storage were limited or relatively expensive. It was up to end users to make sure their mailbox remained within its limits, either by removing either old items, large items or just move them out of their mailbox to those pesky .PST files.

Archives introduced benefits such as lowering disk footprint by taking infrequently used items out of the primary mailbox (which then could only synchronize in full) to the archive, which is basically an additional mailbox for long-term storage. Exchange’s built-in Messaging Records Management (MRM) through retention policies and tags can be used for automatic moving of older items to the archive.

Archives also come with few downsides, especially in the early days. Most notably are perhaps clients not supporting archives at all, or searches not spanning both mailbox and archive. Also, and this is not to be underestimated, end users do not always grasp the concept of archives and the impact on the tasks and tools they use. It’s not uncommon to see people panicking about “missing data” in service tickets, only to discover their “missing data” was moved to their archive by the company retention policy after some digging.

In recent years, I have seen archives becoming less relevant, and organizations adopting the large mailbox concept in favor of lean and mean mailboxes with archives. There are still exceptions of course, usually in the form of substantial – usually shared – mailboxes. For those, staying with Exchange Online archives – and when needed auto-expanding archives – is usually still an option due to the different type of mailbox interaction, or to circumvent Exchange’s storage limitations or Outlook for Desktop’s synchronizing of offline cache files before issues might be seen. The maximum number of items per folder is such a limit, however these have been raised or done away with in recent years. Non-stubbing 3rd party archive solutions taking data out of Exchange can also be a option.

The Problem
Switching to the large mailbox concept creates a problem for those organizations that have already enabled in-place archives for their end users: How to get that data back from those archives to the primary mailbox. While retention policies can move data in opposite direction, there is no such thing as a reverse-retention policy. Also, not every organization would like to instruct end users to unarchive this contents themselves, as it is prone to failure, blocks Outlook for Desktop from doing anything else and might result in abandoned operations which limits future actions as moves are still happening in the background.

When investigating a possible solution I found that there is no other way to accomplish this, than to programmatically move contents from the in-place archive to the primary mailbox. While there is a ‘archive’ operation for mailbox items (which moves it to the assigned Archive folder, not the in-place archive) there is no other single API call to perform this task. Also, the solution would have to use Exchange Web Services, as a limitation in Microsoft Graph makes it incapable of moving messages between multiple mailboxes.

Note: If I overlooked something in this area, please let me know.

Solution
To help organizations accomplish this task, I wrote a PowerShell script which requires the following:

Exchange Server 2013 SP1 or later, or Exchange Online.
Exchange Web Services (EWS) Managed API 2.21 or later (how to, NuGet package exchange.webservices.managed.api).
When using OAuth, the MSAL library is required (NuGet package Microsoft.Identity.Client). Also, you need to have registered an App in Azure Active Directory; the Tenant ID, Application ID and certificate or secret is what you need to provide the script with to operate successfully.
In addition to installing the NuGet packages, you can also store the DLLs in the same folder as the script.

Note: Untested with Primary mailboxes on-premises and Exchange Online Archives.

The script Invoke-Unarchive will perform the following tasks:

Invoke-Unarchive will move contents from the in-place archive back to the primary mailbox.
The most optimal operation will be chosen:
- Folders present in archive but not in primary mailbox will be moved in one operation.
- Folders present in archive and primary mailbox are merged. Items in those folders are moved in batches.
- The same steps are repeated recursively per folder for the whole archive.
If, after moving, a folder in the archive is empty, and it is not a non-removable well-known folder, it will be removed.
Optionally, Invoke-Unarchive can also move contents stored in the Recoverable Items from the archive to the primary mailbox.
Invoke-Unarchive will handle throttling, either by honoring the returned back-off period or by adding delays between operations.
Moving items is asynchronous, and Invoke-Unarchive needs to wait for Exchange to complete the previous move to folder X before it can move the next set of items to folder X.

Do not forget to reassign retention policies causing archival, or you might have the run the script again at later moment.

Syntax
The parameters to call Invoke-Unarchive.ps1 are:

Identity to specify one or more mailboxes to unarchive items for.
Server to specify the FQDN of the Client Access Server to use. When omitted, Autodiscover will be used.
IncludeRecoverableItems to instruct the script to process deletions stored in the Recoverable Items as well.
Impersonation to use impersonation when accessing the mailbox. When using modern authentication (OAuth), impersonation is mandatory.
Force to force moving of items without prompting.
NoProgressBar to prevent progress status.
TrustAll to accept all certificates including self-signed certificates.
TenantId specifies the ID of the Tenant when using a mailbox hosted in Exchange Online.
ClientId to specify the Application ID of the registered application in Azure Active Directory.
Credentials to specify the Basic Authentication credentials for on-premises usage or against Exchange Online when OAuth is not an option.
CertificateThumbprint is the thumbprint of the certificate to use for OAuth. The certificate with the public key needs to stored with the registered application for authentication. The certificate with the private key should be present in the local certificate store.
CertificateFile and CertificatePassword to specify the file of the certificate to use. The file shoud contain the private key, and the password to unlock the file can be specified using CertificatePassword.
Secret can be used to specify the secret to authenticate using the registered application.

Note that Credentials, CertificateThumbprint, CertificateFile + CertificatePassword and Secret are mutually exclusive.

Example
Below shows an example run against a test-mailbox using modern authentication (OAuth). The common parameter Verbose is used to display additional output.

.\Invoke-Unarchive.ps1 -Identity michel@myexchangelabs.com -Server outlook.office365.com -Impersonation -Secret <Secret> -TenantId <Tenant> -ClientId <AppId> -Verbose

You can find the script on GitHub here.

Final Notes
The EWS operation – especially moving items – is not necessarily slow, but against Exchange Online processing large archives can take considerable amount of time due to throttling. When moving a significant number of items using Outlook for Desktop, you will likely run into Outlook abandoning the operation after which you need to wait for Exchange to finish pending moves before you can continue with this task. Using the script, you can take away this unarchiving task from end users by running the operation in the background in one or multiple runs.

Security Updates Exchange 2013-2019 (Jul2021)

Posted on July 13, 2021 by Michel de Rooij

Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.

Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-31196	Remote Code Execution	Important	CVSS:3.0 7.2 / 6.3
CVE-2021-34470	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-33768	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-31206	Remote Code Execution	Important	CVSS:3.0 7.6 / 7.1

Note:

When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.

Vulnerabilities mentioned in the table above are addressed in the following security updates:

Exchange	Download	Build	KB
Exchange 2019 CU10	Download	15.2.922.13	KB5004780
Exchange 2019 CU9	Download	15.2.858.15	KB5004780
Exchange 2016 CU21	Download	15.1.2308.14	KB5004779
Exchange 2016 CU20	Download	15.1.2242.12	KB5004779
Exchange 2013 CU23	Download	15.0.1497.23	KB5004778

Notes:

CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.

More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:

When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.

The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:

Accounts ending in ‘$’ cannot use EMS or access the ECP.
Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.

On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:

Server Error in '/owa' Application.

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.

Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.

This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.

Security Updates Exchange 2013-2019 (May2021)

Posted on May 11, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

Vulnerability	Category	Severity	Rating
CVE-2021-31209	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-31207	Security Feature Bypass	Moderate	CVSS:3.0 6.6 / 5.8
CVE-2021-31198	Remote Code Execution	Important	CVSS:3.0 7.8 / 6.8
CVE-2021-31195	Remote Code Execution	Important	CVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.12	KB5 003435	KB5001779
Exchange 2019 CU8	Download	15.2.792.15	KB5 003435	KB5001779
Exchange 2016 CU20	Download	15.1.2242.10	KB5 003435	KB5001779
Exchange 2016 CU19	Download	15.1.2176.14	KB5 003435	KB5001779
Exchange 2013 CU23	Download	15.0.1497.18	KB5 003435	KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Security Update Exchange 2013-2019 (Apr2021)

Posted on April 13, 2021 by Michel de Rooij

15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.

A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?

The fixes address the following Remote Code Execution vulnerabilities:

Vulnerability	Severity	Rating
CVE-2021-28483	Critical	CVSS:3.0 9.0 / 7.8
CVE-2021-28482	High	CVSS:3.0 8.8 / 7.7
CVE-2021-28481	Critical	CVSS:3.0 9.8 / 8.5
CVE-2021-28480	Critical	CVSS:3.0 9.8 / 8.5

More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.

The exploit can be fixed by single security update, which you can find below.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.10	KB5001779
Exchange 2019 CU8	Download	15.2.792.13	KB5001779
Exchange 2016 CU20	Download	15.1.2242.8	KB5001779
Exchange 2016 CU19	Download	15.1.2176.12	KB5001779
Exchange 2013 CU23	Download	15.0.1497.15	KB5001779

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.

Security Update Exchange 2010-2019 (Mar2021)

Posted on March 2, 2021 by Michel de Rooij

Update 16Mar2021: Added One-Click tool reference.

Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blo g, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.

These fixes address the following Remote Code Execution vulnerabilities:

Exchange 2013/2016/2019
Exchange 2010/2013/2016/2019
- CVE-2021-26857

The exploit can be fixed by security update, or in case of Exchange 2010 SP3 by applying a Rollup, which you can find in the table below per current Exchange version. Microsoft published security updates for older CUs as well on March 8th; these have been added to the table below.

Exchange Build	Download	Build	Article	Supersedes
Exchange 2019 CU8	Download	15.2.792.10	KB5000871	KB4602269
Exchange 2019 CU7	Download	15.2.721.13	KB5000871	KB4602269
Exchange 2016 CU19	Download	15.1.2176.9	KB5000871	KB4602269
Exchange 2016 CU18	Download	15.1.2106.13	KB5000871	KB4602269
Exchange 2013 CU23	Download	15.0.1497.12	KB5000871	KB4593466
Exchange 2010 SP3 RU32	Download	14.3.513.0	KB5000978
Exchange 2019 CU6	Download	15.2.659.12	KB5000871
Exchange 2019 CU5	Download	15.2.595.8	KB5000871
Exchange 2019 CU4	Download	15.2.529.13	KB5000871
Exchange 2019 CU3	Download	15.2.464.15	KB5000871
Exchange 2019 CU2	Download	15.2.397.11	KB5000871
Exchange 2019 CU1	Download	15.2.330.11	KB5000871
Exchange 2019 RTM	Download	15.2.221.18	KB5000871
Exchange 2016 CU17	Download	15.1.2044.13	KB5000871
Exchange 2016 CU16	Download	15.1.1979.8	KB5000871
Exchange 2016 CU15	Download	15.1.1913.12	KB5000871
Exchange 2016 CU14	Download	15.1.1847.12	KB5000871
Exchange 2016 CU13	Download	15.1.1779.8	KB5000871
Exchange 2016 CU12	Download	15.1.1713.10	KB5000871
Exchange 2016 CU11	Download	15.1.1591.18	KB5000871
Exchange 2016 CU10	Download	15.1.1531.12	KB5000871
Exchange 2016 CU9	Download	15.1.1466.16	KB5000871
Exchange 2016 CU8	Download	15.1.1415.10	KB5000871
Exchange 2013 CU22	Download	15.0.1473.6	KB5000871
Exchange 2013 CU21	Download	15.0.1395.12	KB5000871

Notes:

You may not be prompted for a reboot, but one is required.
When manually installing the update use an elevated command prompt, don’t just double-click the .msp. To apply an .msp from an elevated prompt, e.g. msiexec.exe /p <Full Path to File>.
When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms
Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
When running product levels earlier than the ones patched, i.e. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU after which you can install the security update.
When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to quickly respond to these type of emergencies.
Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor is also considered anti-virus/malware software, such as Trend Micro Deep Inspection on VMWare.
When deploying CU(n) on top of CU(n-1) when an interim update already has been installed, it is recommended to uninstall the IU prior to deploying CU(n). While it might go through, an abort is likely with mention of detecting an IU (INTERIMUPDATEDETECTED) in Exchange Setup log.
Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.

Indicators & Action
You may want to look for signs that your Exchange server might have been compromised (Indicators of Compromise or IOC). The article HAFNIUM targeting Exchange Servers with 0-day exploits explains this process. A tool is available to assist in scanning systems for indicators, the Microsoft Support Emergency Response Tool (MSERT).

There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).

Mitigations
I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:

A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
Disabling UM Services (mitigates CVE-2021-26857).
Disabling ECP application pool (mitigates CVE-2021-27065).
Disabling OAB application pool (addresses CVE-2021-26858).

Needless to say, steps like disabling ECP or OAB impacts client functionality.

MS published a One-Click Microsoft Exchange On-Premises Mitigation Tool for simplified one-click implementation of mitigation measures on Exchange 2013-2019.

Finally
Since some people are discovering artifacts of HAFNIUM dating before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebson Security has published an article with a concise timeline of the events related to this attack.

Security Updates Exchange 2010-2019 (Dec2020)

Posted on December 8, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released December 8th. These fixes address the following vulnerability:

Exchange 2016 / 2019

CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17141: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2013

CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2010

CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.6	KB4593465	KB4588741
Exchange 2019 CU6	Download	15.2.659.11	KB4593465	KB4588741
Exchange 2016 CU18	Download	15.1.2106.6	KB4593465	KB4588741
Exchange 2016 CU17	Download	15.1.2044.12	KB4593465	KB4588741
Exchange 2013 CU23	Download	15.0.1497.10	KB4593466
Exchange 2010 SP3 RU31	Download	14.3.509.0	KB4593467

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Security Updates Exchange 2013-2019 (Nov2020)

Posted on November 10, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:

CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.4	KB4588741	KB4581424
Exchange 2019 CU6	Download	15.2.659.8	KB4588741	KB4581424
Exchange 2016 CU18	Download	15.1.2106.4	KB4588741	KB4581424
Exchange 2016 CU17	Download	15.1.2044.8	KB4588741	KB4581424
Exchange 2013 CU23	Download	15.0.1497.8	KB4588741	KB4581424