Security Updates Exchange 2013-2019 (Jul2021)

Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.

Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

VulnerabilityCategorySeverityRating
CVE-2021-31196Remote Code Execution ImportantCVSS:3.0 7.2 / 6.3
CVE-2021-34470Elevation of PrivilegeImportantCVSS:3.0 8.0 / 7.0
CVE-2021-33768Elevation of PrivilegeImportantCVSS:3.0 8.0 / 7.0
CVE-2021-31206Remote Code ExecutionImportantCVSS:3.0 7.6 / 7.1

Note:

  • When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
  • CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.

Vulnerabilities mentioned in the table above are addressed in the following security updates:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU10Download15.2.922.13KB5004780
Exchange 2019 CU9Download15.2.858.15KB5004780
Exchange 2016 CU21Download15.1.2308.14KB5004779
Exchange 2016 CU20Download15.1.2242.12KB5004779
Exchange 2013 CU23Download15.0.1497.23KB5004778

Notes:

  • CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
  • CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.

More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:

  • When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
  • When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.

The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:

  • Accounts ending in ‘$’ cannot use EMS or access the ECP.
  • Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
  • Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.

On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:

Server Error in '/owa' Application.

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.

Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.

This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.

Exchange Updates – June 2021

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 and Exchange 2016. Biggest change for both editions is support for Anti-Malware Scan Interface (AMSI) integration, available on Windows Server 2016 and Windows Server 2019. It allows real-time scanning of HTTP payloads, blocking known malicious content before it reaches Exchange.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1015.2.922.7KB5003612 Download YY
Exchange 2016 CU21 15.1.2308.8 KB5003611 DownloadUMLPYY

Exchange 2019 CU10 fixes:

  • 5004612 Message body not displayed in OWA if the message was added in Outlook to a new mailbox
  • 5004613 OutOfMemory exception when moving a public folder that has a large ICS sync state
  • 5004614 Korean text is garbled in calendar invitation to a user with a Chinese display name
  • 5004615 “InvalidOperationException” and Store Worker process crashes during mailbox move
  • 5004616 Changing the email address in EAC doesn’t work in modern browsers
  • 5004617 TLS 1.2 is not set as default after you install Exchange 2019 with Edge Transport role
  • 5004618 MSExchangeMailboxAssistants 4999 Crash in ELCAssistant.InvokeInternalAssistant with System.NullReferenceException
  • 5004619 Mailbox creation through ECP fails after installing Exchange Server 2019 or 2016 April update
  • 5004622 “Cannot Send Mail – Your mailbox is full” error when you use iPhone mail to send very large attachments
  • 5004623 PrepareADSchema required because of Active Directory schema change

Exchange 2016 CU21 fixes:

  • 5004612 Message body not displayed in OWA if the message was added in Outlook to a new mailbox
  • 5004613 OutOfMemory exception when moving a public folder that has a large ICS sync state
  • 5004614 Korean text is garbled in calendar invitation to a user with a Chinese display name
  • 5004615 “InvalidOperationException” and Store Worker process crashes during mailbox move
  • 5004616 Changing the email address in EAC doesn’t work in modern browsers
  • 5004618 MSExchangeMailboxAssistants 4999 Crash in ELCAssistant.InvokeInternalAssistant with System.NullReferenceException
  • 5004619 Mailbox creation through ECP fails after installing Exchange Server 2019 or 2016 April update
  • 5004622 “Cannot Send Mail – Your mailbox is full” error when you use iPhone mail to send very large attachments
  • 5004623 PrepareADSchema required because of Active Directory schema change
  • 5004629 No version updating after you install Exchange Server 2016

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for version number comparison.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2013-2019 (May2021)

Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

VulnerabilityCategorySeverityRating
CVE-2021-31209SpoofingImportantCVSS:3.0 6.5 / 5.7
CVE-2021-31207Security Feature BypassModerateCVSS:3.0 6.6 / 5.8
CVE-2021-31198Remote Code ExecutionImportantCVSS:3.0 7.8 / 6.8
CVE-2021-31195Remote Code Execution ImportantCVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU9Download15.2.858.12KB5003435KB5001779
Exchange 2019 CU8Download15.2.792.15KB5003435KB5001779
Exchange 2016 CU20Download15.1.2242.10KB5003435KB5001779
Exchange 2016 CU19Download15.1.2176.14KB5003435KB5001779
Exchange 2013 CU23Download15.0.1497.18KB5003435KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5003435-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Security Update Exchange 2013-2019 (Apr2021)

15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.

A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?

The fixes address the following Remote Code Execution vulnerabilities:

VulnerabilitySeverityRating
CVE-2021-28483CriticalCVSS:3.0 9.0 / 7.8
CVE-2021-28482HighCVSS:3.0 8.8 / 7.7
CVE-2021-28481CriticalCVSS:3.0 9.8 / 8.5
CVE-2021-28480CriticalCVSS:3.0 9.8 / 8.5

More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.

The exploit can be fixed by single security update, which you can find below.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU9Download15.2.858.10KB5001779
Exchange 2019 CU8Download15.2.792.13KB5001779
Exchange 2016 CU20Download15.1.2242.8KB5001779
Exchange 2016 CU19Download15.1.2176.12KB5001779
Exchange 2013 CU23Download15.0.1497.15KB5001779

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Exchange Updates – March 2021

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that both of these CUs include the March security update KB5000871. AExchange 2016 will receive its final CU in March, 2021.

Links to the updates as well as a description of changes and fixes are described below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU915.2.858.2KB4602570Download NY
Exchange 2016 CU2015.1.2242.4KB4602569DownloadUMLPNY

Exchange 2019 CU9 fixes:

  • 5001181 Certain search scenario can’t return expected result in Outlook online mode in Exchange Server 2019
  • 5001182 Can’t use keyword “TMM” in a special pattern to search email in Exchange Server 2019
  • 5001183 Attachment is treated as bad zip file on Edge Transport server in Exchange Server 2019 and 2016
  • 5001184 EAC has no option to select the correct tenant for an Office 365 mailbox in Exchange Server 2019 and 2016
  • 5001185 EAC has no option to select an archive domain for cloud-based archive in Exchange Server 2019 and 2016
  • 5001186 Encoding of special characters isn’t preserved which causes missing text in Outlook in Exchange Server 2019 and 2016
  • 5001188 Incorrect MRM properties stamped on mail item delivery when sending to multiple mailboxes on the same database in Exchange Server 2019 and 2016
  • 5001189 Mailbox Audit log searches and Outlook both tied to MaxHitsForFullTextIndexSearches in Exchange Server 2019 and 2016
  • 5001190 MonitoringGroup can’t control the placement of CAS monitoring mailboxes in Exchange Server 2019 and 2016
  • 5001192 Microsoft Teams fails to show calendar because Autodiscover v2 isn’t site-aware in Exchange Server 2019 and 2016
  • 5001193 New health mailboxes for databases are created every time Exchange Health Manager service is restarted
  • 5001194 RFC certificate timestamp validation in Exchange Server 2019 and 2016
  • 5001195 UPN specified when creating mailbox is overwritten automatically causing login failures in Exchange Server 2019 and 2016
  • 5000631 Event IDs 1003, 1309 and 4999 are logged after installing Exchange Server 2019 CU8
  • 4583558 PDF preview function in OWA leads to download action unexpectedly

Exchange 2016 CU20 fixes:

  • 5001183 Attachment is treated as bad zip file on Edge Transport server in Exchange Server 2019 and 2016
  • 5001184 EAC has no option to select the correct tenant for an Office 365 mailbox in Exchange Server 2019 and 2016
  • 5001185 EAC has no option to select an archive domain for cloud-based archive in Exchange Server 2019 and 2016
  • 5001186 Encoding of special characters isn’t preserved which causes missing text in Outlook in Exchange Server 2019 and 2016
  • 5001188 Incorrect MRM properties stamped on mail item delivery when sending to multiple mailboxes on the same database in Exchange Server 2019 and 2016
  • 5001189 Mailbox Audit log searches and Outlook both tied to MaxHitsForFullTextIndexSearches in Exchange Server 2019 and 2016
  • 5001190 MonitoringGroup can’t control the placement of CAS monitoring mailboxes in Exchange Server 2019 and 2016
  • 5001192 Microsoft Teams fails to show calendar due to Autodiscover v2 isn’t site aware in Exchange Server 2019 and 2016
  • 5001193 New health mailboxes for databases are created every time Exchange Health Manager service is restarted
  • 5001194 RFC certificate timestamp validation in Exchange Server 2019 and 2016
  • 5001195 UPN specified when creating mailbox is overwritten automatically causing login failures in Exchange Server 2019 and 2016
  • 4583558 PDF preview function in OWA leads to download action unexpectedly

Notes:

  • If these Cumulative Updates contain schema changes compared to the Cumulative Update you have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for object version numbers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Update Exchange 2010-2019 (Mar2021)

Update 16Mar2021: Added One-Click tool reference.

Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blog, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.

These fixes address the following Remote Code Execution vulnerabilities:

The exploit can be fixed by security update, or in case of Exchange 2010 SP3 by applying a Rollup, which you can find in the table below per current Exchange version. Microsoft published security updates for older CUs as well on March 8th; these have been added to the table below.

Exchange BuildDownloadBuildArticleSupersedes
Exchange 2019 CU8Download15.2.792.10KB5000871KB4602269
Exchange 2019 CU7Download15.2.721.13KB5000871KB4602269
Exchange 2016 CU19Download15.1.2176.9KB5000871KB4602269
Exchange 2016 CU18Download15.1.2106.13KB5000871KB4602269
Exchange 2013 CU23Download15.0.1497.12KB5000871KB4593466
Exchange 2010 SP3 RU32Download14.3.513.0KB5000978
Exchange 2019 CU6Download15.2.659.12KB5000871
Exchange 2019 CU5Download15.2.595.8KB5000871
Exchange 2019 CU4Download15.2.529.13KB5000871
Exchange 2019 CU3Download15.2.464.15KB5000871
Exchange 2019 CU2Download15.2.397.11KB5000871
Exchange 2019 CU1Download15.2.330.11KB5000871
Exchange 2019 RTMDownload15.2.221.18KB5000871
Exchange 2016 CU17Download15.1.2044.13KB5000871
Exchange 2016 CU16Download15.1.1979.8KB5000871
Exchange 2016 CU15Download15.1.1913.12KB5000871
Exchange 2016 CU14Download15.1.1847.12KB5000871
Exchange 2016 CU13Download15.1.1779.8KB5000871
Exchange 2016 CU12Download15.1.1713.10KB5000871
Exchange 2016 CU11Download15.1.1591.18KB5000871
Exchange 2016 CU10Download15.1.1531.12KB5000871
Exchange 2016 CU9Download15.1.1466.16KB5000871
Exchange 2016 CU8Download15.1.1415.10KB5000871
Exchange 2013 CU22Download15.0.1473.6KB5000871
Exchange 2013 CU21Download15.0.1395.12KB5000871

Notes:

  • You may not be prompted for a reboot, but one is required.
  • When manually installing the update use an elevated command prompt, don’t just double-click the .msp. To apply an .msp from an elevated prompt, e.g. msiexec.exe /p <Full Path to File>.
  • When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms
  • Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
  • When running product levels earlier than the ones patched, i.e. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU after which you can install the security update.
  • When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
  • When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
  • The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to quickly respond to these type of emergencies.
  • Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor is also considered anti-virus/malware software, such as Trend Micro Deep Inspection on VMWare.
  • When deploying CU(n) on top of CU(n-1) when an interim update already has been installed, it is recommended to uninstall the IU prior to deploying CU(n). While it might go through, an abort is likely with mention of detecting an IU (INTERIMUPDATEDETECTED) in Exchange Setup log.
  • Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
  • The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.

Indicators & Action
You may want to look for signs that your Exchange server might have been compromised (Indicators of Compromise or IOC). The article HAFNIUM targeting Exchange Servers with 0-day exploits explains this process. A tool is available to assist in scanning systems for indicators, the Microsoft Support Emergency Response Tool (MSERT).

There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).

Mitigations
I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:

  • A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
  • Disabling UM Services (mitigates CVE-2021-26857).
  • Disabling ECP application pool (mitigates CVE-2021-27065).
  • Disabling OAB application pool (addresses CVE-2021-26858).

Needless to say, steps like disabling ECP or OAB impacts client functionality.

MS published a One-Click Microsoft Exchange On-Premises Mitigation Tool for simplified one-click implementation of mitigation measures on Exchange 2013-2019.

Finally
Since some people are discovering artifacts of HAFNIUM dating before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebson Security has published an article with a concise timeline of the events related to this attack.

Security Recommendation Exchange 2016-2019

A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:

CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability

A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.

As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.

First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME for this entry in the DNS, and point it to your OWA namespace, for example img.mail.contoso.com. Add this namespace to your existing SSL certificate (SAN) unless you are using a wildcard certificate and the chosen namespace is covered by it.

Next, configure the InternalDownloadHostName and ExternalDownloadHostName properties from OWAVirtualDirectory configuration, e.g.

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalDownloadHostName img.mail.contoso.com -InternalDownloadHostName img.mail.contoso.com

Configure the Exchange organization to use download domains:

Set-OrganizationConfig -EnableDownloadDomains $true

Finally, restart IIS or recycle the OWA application pool using Restart-WebAppPool MSExchangeOWAAppPool.

Security Update Exchange 2016-2019 (Feb2021)

A quick blog on security updates for Exchange Server 2016 and 2019. These fixes address the following vulnerability:

CVE-2021-24085: Microsoft Exchange Server Spoofing Vulnerability

The exploit can be fixed by single security update, which you can find in the table below per current Exchange version.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU8Download15.2.792.5KB4602269KB4593465
Exchange 2019 CU7Download15.2.721.8KB4602269KB4593465
Exchange 2016 CU19Download15.1.2176.4KB4602269KB4593465
Exchange 2016 CU18Download15.1.2106.8KB4602269KB4593465

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Exchange Updates – December 2020

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Be advised that Exchange 2016 will receive its final CU in March, 2021.

Links to the updates as well as a description of changes and fixes are described below.

VersionBuildKBDownloadUMLPSchemaPrepareAD
Exchange 2019 CU815.2.792.3KB4588885VLSC NY
Exchange 2016 CU1915.1.2176.2KB4588884DownloadUMLPNY

Exchange 2019 CU8 fixes:

  • 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
  • 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2019
  • 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2019
  • 4583533 Exchange Server 2019 installation fails with error “The user has insufficient access rights” 
  • 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2019
  • 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2019
  • 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2019
  • 4583537 Update Korean word breaker in Exchange Server 2019
  • 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2019
  • 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2019
  • 4583542 Server assisted search in Outlook doesn’t return more than 175 items in Exchange Server 2019
  • 4583544 Lots of LDAP requests for FE MAPI w3wp lead to DDoS on DCs in Exchange Server 2019
  • 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2019
  • 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Exchange 2016 CU19 fixes:

  • 4588297 Attachments can’t be downloaded or previewed from Outlook Web App
  • 4583531 Design change about inline images will be forced to download but not open in a new tab of OWA in Exchange Server 2016
  • 4583532 ELC MRM archiving fails due to DomainName in AuthServer in Exchange Server 2016
  • 4583533 Exchange Server 2016 installation fails with error “The user has insufficient access rights” 
  • 4583534 Event ID 65535 System.Runtime.Serialization errors in Application log in Exchange Server 2016
  • 4583535 New-Moverequest, Resume-Moverequest, and Remove-Moverequest not logged in Audit logs in Exchange Server 2016
  • 4583536 Set-MailboxFolderPermission is included in Mail Recipient Creation in Exchange Server 2016
  • 4583537 Update Korean word breaker in Exchange Server 2016
  • 4583538 Microsoft Teams REST calls exceed the default value of maxQueryStringLength in Exchange Server 2016
  • 4583539 Non-breaking space is visible in message body in Outlook in Exchange Server 2016
  • 4583545 Make DomainName in Authserver a multivalued parameter in Exchange Server 2016
  • 4593465 Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020

Notes:

  • These Cumulative Updates contain schema changes compared to the previous Cumulative Update. This requires you to run /PrepareSchema. Also, Active Directory changes require you to run PrepareAD (which also can perform the schema update, depending permissions). Consult the Exchange schema versions page for object version numbers.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to trail at most one version (n-1).
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates Exchange 2010-2019 (Dec2020)

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released December 8th. These fixes address the following vulnerability:

Exchange 2016 / 2019

  • CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17141: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2013

  • CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
  • CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2010

  • CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU7Download15.2.721.6KB4593465KB4588741
Exchange 2019 CU6Download15.2.659.11KB4593465KB4588741
Exchange 2016 CU18Download15.1.2106.6KB4593465KB4588741
Exchange 2016 CU17Download15.1.2044.12KB4593465KB4588741
Exchange 2013 CU23Download15.0.1497.10KB4593466
Exchange 2010 SP3 RU31 Download14.3.509.0KB4593467

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.