A quick blog on recently published security updates for Exchange Server 2013 up to Exchange Server 2019 and Exchange Server 2010 as well. These fixes address the following vulnerabilities:
- CVE-2020-0692: Microsoft Exchange Server Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to change parameters in the Security Access Token and forward it to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. To address this vulnerability, Microsoft has changed the way EWS handles these tokens.
This vulnerability does not apply to Exchange 2010.
- CVE-2020-0688: Microsoft Exchange Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.
The CVE documents contain more details on the vulnerabilities. In addition, KB4536989 (Rollup 30) for Exchange 2010 and KB4536988 for Exchange 2013 also fix the following issue:
- KB4540267 MSExchangeDelivery.exe or EdgeTransport.exe crashes in Exchange Server 2013 and Exchange Server 2010
Both vulnerabilities are fixed by a single security update per Exchange version, which you can find in the table below.
| Version | Download | Build | Security Update | Previous Update |
|---|---|---|---|---|
| Exchange 2019 CU4 | Download | 15.2.529.8 | KB4536987 | KB4523171 |
| Exchange 2019 CU3 | Download | 15.2.464.11 | KB4536987 | KB4523171 |
| Exchange 2016 CU15 | Download | 15.1.1913.7 | KB4536987 | KB4523171 |
| Exchange 2016 CU14 | Download | 15.1.1847.7 | KB4536987 | KB4523171 |
| Exchange 2013 CU23 | Download | 15.0.1497.6 | KB4536988 | KB4523171 |
| Exchange 2010 SP3 RU30 | | | KB4536989 | KB4509410 |
Be advised that the Security Updates for Exchange 2013-2019 are Cumulative Update level specific. Unfortunately, the security update carries the same name for different CUs, and you cannot apply the update for Exchange 2016 CU15 to Exchange 2016 CU14. I would suggest tagging the Cumulative Update in the file name used, e.g. Exchange2016-CU15-KB4536987-x64-en.msp.
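Because the update is CU-specific and does not change the version shown by Get-ExchangeServer, a quick way to verify that the right package landed is to compare the ExSetup.exe build with the post-update builds in the table. The script below is an added example, not from the original post or from Microsoft; it covers the Exchange 2013-2019 rows only (the table lists no build for Exchange 2010) and assumes the standard install path exposed through the ExchangeInstallPath environment variable.

```powershell
# Added example (not from the original post): compares the local Exchange build
# with the post-update builds from the table above and reports which CU-specific
# Security Update applies. Assumes $env:ExchangeInstallPath is set (it is on
# Exchange 2013-2019 servers); Exchange 2010 is not covered.

# Patched builds per Cumulative Update, taken from the table in the post.
$Fixed = @(
    @{ Name = 'Exchange 2019 CU4';  Build = [version]'15.2.529.8';  KB = 'KB4536987' },
    @{ Name = 'Exchange 2019 CU3';  Build = [version]'15.2.464.11'; KB = 'KB4536987' },
    @{ Name = 'Exchange 2016 CU15'; Build = [version]'15.1.1913.7'; KB = 'KB4536987' },
    @{ Name = 'Exchange 2016 CU14'; Build = [version]'15.1.1847.7'; KB = 'KB4536987' },
    @{ Name = 'Exchange 2013 CU23'; Build = [version]'15.0.1497.6'; KB = 'KB4536988' }
)

function Get-ExchangeSecurityUpdateState {
    param(
        # ExSetup.exe carries the build including Security Updates;
        # AdminDisplayVersion from Get-ExchangeServer only reflects the CU.
        [string]$ExSetupPath = (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')
    )
    if (-not (Test-Path $ExSetupPath)) {
        throw "ExSetup.exe not found at $ExSetupPath (is this an Exchange server?)"
    }
    $local = [version](Get-Item $ExSetupPath).VersionInfo.FileVersion

    # major.minor.build identifies the CU line; the revision changes with the SU.
    $cu = $Fixed | Where-Object {
        $_.Build.Major -eq $local.Major -and
        $_.Build.Minor -eq $local.Minor -and
        $_.Build.Build -eq $local.Build
    }
    if (-not $cu) {
        return [pscustomobject]@{
            CU = 'not in table'; Build = $local
            Status = 'Install a CU from the table first, then its Security Update'
        }
    }
    $status = if ($local -ge $cu.Build) { 'Security Update applied' }
              else { "Missing $($cu.KB) for $($cu.Name)" }
    [pscustomobject]@{ CU = $cu.Name; Build = $local; Status = $status }
}

Get-ExchangeSecurityUpdateState
```

Run it from the Exchange Management Shell on each server; a CU that is not in the table means the server first needs one of the listed CUs before the matching Security Update can be applied.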
Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend applying this in an acceptance environment first, prior to implementing it in production.