Hosting MTA-STS policy using GitHub Pages

Posted on by
2

The MTA-STS policy (MTA Strict Transport Security) is to prevent Man-In-The-Middle attacks by publishing authorized mail servers and prevent TLS downgrade attacks (Opportunistic TLS), when both parties support MTA-STS. MTA-STS is easier to implement over DANE with DNSSEC, which is expected to get inbound support in Exchange Online next year. Since I am using WordPress to host this blog, I was looking for ways to host the policy file for MTA-STS at the required location, as hosted WordPress does not offer this possibility.

There is documentation describing how to accomplish this using, for example, Azure Static Web Sites, but this requires an Azure subscription. There are also 3rd parties offering hosted MTA-STS, which are usually not free.

Then I stumbled upon the possibility of using a custom domain with GitHub pages, which can be used for this. So, here is a quick write-up on how to host your MTA-STS policy file on GitHub using GitHub Pages. This process could also be used when needed for hosting other files on GitHub.

Hosting MTA-STS Policy using GitHub Pages

Start by creating a new repository in GitHub. You can name it anything you want, but for the sake of the example, I called it mta-sts. Make sure it is public.

Next, we must create an empty file called .nojekyll in the repository. This file will instruct GitHub not to build pages, and just serve your files. So, Add file > Create new file, enter .nojekyll as Name your file and Commit changes.

Now, create the policy file that needs to be named mta-sts.txt in the .well-known folder file, select Add file > Create new file and enter .well-known/mta-sts.txt as the name of your file. This will also create the required folder. In the contents field, paste your policy. For example, the MTA-STS policy file when using only Exchange Online for receiving e-mail could look something like this:

version: STSv1
mode: testing
mx: *.mail.protection.outlook.com
max_age: 604800

When done, commit your changes to store the policy file on GitHub. For more information on the MTA-STS policy file definition, click here.

Next, we need to enable GitHub Pages for this repository. Go to Settings, and select the Pages tab. Under Branch, select the branch you want to publish, eg. main, and press Save. Note that GitHub Pages are served using a valid 3rd party certificate, which satisfies one of the requirements for MTA-STS.

New options should now appear on the GitHub Pages settings, one of which is Custom domain. If you decided to use a custom domain in the previous step, enter it here, eg. mta-sts.contoso.com, and click Save.

GitHub will start to check DNS for the presence of this domain. Time to head over to your ISP portal, and create the required records in DNS.

First, if you used a custom domain for hosting the MTA-STS policy, create a CNAME mta-sts record for your domain pointing to <user>.github.io or <org>.github.io, e.g.

mta-sts.contoso.com CNAME 3600 user.github.io

Next, create the DNS TXT _mta-sts record to indicate MTA-STS support, e.g.

_mta-sts.eightwone.com TXT 3600 v=STSv1; id=202310041637

Note that you need to update ‘id,’ usually with timestamp yyyymmddhhmm, whenever you make changes to the policy. This indicates to MTA-STS supporting hosts there has been a change on your end.

You are now set. After DNS some time for DNS to propagate changes, you can start verifying your configuration by browsing https://mta-sts.contoso.com/.well-known/mta-sts.txt, which should return your policy file without any certificate prompts. You can verify DNS and policy access using websites like MxToolbox or PowerDMARC. The example below was generated using EasyDMARC:

TLS Reporting

In addition to setting up MTA-STS, you can configure TLS Reporting (TLS-RPT). This will instruct supporting servers to report on TLS usage and mention certificate issues, for example. Note that these are reports on inbound messages, whereas Exchange Online offers information on outbound TLS usage. To set up TLS-RPT, configure a DNS TXT record _smtp._tls and specify a recipient for these reports, e.g.

_smtp._tls.contoso.com TXT 3600 v=TLSRPTv1; rua=mailto:tlsreports@contoso.com

The rua field contains the e-mail address where reports should be sent. You can process these reports in JSON format yourself or have one of the 3rd parties offering this service do this for you. The example below is generated by Dmarcian.

Security Updates Exchange 2016-2019 (Aug2023)

Posted on by
9

Last update Oct10: Added note about TokenCacheModule.

The Exchange product group released August V2 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-21709*Elevation of PrivilegeImportantCVSS:3.1 9.8 / 8.5
CVE-2023-38185Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-35368Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-38182Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-35388Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-38181SpoofingImportantCVSS:3.1 8.8 / 7.7

*) Requires additional steps; See below.

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.25KB5030524KB5026261
Exchange 2019 CU12Download15.2.1118.37KB5030524KB5026261
Exchange 2016 CU23Download15.1.2507.32KB5030524KB5025903

CVE-2023-21709

CVE-2023-21709 requires additional steps, which need to be performed after installing the August updates. These steps will remove the TokenCacheModule from IIS, preventing IIS (thus implicitly Exchange) from caching security tokens for password-authenticated sessions (Anonymous, BasicAuth, and Client Certificates) at a performance penalty as every request needs to get re-authenticated. Documentation on these steps, as well as a script to implement or undo these changes, can be found here.

Update October 10: Removal of TokenCacheModule is no longer recommended, as the vulnerability has been addressed in a Windows patch, CVE-2023-36434.

AES256 in Cipher Block Chaining mode

After installing these August updates, AES256-CBC will be the default encryption mode. In order to allow decrypting of Microsoft Purview Information Protection or Active Directory Rights Management Services, additional configuration is required. If you utilize RMS with Exchange on-premises, consult the steps in this KB article.

Issue with Non-English Operating Systems

The issue with the initial release of the August 2023 SU’s has been fixed in the V2 versions. Take note of the What-if table in the August SU V2 publication on how to proceed if you already installed V1 using the workaround. TLDR;:

  • If you installed V1 successfully (English OS), no action is needed, and installing V2 is optional (will only increase Exchange build numbers).
  • If you installed V1 on a non-English OS with the workaround, uninstall August SU V1, restart, install August SU V2, and clean up the workaround (dummy ‘Network Service’ account)
  • If you did not install V1 on a non-English OS or tried installing without success and re-enabled services using ServiceControl.ps1 -AfterPatch, install the August SU V2 update.

Right after the release of the Security Update, reports came in from customers with failed deployments for non-English operating systems. Installing the SU failed, leaving their Exchange server in a non-functional state as Exchange-related services were disabled. After Microsoft investigated the issue, it was found the SU installer uses the textual “Network Service” security principal during configuration. This does not work in other languages, where it needs to be the localized name, e.g. Netzwerkdienst (German) or SERVICE LOCAL (French). Using the well-known SID for this service principal (S-1-5-20), or using this to look up the actual name, would be the way to address this. This is also what the workaround in the support article is basically doing:

  1. Restore the startup state of Echange services using $exscripts\ServiceControl.ps1 AfterPatch.
  2. Creating a dummy “Network Service” account.
  3. Manually add Full Control on the ACL of HKLM:\SOFTWARE\Microsoft\MSIPC\Server for the ‘real’ Network Service security principal, which is what the SU should be doing. Under this key is where licenses used for Azure Information Protection are stored.

While having a workaround helps, it is not very maintainable, which is why I expect Microsoft to publish an update for the Security Update. Also, the whole situation gives to think about the mindset of developers who apparently only test using English operating systems. With still significant on-premises Exchange presence in countries such as Germany and France, making code OS language-independent and having it tested could use improvement.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
DST settings are inaccurate after an OS updateYesYes
Microsoft Exchange replication service repeatedly stops respondingYesYes
Chinese coded characters aren’t supported in Exchange Admin CenterYesYes
External email address field doesn’t display the correct usernameYesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend applying this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

MVP’s around the World (2023)

Posted on by
2

Another year, another Microsoft MVP award cycle. Happy and proud to report that yours truly received his 10th MVP Award. Thank you!

This is also a moment to have a quick peek at the MVP statistics. Below numbers are taken from the public MVP portal. Normally, notifications are sent out on July 1st, but this year we had a small delay. In anticipation of awardees also needing some time to accept their Non-Disclosure Agreement terms, these numbers are taken from July 18th. Comparing them to July of recent years should give an idea of the yearly trend, as people can get awarded every month. The yearly award cycle in July will logically see a drop.

Few points of attention:

  • Out of the 3.175 MVP’s published on the MVP portal, 142 do not disclose location, so those are not represented in below numbers.
  • New categories Security, Mixed Reality and Internet of Things were added.
  • New categories might result in MVP’s switching when those are a better indication of their community work.
  • Overall, more countries are now represented in the program compared to last year.
  • Numbers do not reflect changes throughout the year. The drop from just before the award cycle, which showed 3.440 MVP’s, is not visible.

MVP Awardees per Category

The following table contains the awardees per award category from July of 2019 up to 2023, plus change percentage.

ExpertiseJul2019Jul2020%Jul2021%Jul2022%Jul2023%
AI8412245%13813%128-7%105-18%
Business Applications16624045%32335%3519%44226%
Cloud and Datacenter Management232209-10%2195%164-25%136-17%
Data Platform3323588%3929%364-7%335-8%
Developer Technologies6446978%77010%715-7%7474%
Enterprise Mobility1061137%13318%14912%100-33%
Internet of Things000%00%00%430%
M365 Apps & Services4915124%5569%492-12%54110%
M365 Development476436%698%59-14%7019%
Microsoft Azure40946313%53415%5462%526-4%
Mixed Reality000%00%00%450%
Security000%00%00%1710%
Windows and Devices for IT5743-25%42-2%457%6136%
Windows Development119110-8%1209%92-23%37-60%
Award Count268729319%329612%3105-6%33598%
MVP Count263428498%322313%3023-6%31755%

Note: The difference between total number of awards and total number of MVP’s is because an MVP can be awarded in more than one category.

MVP Awardees per Country

The following table contains the awardees per country, plus change percentage compared to July last year.

CountryNo.(change)CountryNo.(change)CountryNo.(change)
Albania1 (0%)Honduras1 (100%)Paraguay1 (0%)
Argentina13 (-14%)Hong Kong6 (100%)Peru13 (0%)
Armenia0 (-100%)Hungary9 (0%)Philippines7 (-13%)
Australia109 (-2%)Iceland4 (-20%)Poland60 (13%)
Austria33 (13%)India81 (0%)Portugal21 (16%)
Azerbaijan2 (100%)Indonesia8 (0%)Puerto Rico1 (0%)
Bahrain1 (0%)Ireland34 (9%)Romania19 (11%)
Bangladesh4 (-34%)Israel14 (7%)Saudi Arabia5 (0%)
Belgium59 (7%)Italy66 (4%)Senegal1 (0%)
Bolivia3 (0%)Ivory Coast1 (0%)Serbia5 (66%)
Bosnia and Herzegovina7 (16%)Japan165 (0%)Singapore14 (0%)
Brazil123 (-9%)Kazakhstan1 (0%)Slovakia2 (0%)
Bulgaria10 (0%)Kenya3 (300%)Slovenia6 (-25%)
Cambodia1 (0%)Korea65 (10%)South Africa11 (-27%)
Canada121 (-5%)Latvia3 (-25%)Spain89 (14%)
Chile4 (-20%)Lithuania2 (0%)Sri Lanka9 (-31%)
China131 (24%)Luxembourg1 (0%)Sweden76 (0%)
Colombia14 (0%)Macedonia5 (0%)Switzerland50 (25%)
Costa Rica2 (-34%)Malaysia6 (-25%)Taiwan46 (12%)
Croatia15 (-7%)Malta0 (-100%)Thailand11 (10%)
Czech Republic30 (-4%)Mauritius0 (-100%)Netherlands167 (12%)
Denmark45 (18%)Mexico17 (-11%)Togo1 (100%)
Dom. Republic6 (-15%)Morocco2 (-50%)Tunisia1 (-50%)
Ecuador4 (100%)Myanmar2 (-34%)Turkey21 (10%)
Egypt4 (0%)Nepal4 (-20%)Ukraine9 (-25%)
El Salvador2 (0%)New Zealand40 (0%)UAE2 (-60%)
Estonia1 (-50%)Nicaragua1 (100%)UK258 (8%)
Finland31 (10%)Nigeria18 (50%)USA472 (1%)
France119 (8%)Norway44 (12%)Uruguay1 (0%)
Germany129 (4%)Pakistan5 (-17%)Uzbekistan2 (200%)
Ghana7 (0%)Palestine1 (0%)Venezuela1 (100%)
Greece5 (25%)Panama1 (0%)Vietnam5 (0%)
Guatemala1 (-50%)

If you have questions or comments, please leave them in the comments below.

Security Updates Exchange 2016-2019 (Jun2023)

Posted on by
Reply

The Exchange product group released June updates for Exchange Server 2016 and 2019.

Note: Missing Exchange 2013? Its support ended April, 2023. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-32031Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-28310Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.16KB5026261KB5024296
Exchange 2019 CU12Download15.2.1118.30KB5026261KB5024296
Exchange 2016 CU23Download15.1.2507.27KB5025903KB5024296

Other Issues
Apart from security fixes, these SU’s also fix the following:

FixExchange 2016Exchange 2019
“Object ‘<ServerName>’ couldn’t be found on ‘<DomainControllerName>'” error when trying to uninstall Exchange ServerYesYes
Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: The modified Permissions cannot be changed.YesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Exchange Updates (and more) – H1 2023

Posted on by
Reply

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2023, or CU13. This is Exchange 2019 only; no Exchange 2016 CU.

Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following functionality enhancements:

Modern Authentication On-Premises Support
After dropping support for Basic Authentication in Exchange Online, organizations that remained on-premises for various reasons, and could not deploy Exchange Hybrid, were left out in doubt how to proceed. Last year, Microsoft gave them some perspective, following a roadmap announcement.

This CU is a first step, allowing organizations running AD FS 2019 to deploy Exchange 2019 CU13, and configure AD FS as their authentication provider. Be advised that this also requires clients to support this change in authentication logic. First, Outlook for Windows will contain support for this in build 16327.20200 and later. Support for other Outlook clients has an ETA of end of year. Outlook on the Web already supports claims-based authentication using AD FS, which is a form of Modern Authentication.

Finally, organization running Exchange 2016 can deploy Exchange 2019 CU13 in front of those Exchange 2016 servers, allowing then to handle clients request, and thus authenticate them using AD FS. After deployment, organizations can enable Modern Authentication on the organization or at the mailbox level, using Exchange’s Authentication Policies.

For more information about deploying Modern Authentication with Exchange on-premises, see Enabling Modern Auth in Exchange On-Premises. The page also includes an insightful diagram on the authentication flow.

Configuration Backup/Restore
Administrators might tweak configuration files belonging to their Exchange deployment, e.g. web.config. Deploying CUs meant that those files were overwritten, and administrators had to re-apply changes. With CU13, setup will now preserve a fixed set of elements in those configuration files. For more information, see Exchange Server custom configuration preservation.

TLS 1.3
Unfortunately, nothing yet about TLS 1.3 support.

Earlier Exchange Versions
Exchange 2013 reached end of life early April. No Cumulative Update for Exchange 2016 CU23, which is in extended support, and will only receive security updates until October, 2025. Exchange 2016 is supported when you run CU23 with the March 2023 Security Update applied.

Download
Link to the update as well as a description of changes and fixes are below. The column Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, in order to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

VersionBuildKBDownloadUMLPSchemaAD
Exchange 2019 CU1315.2.1258.12KB5020999Download NY

Exchange 2019 CU13 fixes:

  • 5027150 Enable Modern Auth for pure On-Premises Exchange users
  • 5026134 “InvalidRecipientsException” when you try to run MRM
  • 5026135 CertificateDeploymentServicelet failure in multiple domain forest Exchange deployments
  • 5026136 Microsoft Exchange Transport doesn’t re-encrypt IRM messages
  • 5026138 Users receive reminders although the meeting reminder is set to None
  • 5026139 You can’t move the public folder mailbox
  • 5026142 Journal message returns “ConversionFailedException”
  • 5026143 OAB shadow distribution threshold must be reduced or made configurable
  • 5026146 Expiry notification is sent to moderator and sender for approved and delivered messages
  • 5026147 BlockLegacyAuthentication fail Organization Policy because of BackendRehydrationModule implementation
  • 5026149 Group metrics generation doesn’t finish in multidomain environment
  • 5026150 Edge server Filtering Agent removes journal attachments
  • 5026151 Oab-Processing-Threshold is set to 0 for On-Premises
  • 5026152 Microsoft Exchange ActiveSync or Current Requests counter inaccurately counts requests
  • 5026153 Delivery Flow Control setting override is now available
  • 5026154 On-premises Exchange has 35MB file size limit for online archiving
  • 5026155 “No support for this operation” error on an Exchange 2019 DAG member server
  • 5026156 Outlook search fails in a shared On-Premises mailbox if the primary user mailbox is migrated to Exchange Online
  • 5026158 The body of recurring meeting is not clear if it has Chinese characters
  • 5026159 IconIndex returns Default value when Server Assisted Search is used in Outlook
  • 5026266 “Could not start MS Exchange Service Host service” error and Exchange stops responding
  • 5026267 OWA stops responding in an Exchange 2019 and 2016 coexistence topology
  • 5026268 Store Worker process crashes and returns “System.NullReferenceExceptions” multiple times per day
  • 5026269 Block deserialization error when using eDiscovery
  • 5026271 IIS URL Rewrite Module link is incorrect
  • 5026273 Outlook configuration fails in Android or iOS
  • 5026274 Hybrid Agent Validation fails after Extended Protection is enabled
  • 5026277 Mail configuration fails on iOS device after Extended Protection is enabled
  • 5026278 Mailbox migration fails after Extended Protection is enabled

Notes

  • If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
  • When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
  • Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
  • When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
  • Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to inability to validate script signatures.
  • If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
  • Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
  • Once upgraded, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
  • The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Teams Calendar View in Apple CarPlay

Posted on by
3

A small post on something that I only noticed today, which is that one of the recent updates for the Teams app on iOS introduced the much welcome support for Calendar View in Teams on CarPlay. This was published since January as Roadmap ID 114306 and is also published in the Message Center as MC516905. I am currently running Teams for iOS version 5.5.0, so that build definitely contains this functionality.

No longer you need to tell Siri you want to join your ‘next meeting’, as you now will be presented with current and upcoming events. You can join any meetings early simply by tapping on them, and joinable meetings will display a phone icon, which you can also tap to join. Of course, you can only join Teams meetings, if you tap a regular appointment you will get a notice that this is not a Teams meeting.

The picture below shows the Calendar View both on Teams Mobile (left) and the corresponding view as displayed on Teams for iOS with CarPlay (right). It shows our Test meeting which is currently in progress, as indicated by a progress bar as well.

Note that the calendar view is showing today’s items, and only from the currently active account in Teams Mobile on your connected mobile device. If you have multiple accounts configured, switching accounts on Teams Mobile is required to show their respective calendars. Doing so will update the Calendar View immediately and allows you to join those meetings using the display. A holistic view would be nice, but compared to where Teams on CarPlay is coming from, this is already a big step in usability.

A small request to the Teams development group: Please use meaningful descriptions to the version history, as this added functionality is nowhere to be found between the “Bug fixes and performance improvements” and occasional mention of functionality changes.

Security Updates Exchange 2013-2019 (Mar2023)

Posted on by
Reply

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

VulnerabilityCategorySeverityRating
CVE-2022-21978Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.26KB5024296KB5023038
Exchange 2019 CU11Download15.2.986.42KB5024296KB5023038
Exchange 2016 CU23Download15.1.2507.23KB5024296KB5023038
Exchange 2013 CU23Download15.0.1497.48KB5024296KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigningYesYesYes
EEMS stops responding after TLS endpoint certificate updateYesYesYes
Get-App and GetAppManifests fail and return an exceptionYesYesYes
EWS does not respond and returns an exceptionYesYesYes
An exception is returned while opening a template in the Exchange ToolboxYesYesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Feb2023)

Posted on by
2

[20Feb] Added information regarding issues reported.

The Exchange product group released February updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2023-21529Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21706Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21707Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-21710Remote Code ExecutionImportantCVSS:3.1 7.2 / 6.3

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.25KB5023038KB5022193
Exchange 2019 CU11Download15.2.986.41KB5023038KB5022193
Exchange 2016 CU23Download15.1.2507.21KB5023038KB5022143
Exchange 2013 CU23Download15.0.1497.47KB5023038KB5022188

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
Export-UMPrompt fails with InvalidResponseExceptionYesYesN/A
Edge Transport service returns an “EseNtOutOfSessions” ExceptionYesYesYes
Exchange services in automatic startup mode do not start automaticallyYesYesYes
Data source returns incorrect checkpoint depthYesYesYes
Serialization fails while tried accessing Mailbox Searches in ECPYesYesYes
Transport delivery service mishandles iCAL eventsYesYesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

[20Feb] Shortly after release, people reported through the comments that EWS started having issues after deploying the security update. Symptoms reported were problems with (server side) searches, add-ins not loading, and calendar operations such as scheduling or sharing taking a long time to load. Since it’s EWS having problems, applications depending on this protocol also may stop to work, such as Teams.

Meanwhile, Microsoft acknowledged an issue with the initial publication, and published workaround. If experience issues and see the event 4999 in your Eventlog:

E12IIS, c-RTL-AMD64, 15.01.2507.021, w3wp#MSExchangeServicesAppPool, M.Exchange.Diagnostics, M.E.D.ChainedSerializationBinder.EnforceBlockReason, M.E.Diagnostics.BlockedDeserializeTypeException, 437c-dumptidset, 15.01.2507.021.

follow the instructions in the following KB article link:

  1. On each Exchange server, create a registry key
    New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics -Name 'DisableBaseTypeCheckForDeserialization' -Value 1 -Type String
  2. Create a global override setting
    New-SettingOverride -Name 'Adding learning location ClientExtensionCollectionFormatter' -Component Data -Section DeserializationBinderSettings -Parameters @('LearningLocations=ClientExtensionCollectionFormatter') -Reason 'Deserialization failed'
  3. If you cannot wait until the override configuration kicks in (may take an one hour), refresh it manually:
    • Get-ExchangeDiagnosticInfo -Process Microsoft.Exchange.Directory.TopologyService -Component VariantConfiguration -Argument Refresh
    • Restart IIS and the Windows Activation Proces on each server
      Restart-Service -Name W3SVC, WAS -Force

Be advised that event 4999 might still show up in your Eventlog, and it has been reported that this might not completely does away with the issues reported. Keep an eye on the original post and EHLO blog for any future updates.

Security Updates Exchange 2013-2019 (Jan2023)

Posted on by
2

The Exchange product group released January updates for Exchange Server 2013, 2016 and 2019.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2023-21764Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21763Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-21745SpoofingImportantCVSS:3.1 8.8 / 7.9
CVE-2023-21762SpoofingImportantCVSS:3.1 8.0 / 7.0
CVE-2023-21761Information DisclosureImportantCVSS:3.1 7.5 / 6.5

The Security Updates for each Exchange Server version are linked below. Note that only CVE-2023-21762 applies to Exchange Server 2013:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.21KB5022193KB5019758
Exchange 2019 CU11Download15.2.986.37KB5022193KB5019758
Exchange 2016 CU23Download15.1.2507.17KB5022143KB5019758
Exchange 2013 CU23Download15.0.1497.45KB5022188KB5019758

In case you are wondering why Exchange Server 2016 CU22 is not mentioned: CU22 went out of support, and only CU23 will continue to receive security updates. On another note, Exchange 2013 support will end in April, 2023, meaning it it will stop receiving security updates. Recommendation is to upgrade to a more recent version.

Payload Serialization Signing
Apart from fixing security issues, these SUs also introduce support for certificate-based signing of PowerShell serialization payloads. TLDR; it allows for signing data to identify possible tampering. More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. In order to verify or configure signing, a script has been published here, or check here if you prefer manual steps. Note that all your Exchange servers need to run this SU before you enable signing, as each Exchange server needs to understand the signing.

Other Issues
Apart from security fixes, these SUs also fix the following:

Issue Ex2013Ex2016Ex2019
Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per dayYesYes
Can’t record or play in Exchange Unified MessagingYesYes
Exchange Application log is flooded with Event ID 6010Yes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing. If you are running Exchange 2019 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Nov2022)

Posted on by
Reply

The Exchange product group released November updates for Exchange Server 2013, 2016 and 2019. Note that these Security Updates address the vulnerabilities CVE-2022-41040 and CVE-2022-41082 that were reported end of September. More on those in an earlier post.

Note: You can keep the current URLScan mitigations in-place, and remove them after installing these security updates at your convenience. The recommendation to disable Remote PowerShell for non-admins is upheld, but this is best practice regardless.

The vulnerabilities addressed in these Security Updates are:

VulnerabilityCategorySeverityRating
CVE-2022-41040Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.9
CVE-2022-41082Elevation of PrivilegeImportantCVSS:3.1 8.8 / 8.3
CVE-2022-41078Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41123Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2022-41079Elevation of PrivilegeImportantCVSS:3.1 8.0 / 7.0
CVE-2022-41080Elevation of PrivilegeCriticalCVSS:3.1 8.8 / 7.7

The following Security Updates address these vulnerability for the Exchange builds mentioned, with the exception of CVE-2022-41123 which does not apply to Exchange Server 2013:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.20KB5019758KB5019077
Exchange 2019 CU11Download15.2.986.36KB5019758KB5019077
Exchange 2016 CU23Download15.1.2507.16KB5019758KB5019077
Exchange 2016 CU22Download15.1.2375.37KB5019758KB5019077
Exchange 2013 CU23Download15.0.1497.44KB5019758KB5019076

In case you missed it, per the Security Updates of August, you can enable Windows Extended Protection for increased protection against certain vulnerabilities. More information this process and its requirements can be found in the post on the August updates here.

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.

Exchange servers running as part of hybrid deployment are running services, and thus need to be included in the patch cycle. If you are running Exchange 2019 CU12 Management Tools-only (for recipient management), you do not need to deploy this SU.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.