Security Updates Exchange 2013-2019 (Nov2020)

Posted on November 10, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:

CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.4	KB4588741	KB4581424
Exchange 2019 CU6	Download	15.2.659.8	KB4588741	KB4581424
Exchange 2016 CU18	Download	15.1.2106.4	KB4588741	KB4581424
Exchange 2016 CU17	Download	15.1.2044.8	KB4588741	KB4581424
Exchange 2013 CU23	Download	15.0.1497.8	KB4588741	KB4581424

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Security Updates Exchange 2013-2019 (Oct2020)

Posted on October 14, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released October 13th. These fixes address the following vulnerability:

CVE-2020-16969: Microsoft Exchange Information Disclosure Vulnerability
An information disclosure vulnerability exists in how Microsoft Exchange validates tokens when handling certain messages. An attacker who successfully exploited the vulnerability could use this to gain further information from a user.

To exploit the vulnerability, an attacker could include specially crafted OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems.

The security update corrects the way that Exchange handles these token validations.

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.3	KB4581424	KB4577352
Exchange 2019 CU6	Download	15.2.659.7	KB4581424	KB4577352
Exchange 2016 CU18	Download	15.1.2106.3	KB4581424	KB4577352
Exchange 2016 CU17	Download	15.1.2044.7	KB4581424	KB4577352
Exchange 2013 CU23	Download	15.0.1497.7	KB4581424	KB4536988

Exchange Updates – June 2020

Posted on June 16, 2020 by Michel de Rooij

The Exchange Team released the quarterly Cumulative Updates for Exchange Server 2019 as well as Exchange 2016. Like the previous two Cumulative Updates, these require .NET Framework 4.8.

Apart from fixes as well as security updates included from the previous CU, these update contain the following changes for both builds:

Added additional file types to default OWA Mailbox Policy for Blocked File Extensions. More information in KB4559446.
Added support to Restore-RecoverableItems for easier usage. More details in KB4547707.

Links to the updates as well as a description of changes and fixes are described below.

Version	Build	KB	Download	UMLP	Schema
Exchange 2019 CU6	15.2.659.4	KB4556415	VLSC		N
Exchange 2016 CU17	15.1.2044.4	KB4556414	Download	UMLP	N

Exchange 2019 CU6 fixes:

4559441 Foreign language characters set in RejectMessageReasonText of a transport rule aren’t shown correctly in Exchange Server 2019
4547707 Enable piping for Restore-RecoverableItems in Exchange Server 2019
4549689 HMA EvoSTS certificate rollover causes authentication prompts due to stalled key on worker process spawn (warmup phase) in Exchange Server 2019
4559446 Changes to Outlook on the web blocked file extensions and MIME types in Exchange Server 2019
4559440 Export to a PST for an eDiscovery search fails Exchange Server 2019
4559439 EAS creates failure report if a message with unknown recipients is in Drafts in Exchange Server 2019
4559442 2080 Events caused by empty values in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0 in Exchange Server 2019
4559438 Edge Transport server hangs in Exchange Server 2019
4559443 Managed Folder Assistant fails with Event ID 9004 NotInBagPropertyErrorException in Exchange Server 2019
4559437 PR_RECIPIENT_ENTRYID is computed if no email address or type in Exchange Server 2019
4559444 Conversion from HTML to RTF removes non-breaking space in Exchange Server 2019
4559436 Attachments with properties (like Azure Information Protection labels) not always matching in Exchange Server 2019
4559435 Introduce an OrganizationConfig flag to enable or disable recipient read session in Exchange Server 2019

Exchange 2016 CU17 fixes:

4559444 Conversion from HTML to RTF removes non-breaking space in Exchange Server 2016
4559435 Introduce an OrganizationConfig flag to enable or disable recipient read session in Exchange Server 2016
4547707 Enable piping for Restore-RecoverableItems in Exchange Server 2019 and 2016
4559436 Attachments with properties (like Azure Information Protection labels) don’t always match in Exchange Server 2016
4559437 PR_RECIPIENT_ENTRYID is computed if no email address or type in Exchange Server 2016
4559438 Edge Transport server hangs in Exchange Server 2016
4559439 EAS creates failure report if a message with unknown recipients is in Drafts in Exchange Server 2016
4559440 Export to a PST for an eDiscovery search fails in Exchange Server 2016
4559441 Foreign language characters set in RejectMessageReasonText of a transport rule aren’t shown correctly in Exchange Server 2016
4559442 2080 Events caused by empty values in HKLM\SYSTEM\CurrentControlSet\Services\MSExchange ADAccess\Instance0 in Exchange Server 2016
4549689 HMA EvoSTS certificate rollover causes authentication prompts due to stalled key on worker process spawn (warmup phase) in Exchange Server 2016
4559443 Managed Folder Assistant fails with Event ID 9004 NotInBagPropertyErrorException in Exchange Server 2016
4559446 Changes to Outlook on the web blocked file extensions and MIME types in Exchange Server 2016

Notes:

These Cumulative Updates do not contain schema changes compared to their previous Cumulative Update.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are required to delay installing at most one version (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of installation shouldn’t matter with the “every server is an island” concept, yet recommended is to upgrade internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution:

As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Security Updates for Exchange 2013 & 2016

Posted on December 13, 2017 by Michel de Rooij

Despite the quarterly wave of Cumulative Updates being imminent, CVE-2017-11932 and ADV170023 warranted a quick release of Security Update KB4045655 for current versions of Exchange 2013 and Exchange 2016.

This security update fixes a vulnerability in OWA, which could allow elevation of privilege or spoofing if an attacker sends an email that has a specially crafted attachment to a vulnerable Exchange server.

You can download the security updates here:

Exchange Server 2016 CU7 (v15.1.1261.37)
Exchange Server 2016 CU6 (v15.1.1034.33)
Exchange Server 2013 CU18 (v15.0.1347.3)
Exchange Server 2013 CU17 (v15.0.1320.7)

Be advised the update may leave your Exchange services in a disabled state, despite installing correctly. In those cases, reconfigure those services to Automatic and start them manually.

Also note that this security update overrides an earlier update, KB4036108, which might cause Calendar Sharing issues when split DNS is used.

Security updates are Cumulative Update level specific. Be advised that updates may carry the same name, e.g. the update for CU7 and the one for CU6 are both Exchange2016-KB4045655-x64-en.msp. I suggest adding some form of Cumulative Update identification to the file name when archiving it, e.g. Exchange2016-KB4045655-x64-en-CU7.msp.

As with any patch or update, I’d recommend to thoroughly test this in a test and acceptance environment first, prior to implementing it in production.