Tag Archives: Exchange2016

Security Updates Exchange 2016-2019 (Nov2023)

Posted on by
Reply

The Exchange product group released November updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-36439Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36050Spoofing ImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36039Spoofing ImportantCVSS:3.1 8.0 / 7.0
CVE-2023-36035SpoofingImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.28KB5032146KB5030877
Exchange 2019 CU12Download15.2.1118.40KB5032146KB5030877
Exchange 2016 CU23Download15.1.2507.35KB5032147KB5030877

Payload Serialization Signing

Be advised that these updates will enable payload signing by default. Payload serialization signing signs PowerShell payloads to identify possible tampering. Support for certificate-based signing of PowerShell serialization payloads got added with January security updates and is a per-server configuration. In other words, make sure you have deployed the January security updates before implementing these security updates, so your Exchange servers support payload signing before you can enable it one server at a time.

More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. To verify or configure signing, use the script published here or follow the manual steps. Signing leverages the organization-wide available Exchange Auth Certificate, which needs to be present and valid; the MonitorExchangeAuthCertificate.ps1 script can help you verify this.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Signing of the serialisation payload fails to run the few cmdletsYesYes
Unable to migrate mailbox as communication error parameter exception occursYesYes
InvalidResponseException when you try to run Export-UMPromptYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2016-2019 (Oct2023)

Posted on by
1

The Exchange product group released October updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-36726Elevation of PrivilegeImportantCVSS:3.1 7.8 / 6.8
CVE-2023-36780Remote Code ExecutionImportantCVSS:3.1 7.2 / 6.3
CVE-2023-36778Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.27KB5030877KB5030524
Exchange 2019 CU12Download15.2.1118.39KB5030877KB5030524
Exchange 2016 CU23Download15.1.2507.34KB5030877KB5030524

TokenCacheModule

The recommendation for the August updates was to disable the TokenCacheModule in IIS to mitigate an Elevation of Privilege issue in IIS. That issue is fixed with a Windows update for CVE-2023-36434. Thus, after installing this update for IIS, it is no longer recommended to disable TokenCacheModule. When you have disabled it after installing the August 2023 updates, you can enable it again using New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll", or use the CVE-2023-21709.ps1 script specifying the -Rollback switch to (re-)enable it on all of your Exchange servers.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
Users in account forest can’t change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SUYesYes
Details Templates Editor fails and returns BlockedDeserializeTypeExceptionYesYes
Extended Protection causes Outlook for Mac to fail to download the OAB (use updated Extended Protection script)YesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2016-2019 (Aug2023)

Posted on by
9

Last update Oct10: Added note about TokenCacheModule.

The Exchange product group released August V2 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-21709*Elevation of PrivilegeImportantCVSS:3.1 9.8 / 8.5
CVE-2023-38185Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-35368Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-38182Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-35388Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0
CVE-2023-38181SpoofingImportantCVSS:3.1 8.8 / 7.7

*) Requires additional steps; See below.

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.25KB5030524KB5026261
Exchange 2019 CU12Download15.2.1118.37KB5030524KB5026261
Exchange 2016 CU23Download15.1.2507.32KB5030524KB5025903

CVE-2023-21709

CVE-2023-21709 requires additional steps, which need to be performed after installing the August updates. These steps will remove the TokenCacheModule from IIS, preventing IIS (thus implicitly Exchange) from caching security tokens for password-authenticated sessions (Anonymous, BasicAuth, and Client Certificates) at a performance penalty as every request needs to get re-authenticated. Documentation on these steps, as well as a script to implement or undo these changes, can be found here.

Update October 10: Removal of TokenCacheModule is no longer recommended, as the vulnerability has been addressed in a Windows patch, CVE-2023-36434.

AES256 in Cipher Block Chaining mode

After installing these August updates, AES256-CBC will be the default encryption mode. In order to allow decrypting of Microsoft Purview Information Protection or Active Directory Rights Management Services, additional configuration is required. If you utilize RMS with Exchange on-premises, consult the steps in this KB article.

Issue with Non-English Operating Systems

The issue with the initial release of the August 2023 SU’s has been fixed in the V2 versions. Take note of the What-if table in the August SU V2 publication on how to proceed if you already installed V1 using the workaround. TLDR;:

  • If you installed V1 successfully (English OS), no action is needed, and installing V2 is optional (will only increase Exchange build numbers).
  • If you installed V1 on a non-English OS with the workaround, uninstall August SU V1, restart, install August SU V2, and clean up the workaround (dummy ‘Network Service’ account)
  • If you did not install V1 on a non-English OS or tried installing without success and re-enabled services using ServiceControl.ps1 -AfterPatch, install the August SU V2 update.

Right after the release of the Security Update, reports came in from customers with failed deployments for non-English operating systems. Installing the SU failed, leaving their Exchange server in a non-functional state as Exchange-related services were disabled. After Microsoft investigated the issue, it was found the SU installer uses the textual “Network Service” security principal during configuration. This does not work in other languages, where it needs to be the localized name, e.g. Netzwerkdienst (German) or SERVICE LOCAL (French). Using the well-known SID for this service principal (S-1-5-20), or using this to look up the actual name, would be the way to address this. This is also what the workaround in the support article is basically doing:

  1. Restore the startup state of Echange services using $exscripts\ServiceControl.ps1 AfterPatch.
  2. Creating a dummy “Network Service” account.
  3. Manually add Full Control on the ACL of HKLM:\SOFTWARE\Microsoft\MSIPC\Server for the ‘real’ Network Service security principal, which is what the SU should be doing. Under this key is where licenses used for Azure Information Protection are stored.

While having a workaround helps, it is not very maintainable, which is why I expect Microsoft to publish an update for the Security Update. Also, the whole situation gives to think about the mindset of developers who apparently only test using English operating systems. With still significant on-premises Exchange presence in countries such as Germany and France, making code OS language-independent and having it tested could use improvement.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue FixedExchange 2016Exchange 2019
DST settings are inaccurate after an OS updateYesYes
Microsoft Exchange replication service repeatedly stops respondingYesYes
Chinese coded characters aren’t supported in Exchange Admin CenterYesYes
External email address field doesn’t display the correct usernameYesYes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend applying this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2016-2019 (Jun2023)

Posted on by
Reply

The Exchange product group released June updates for Exchange Server 2016 and 2019.

Note: Missing Exchange 2013? Its support ended April, 2023. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

VulnerabilityCategorySeverityRating
CVE-2023-32031Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7
CVE-2023-28310Remote Code ExecutionImportantCVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU13Download15.2.1258.16KB5026261KB5024296
Exchange 2019 CU12Download15.2.1118.30KB5026261KB5024296
Exchange 2016 CU23Download15.1.2507.27KB5025903KB5024296

Other Issues
Apart from security fixes, these SU’s also fix the following:

FixExchange 2016Exchange 2019
“Object ‘<ServerName>’ couldn’t be found on ‘<DomainControllerName>'” error when trying to uninstall Exchange ServerYesYes
Changing the permissions for Public Folders by using an Outlook client will fail with the following error, if Extended Protection is enabled: The modified Permissions cannot be changed.YesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2013-2019 (Mar2023)

Posted on by
Reply

The Exchange product group released March updates for Exchange Server 2013, 2016 and 2019. Be advised that the Exchange team also put out a notice for fixed vulnerability in Outlook (CVE-2023-23397), together with a supporting script to analyze mailboxes for this possible exploit (link), which is rather uncommon.

The vulnerability addressed in these Security Updates for Exchange Server is:

VulnerabilityCategorySeverityRating
CVE-2022-21978Remote Code ExecutionImportantCVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

ExchangeDownloadBuildKBSupersedes
Exchange 2019 CU12Download15.2.1118.26KB5024296KB5023038
Exchange 2019 CU11Download15.2.986.42KB5024296KB5023038
Exchange 2016 CU23Download15.1.2507.23KB5024296KB5023038
Exchange 2013 CU23Download15.0.1497.48KB5024296KB5023038

Note: As mentioned last month, be advised that Exchange Server 2013 support will end in April, 2023. This means: Exchange 2013 will stop to receive security updates. Recommendation is to upgrade to a more recent version, or move to Exchange Online.

Other Issues
Apart from security fixes, these SUs also fix the following:

IssueExchange 2013Exchange 2016Exchange 2019
You can’t access Toolbox on Exchange after enabling EnableSerializationDataSigningYesYesYes
EEMS stops responding after TLS endpoint certificate updateYesYesYes
Get-App and GetAppManifests fail and return an exceptionYesYesYes
EWS does not respond and returns an exceptionYesYesYes
An exception is returned while opening a template in the Exchange ToolboxYesYesYes

Notes:

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU12 to Exchange 2019 CU11. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g. Exchange2019-CU12-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative and you only need to install the latest SU for your CU.
  • Exchange servers running as part of hybrid deployment are managed through PowerShell, and thus need to be receive this patch and eventually be enabled for payload signing.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers, or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, I’d recommend to apply this in a test environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach; the ratings are an indication of the urgency.