Security Updates Exchange 2016-2019 (Mar2024)

Posted on March 13, 2024 by Michel de Rooij

The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability	Category	Severity	Rating
CVE-2024-26198	Remote Code Execution	Important	CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU14	Download	15.2.1544.9	KB5036401	KB5032146
Exchange 2019 CU13	Download	15.2.1258.32	KB5036402	KB5032146
Exchange 2016 CU23	Download	15.1.2507.37	KB5036386	KB5032147

OutsideInModule

Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling these is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for usage in Exchange Transport Rules or Data Loss Prevention rules. More information is here.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue Fixed	Exchange 2016	Exchange 2019
EWS search request displays inaccurate results	Yes	Yes

Notes

Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Exchange 2019 CU14 (2024 H1)

Posted on February 13, 2024 by Michel de Rooij

The Exchange Team released Exchange Server 2019 Cumulative Update H1 2024, or CU14. Apart from the fixes, this Cumulative Update for Exchange 2019 contains the following changes:

.NET Framework 4.8.1 support on Windows Server 2022
Extended Protection will be enabled by default on the server where you installed CU14 (and later). You can override this behavior during setup or by specifying the DoNotEnableEP or DoNotEnableEPFEEWS when running setup unattended. More info on these switches, as well as the Extended Protection requirements and how to configure it, can be found here.

Unfortunately, TLS 1.3 support has been moved to CU15.

CVE-2024-21410
Enabling Extended Protection also addresses the just released CVE-2024-21410. This also applies to Exchange 2016 and even Exchange 2013 when you deployed the August 2022 Security Update on those servers and enabled Extended Protection on them.

Vulnerability	Category	Severity	Rating
CVE-2024-21410	Elevation of Privilege	Critical	CVSS:3.1 9.8 / 9.1

Download
Link to the update as well as a description of changes and fixes are below. The columns Schema and AD indicate if the CU contains Schema (/PrepareSchema) and Active Directory (PrepareAD) changes compared to the previous CU. Refer to the Exchange Schema page for schema and related versioning information. Also, to be able to manage Modern Authentication, administrators need to explicitly run /PrepareAD.

Version	Build	KB	Download	UMLP	Schema	AD
Exchange 2019 CU14	15.2.1544.4	KB5035606	Download		N	Y

Exchange 2019 CU14 fixes:

5035442 Exchange Mitigation Service does not log incremental updates
5035443 Read receipts are returned if ActiveSyncSuppressReadReceipt is “True” in Exchange Server 2019
5035444 System.argumentnullexception when you try to run an eDiscovery search
5035446 OAB shadow distribution fails if legacy authorization is blocked
5035448 MCDB fails and leads to lagged copy activation
5035450 Exchange 2019 setup installs an outdated JQuery library
5035452 Usernames are not displayed in Event ID 23 and 258
5035453 Issues in Exchange or Teams when you try to delegate information
5035455 MSExchangeIS stops responding and returns “System.NullReferenceExceptions” multiple times per day
5035456 “Deserialization blocked at location HaRpcError” error and Exchange replication stops responding
5035493 FIP-FS Proxy Customizations are disabled after a CU or an SU update
5035494 Modern attachment doesn’t work when web proxy is used in Exchange Server 2019
5035495 OWA displays junk operations even if junk mail reporting is disabled
5035497 Edit permissions option in the ECP can’t be edited
5035542 Remote equipment and room mailboxes can now be managed through EAC
5035616 Logon events failure after updating Windows Server
5035617 Transport rules aren’t applied to multipart or alternative messages
5035689 “High %Time in GC” and EWS doesn’t respond

Notes

If Cumulative Updates contain schema changes compared to the Cumulative Update you currently have deployed, you need to run Setup with /PrepareSchema. If they contain Active Directory changes, you need to run /PrepareAD. Alternatively, permissions permitting, you can let Setup perform this step. Consult the Exchange schema versions page for schema and related versioning information.
When upgrading from an n-2 or earlier version of Exchange, or an early version of the .NET Framework, consult Upgrade Paths for CU’s & .NET.
Don’t forget to put the Exchange server in maintenance mode prior to updating. Regardless, setup will put the server in server-wide offline mode post-analysis, before making actual changes.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), support requires you to trail at most one version (n-1).
Ensure the Windows PowerShell Script Execution Policy is set to Unrestricted during deployment. This to prevent installation failures due to the inability to validate script signatures.
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable the publisher’s certificate revocation checking.
Cumulative Updates can be installed directly; no need to install RTM prior to installing Cumulative Updates.
Once upgraded, you can’t uninstall a Cumulative Update or any of the installed Exchange server roles.
The recommended upgrade order is internet-facing, non-internet-facing servers first, followed by Edge Transports.

Caution
As for any updates, I recommend thoroughly testing updates in a test environment before implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

Exchange 0-days: CVE-2022-41040 & CVE-2022-41082

Posted on October 3, 2022 by Michel de Rooij

Update (Oct10, 2022): Updated URL Rewrite Rule (again).

End of last week, the Exchange world was made aware of a 0-day vulnerability and exploit through the following tweet by security researcher Kevin Beaumont. The tweet referenced a write-up by GTSC Cyber Security, which published their discovery on a what looked like a variation on ProxyShell, allowing for Remote code execution. The vulnerabilities have been registered by the Common Vulnerabilities and Exposures program as CVE-2022-41040 (ZDI-CAN-18333 at Zero Day Initiative) and CVE-2022-41082 (ZDI-CAN-18802).

The 0-day impacts current versions of Exchange Server 2019, Exchange Server 2016 as well as Exchange Server 2013 when published externally. If you have Exchange Hybrid deployed only for recipient management or mail-flow (i.e. no inbound traffic for https/443), you should be OK. Similar to ProxyShell, the vulnerability consists of sending manufactured requests to Exchange server, e.g.

Read the full of this article on ENow here.

Update (Oct10): The (original) filter to mitigate the situation, as specified originally by the GTSC as well as various websites, is too specific. The filter can easily be circumvented by – but effectively identical – variations on the manufactured request. The latest rule to filter requests is:

(?=.*autodiscover)(?=.*powershell)

Update any existing mitigation IIS URL Rewrite Rules with this Regular Expressions filter for {UrlDecode:{REQUEST_URI}} blocking (Abort Request) any matching request. When using EEMS, this rule will also be deployed in the most recent update (1.0.9). Microsoft rather silently updated the filter in their published EEMS rules during the weekend.

Microsoft added to their advisory, recommending organizations to disable Remote PowerShell for non-administrators roles (instructions here). For those wanting to hunt for indicators of compromise, check the end of the Security blog.

Vendors are also offering solutions to filter these requests using their network devices:

At the time of writing, Microsoft has not publish a security fix yet.

MEC: Bringing your Exchange Scripts into the Modern Age

Posted on September 15, 2022 by Michel de Rooij

Yesterday, I had the pleasure of presenting at the Microsoft Exchange ~~Conference~~ Community Technical Airlift 2022. I talked about the challenges that organizations are facing that use Exchange scripts in their work processes or run them scheduled unattended.

Some of the challenges I mentioned, apart from the upcoming demise of Basic Authentication, and resources to methodically assess and make the necessary changes, are:

Get your code more secure leveraging Certificate Based Authentication, especially for scheduled tasks.
Get current with the most recent version of the Exchange Online Management Module for PowerShell.
The same exercise with regards to AzureAD when using MSOnline or AzureAD modules, and the inevitable move to the PowerShell Graph SDK.

In the end I also quickly demonstrated how much easier and secure things can be when utilizing Azure Automation, which might especially appeal to organizations that want to totally get rid of any infrastructure for running jobs.

You can watch the presentation below. All sessions are you published on YouTube, and its playlist can be accessed at aka.ms/MEC2022.

The presentation as well as the deck and script used in the live demonstration can be retrieved from GitHub. The Analyse-ExoScript used in the demo can be found on GitHub as well, or look at the accompanying blog I wrote a while ago here.

Note that during MEC, it was announced that the next GA release of the Exchange Online Management module will be version 3. This jump is likely to prevent any confusion with earlier GA and preview releases. It was said the next GA release might be as early as next week, which should be good news for organizations who’s policy it is to not run Preview software in production environments.

If you have any questions, ask them in the comments or send me a message via the contact form.

MEC Airlift 2022 #WeAreMEC

Posted on September 12, 2022 by Michel de Rooij

It seems ages ago – 8½ years to be exact – that the most recent Microsoft Exchange Conference took place in Austin in 2014. Much has happened since then, Exchange Online became a thing and there seemed to be no need for Microsoft to host an Exchange themed conference any longer. All this while events around products such as SharePoint did not slow down a single bit.

Then the pandemic happened, and we went to zero in-person conferences. It did not take long online/virtual/digital conferences took off. But alas, no Exchange conference. Until 2022 arrived, and Microsoft announced continued commitment to Exchange on-premises. Now, early in the FY22/23, a free 2-day online event will take place on September 13th & 14th, the Microsoft Exchange ~~Conference~~ Community Technical Airlift 2022. Target audience are IT professionals working with Exchange Online/On-Premises as well people developing solutions that integrate with Exchange. While nothing comes close to the experience and value of an in-person event, MEC 2022 will take place online. I am guessing that if this event is a success, and there is enough content to talk about as well as interest, that might switch to becoming at least a hybrid event, with a mix of an in-person and online audience, similar to Microsoft Ignite this year.

The agenda for MEC 2022 looks very promising, with sessions from both the Exchange product group as well as some very smart people from the Exchange community. Not totally surprising, there are sessions on the demise of Basic Authentication and how to deal with that, hosted by Greg Taylor. Also have a look at Scott Schnoll’s famous Exchange Tips & Tricks, or Jeff Mealiffe talking about connectivity. The event kicks off with a welcome keynote with Perry Clarke and Rajesh Jha. You can still submit questions for this “Geek Out with Perry!” here.

Yours truly will also present at MEC, presenting “Bringing your Exchange Scripts into the Modern Age” on September 14th, 9:00am PDT. Note that MEC sessions will be recorded, and will be made available for on-demand viewing after the event, which is great in case you cannot attend sessions as they happen. You can still register for MEC at https://aka.ms/MECAirlift.

If I do not “see” you at MEC, there is also an opportunity to have an in-person chat next week in Atlanta, where I will be attending – not presenting as I missed the submit deadline – The Experts Conference, or just TEC. It seems you can still register, but Anyway, it is good to see Exchange themed events pick-up and confereces in general returning to a certain level of pre-pandemic numbers, as there is enough to talk about, discuss and learn from others.