Security Updates Exchange 2013-2019 (Jul2021)

Posted on July 13, 2021 by Michel de Rooij

Update July 20th: Added VC++2012 requirement to tip on running MT to prepare Exchange 2013 schema separately.

Another month, another Patch Tuesday! A quick blog on the July’s security updates for Exchange Server 2013 up to 2019.

The vulnerabilities addressed in these security updates are:

Vulnerability	Category	Severity	Rating
CVE-2021-31196	Remote Code Execution	Important	CVSS:3.0 7.2 / 6.3
CVE-2021-34470	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-33768	Elevation of Privilege	Important	CVSS:3.0 8.0 / 7.0
CVE-2021-31206	Remote Code Execution	Important	CVSS:3.0 7.6 / 7.1

Note:

When looking at the MSRC information, you will notice 3 additional CVE issues addressed for July 13th. However, as far as I can see CVE-2021-34473, CVE-2021-34523 and CVE-2021-33766 were addressed in the April 2021 and eventually the May 2021 Security Updates, which also would explain MSRC’s mention of earlier CUs, such as Exchange 2019 CU8.
CVE-2021-31206 was the vulnerability discovered at the Pwn2Own 2021 contest.

Vulnerabilities mentioned in the table above are addressed in the following security updates:

Exchange	Download	Build	KB
Exchange 2019 CU10	Download	15.2.922.13	KB5004780
Exchange 2019 CU9	Download	15.2.858.15	KB5004780
Exchange 2016 CU21	Download	15.1.2308.14	KB5004779
Exchange 2016 CU20	Download	15.1.2242.12	KB5004779
Exchange 2013 CU23	Download	15.0.1497.23	KB5004778

Notes:

CVE-2021-33768 does not seem applicable to Exchange 2019 CU9 or Exchange 2016 CU20.
CVE-2021-34470 is only addressed in the security update for Exchange 2013 CU23.

More detailed information can be found at the original blog post here, which mentions some specific post-deployment instructions:

When running n-1 CU of Exchange 2019 (CU9) or Exchange 2016 (CU20), and you do not plan to upgrade to the latest CU yet but do wish to install this Security Update, you must also update the AD Schema using the CU10 or CU21 installation files.
When you are running Exchange 2013 CU23 in your organization, and no later Exchange builds are present, you need to deploy a schema update immediately after deploying the Security Update. After deploying the SU, from an elevated CMD prompt, run Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms from Exchange’s bin folder. You you need to separate the update from deploying the update, see end of article for a tip.

The blog also mentions some issues, which are identical to the ones mentioned with the May 2021 Security Updates:

Accounts ending in ‘$’ cannot use EMS or access the ECP.
Cross-forest Free/Busy might stop working resulting in 400 Bad Request (solution).
Running cmdlets against EMC using invoked runspace might result in no-language mode error (info).

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU9 to Exchange 2019 CU8. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KBXXXXXX-x64-en.msp.

On another note, after deploying the security updates Exchange will start reporting its version number in the HTTP response header.

As a reminder, run the Security Update from an elevated command prompt to prevent issues during installation. In other words: Do not just double-click on the .MSP file. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

OWA/ECP and HMAC errors
There are reports of the Security Update breaking OWA/ECP. Symptoms are browsers displaying an HMAC error:

Server Error in '/owa' Application.

ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
    
Exception Details: Microsoft.Exchange.Diagnostics.ExAssertException: ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1

It is likely related to “Microsoft Exchange Server Auth Certificate”, which can be expired, invalid or for other reasons not being picked up. The reported solution is renewing the “Microsoft Exchange Server Auth Certificate”. This procedure can be found here. Do note that it may take an hour for the certificate to become effective. Meanwhile, you can check the comments in the original Exchange Team post, which is lively with feedback and responses.

Exchange 2013 CU23 SU & Schema Updating
Because with Exchange 2013 CU23 schema preparation needs to occur immediately after deploying the SU on (the first) Exchange 2013 CU23 server, a tip might be that you could deploy Exchange 2013 CU23 Management Tools on a workstation, install the SU on that workstation, then run the PrepareSchema from there before deploying the SU on any Exchange 2013 CU23 server.

This might also be helpful in multi-domain organizations, or organizations where AD and Exchange are managed by different teams or require separate changes. Note that performing the schema update this way requires Visual C++ 2012 Runtime, otherwise you will run into a “Exchange Server setup didn’t complete the operation” and the ExchangeSetup.log will contain “Could not load file or assembly ‘Microsoft.Exchange.CabUtility.dll”.

Security Updates Exchange 2013-2019 (May2021)

Posted on May 11, 2021 by Michel de Rooij

Another month, another Patch Tuesday! A quick blog on May’s security updates for Exchange Server 2013 up to 2019.

These fixes address the following vulnerabilities:

Vulnerability	Category	Severity	Rating
CVE-2021-31209	Spoofing	Important	CVSS:3.0 6.5 / 5.7
CVE-2021-31207	Security Feature Bypass	Moderate	CVSS:3.0 6.6 / 5.8
CVE-2021-31198	Remote Code Execution	Important	CVSS:3.0 7.8 / 6.8
CVE-2021-31195	Remote Code Execution	Important	CVSS:3.0 6.5 / 5.7

These vulnerabilities can be fixed by single security update for Exchange, which you can find below:

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.12	KB5 003435	KB5001779
Exchange 2019 CU8	Download	15.2.792.15	KB5 003435	KB5001779
Exchange 2016 CU20	Download	15.1.2242.10	KB5 003435	KB5001779
Exchange 2016 CU19	Download	15.1.2176.14	KB5 003435	KB5001779
Exchange 2013 CU23	Download	15.0.1497.18	KB5 003435	KB5001779

More detailed information can be found at the original blog post here, which also mentions some known issues and workarounds which you might encounter after deploying these updates.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation (other words: Do not just double-click on the .MSP file). And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates, and follow a more agile approach. The rating implies a form of urgency.

Tagging External Messages

Posted on May 5, 2021 by Michel de Rooij

Two years ago, I posted a blog on how to implement Transport Rules in Microsoft Exchange to flag messages originating from outside the organization. Goal is to aid end users in identifying messages originating from outside of the organization, by displaying tags in the subject or body part of received messages. This to make them aware – and hopefully more cautious – when it comes to clicking links or opening attachments. Downside of this method is that every inbound message gets a bit cluttered in their subject or body with tags and notifications, which becomes more evident when replying back and forth to external messages. Back then, I already stated a sort of MailTip would be a more preferable and elegant solution.

Onward to 2021, where tagging of external messages became a generally available feature in March for Exchange Online (MC243047, announcement), when used together with Outlook for Web Access (OWA), Outlook for Mac, Outlook Mobile. Outlook for Desktop will also receive support for the feature (supported per version 2105 build 14026.20000, InsiderFast currently). To start adopting this tagging mechanism for new messages, organizations need to deploy an organization level setting using Set-ExternalInOutlook, e.g.

Set-ExternalInOutlook -Enabled $True -AllowList 'contoso.com'

This will enable the tagging of external messages in your tenant, except for domains or e-mail addresses which have been specified through the AllowList. In the example above, messages from contoso.com senders will bypass tagging. The AllowList is limited to 30 entries or 1 kB, whichever comes first. You can reconfigure the AllowList through the hashtable method, e.g.

Set-ExternalInOutlook –AllowList @{Add='fabrikam.com','john@wingtiptoys.com'; Remove='contoso.com'}

After configuring Set-ExternalInOutlook, tagging is not immediate and can take a short while to become active. To inspect current settings, run Get-ExternalInOutlook.

How tagged mail is presented depends on the client. For example, Outlook for Web Access displays an ‘External’ label in the message list, as well as a MailTip at the top of the e-mail contents:

Same goes for Outlook Mobile, where the message list as well as the message view will show an indicator:

Outlook for Desktop
However, Outlook for Desktop does not present a label in the message list, nor exposes a field to filter those external messages, only displaying a MailTip after opening the message:

So, people almost started asking right away if it was not possible to expose External information in the message list. Well, with a little help of “Oldskool” Outlook and forms customization, this is possible, and here is how:

First, we need information related to the MAPI attribute. As the field is not by default available in Outlook, we need to know some of its properties to define it later on. As mention in some of the documents, or Glen Scales’ article on how to identify messages using Graph or Exchange Web Services, the MAPI property tag is 41F28F13-83F4-4114-A584-EEDB5A6B0BFF and its name is IsExternalSender.

Next, we need to construct a .CFG file where we will define the property we want to expose. I’ve already done this part for you, and you can download IsExternalSender.cfg from GitHub. Also download the two .ico files and put them in the same folder as the .cfg file. Note that those .ico files only represent the form. Alternatively, you can copy the .cfg file to your Personal Forms Library folder and skip installing, but this way the instruction is a bit simpler, allows you to pick the Folder Forms Library and will skip the elevated access dialog as the Personal Forms Library is a protected folder.

Open Outlook, go to File > Options > Advanced and click the Custom Forms button. There, click Manage Forms. By default, the form is installed in your Personal Folder Library. You can also pick a mailbox to store the form, allowing it to roam together with the view changes we will perform later. Click Install and pick the prepared .cfg file you downloaded from GitHub, and the following dialog should be shown:

Click OK to confirm you want to load the information in the form file in your personal forms library and close the Forms Manager. Going back to the Outlook navigation view, you can now add an IsExternalSender field to the message list. Right-click the field header and select Field Chooser. In the drop-down list, select Forms.., and add External Tagging Form to the Selected Forms. Field Chooser should now display an available field named IsExternalSender, which you can add to your current view using drag & drop.

Note that the .cfg defines the IsExternalSender as Boolean and showing it as an Icon. This means that for External messages, the column IsExternalSender will contain a checkbox:

When you want, you can create custom fields to adjust how the information is presented. For example, you can create a custom field using a formula to display [EXTERNAL] for IsExternalSender messages, which might be more usable in certain views instead of the checkbox. To accomplish this, select New in Field Chooser,and create a field named ExternalTag, type Formula and enter the following formula:

iif([IsExternalSender]=-1,"[EXTERNAL]","")

You can then add the ExternalTag field to Compact View. Do note the text takes up a row in Compact view, thus might replace sender or the subject depending on layout and field order.

On a final note, when wanted you can filter, sort or create Search Folders using the new IsExternalSender field.

Exchange On-Premises
Organizations running Exchange Hybrid, routing inbound messages through Exchange Online, are not able to benefit from external e-mail tagging. IsSenderExternal is only stamped on messages destined for mailboxes in Exchange Online. These organizations have therefor no way to identify these messages landing in their Exchange on-premises environment, and may require them to deploy the less elegant Transport Rules solution regardless.

Security Update Exchange 2013-2019 (Apr2021)

Posted on April 13, 2021 by Michel de Rooij

15Apr2021: Added note about Pwn2Own vulnerabilities not being addressed by these updates.

A quick blog on April’s security updates for Exchange Server 2013 up to 2019. Details regarding these vulnerabilities are confidential, but organizations are recommended to install these updates based on their rating. With patching procedures still fresh in everyone’s memory, and every Exchange on-premises server being current after the Hafnium issues, that should not be a problem, right?

The fixes address the following Remote Code Execution vulnerabilities:

Vulnerability	Severity	Rating
CVE-2021-28483	Critical	CVSS:3.0 9.0 / 7.8
CVE-2021-28482	High	CVSS:3.0 8.8 / 7.7
CVE-2021-28481	Critical	CVSS:3.0 9.8 / 8.5
CVE-2021-28480	Critical	CVSS:3.0 9.8 / 8.5

More detailed information can be found at the original blog post here. Note that the recently discovered at the Pwn2Own 2021 contest are not (yet) addressed by these updates, according to this blog by the contest organizers.

The exploit can be fixed by single security update, which you can find below.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU9	Download	15.2.858.10	KB5001779
Exchange 2019 CU8	Download	15.2.792.13	KB5001779
Exchange 2016 CU20	Download	15.1.2242.8	KB5001779
Exchange 2016 CU19	Download	15.1.2176.12	KB5001779
Exchange 2013 CU23	Download	15.0.1497.15	KB5001779

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU20 to Exchange 2016 CU19. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU9-KB5001779-x64-en.msp.

Security Update Exchange 2010-2019 (Mar2021)

Posted on March 2, 2021 by Michel de Rooij

Update 16Mar2021: Added One-Click tool reference.

Another month, another set of security updates for Exchange Server 2016 and 2019, including out-of-band updates for Exchange 2013 CU23 and Exchange 2010 SP3 (Rollup 32). Given the risk of this vulnerability, security updates for older out-of-support CUs (Ex2016 CU8 was released December 2017) were also made available. According to the related Exchange team blo g, these exploits are seen being used as part of an attack chain. After publication of this vulnerability named Hafnium, proof of concept kits were published after which variations started to appear (e.g. DearCry). Needless to say, the security update is critical and deployment should not be postponed – intermediate mitigations (with consequences) are also available.

These fixes address the following Remote Code Execution vulnerabilities:

Exchange 2013/2016/2019
Exchange 2010/2013/2016/2019
- CVE-2021-26857

The exploit can be fixed by security update, or in case of Exchange 2010 SP3 by applying a Rollup, which you can find in the table below per current Exchange version. Microsoft published security updates for older CUs as well on March 8th; these have been added to the table below.

Exchange Build	Download	Build	Article	Supersedes
Exchange 2019 CU8	Download	15.2.792.10	KB5000871	KB4602269
Exchange 2019 CU7	Download	15.2.721.13	KB5000871	KB4602269
Exchange 2016 CU19	Download	15.1.2176.9	KB5000871	KB4602269
Exchange 2016 CU18	Download	15.1.2106.13	KB5000871	KB4602269
Exchange 2013 CU23	Download	15.0.1497.12	KB5000871	KB4593466
Exchange 2010 SP3 RU32	Download	14.3.513.0	KB5000978
Exchange 2019 CU6	Download	15.2.659.12	KB5000871
Exchange 2019 CU5	Download	15.2.595.8	KB5000871
Exchange 2019 CU4	Download	15.2.529.13	KB5000871
Exchange 2019 CU3	Download	15.2.464.15	KB5000871
Exchange 2019 CU2	Download	15.2.397.11	KB5000871
Exchange 2019 CU1	Download	15.2.330.11	KB5000871
Exchange 2019 RTM	Download	15.2.221.18	KB5000871
Exchange 2016 CU17	Download	15.1.2044.13	KB5000871
Exchange 2016 CU16	Download	15.1.1979.8	KB5000871
Exchange 2016 CU15	Download	15.1.1913.12	KB5000871
Exchange 2016 CU14	Download	15.1.1847.12	KB5000871
Exchange 2016 CU13	Download	15.1.1779.8	KB5000871
Exchange 2016 CU12	Download	15.1.1713.10	KB5000871
Exchange 2016 CU11	Download	15.1.1591.18	KB5000871
Exchange 2016 CU10	Download	15.1.1531.12	KB5000871
Exchange 2016 CU9	Download	15.1.1466.16	KB5000871
Exchange 2016 CU8	Download	15.1.1415.10	KB5000871
Exchange 2013 CU22	Download	15.0.1473.6	KB5000871
Exchange 2013 CU21	Download	15.0.1395.12	KB5000871

Notes:

You may not be prompted for a reboot, but one is required.
When manually installing the update use an elevated command prompt, don’t just double-click the .msp. To apply an .msp from an elevated prompt, e.g. msiexec.exe /p <Full Path to File>.
When you need to update to a more current Cumulative Update first, update using an elevated command prompt, e.g. setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms
Per product group feedback, Exchange 2010 is not vulnerable to the same attack chain as Exchange 2013/2016/2019, hence the Rollup mentioning a single CVE.
When running product levels earlier than the ones patched, i.e. Exchange 2016 CU17, you are at risk. There are no patches for earlier product levels, so you need to update to a recent CU after which you can install the security update.
When installing a recent CU first in order to be able to install the security update, reboot after installing the CU, then install the security update. This prevents issues caused by files being locked or updating files pending replacement during reboot.
When you are significantly behind regarding keeping your Exchange servers up to date, the blog Upgrade Paths for CU’s and .NET might help in determining an update strategy.
The statement to stay up to date with at most CU n-1 is not some random adage; apart from features and fixes, it also allows you to quickly respond to these type of emergencies.
Make sure you have configured proper Anti-Virus/Malware exclusions for Exchange server, as documented here for Exchange 2016/2019. I’ve seen significant delays or even hangs during setup of Cumulative Updates because of paths and processes not being excluded. When running Exchange virtually, any I/O inspection running on top of your hypervisor is also considered anti-virus/malware software, such as Trend Micro Deep Inspection on VMWare.
When deploying CU(n) on top of CU(n-1) when an interim update already has been installed, it is recommended to uninstall the IU prior to deploying CU(n). While it might go through, an abort is likely with mention of detecting an IU (INTERIMUPDATEDETECTED) in Exchange Setup log.
Security Updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU18 to Exchange 2016 CU19. Note that the security update file has the same name for different Cumulative Updates; I would suggest tagging the file name with the CU level, e.g. Exchange2016-CU18-KB5000871-x64-en.msp.
The publication of security updates for some older CUs does not remove the necessity to update and patch with current CUs.

Indicators & Action
You may want to look for signs that your Exchange server might have been compromised (Indicators of Compromise or IOC). The article HAFNIUM targeting Exchange Servers with 0-day exploits explains this process. A tool is available to assist in scanning systems for indicators, the Microsoft Support Emergency Response Tool (MSERT).

There is also official communication to support this update, including steps to remediate issues with updates and steps to perform analysis (many people overlook the recommendation to run the update elevated for some reason). This deck can be found here: March 2021 Exchange Server Security Update – v1.2.65 – EN.pdf (thanks Chris Lehr).

Mitigations
I would also recommend the official follow-up post, which not only has been updated since the original post, but also includes mitigations for organizations which cannot deploy the update yet:

A script to configure IIS rewrite rules to block cookies used in the attack (mitigates CVE-2021-26855).
Disabling UM Services (mitigates CVE-2021-26857).
Disabling ECP application pool (mitigates CVE-2021-27065).
Disabling OAB application pool (addresses CVE-2021-26858).

Needless to say, steps like disabling ECP or OAB impacts client functionality.

MS published a One-Click Microsoft Exchange On-Premises Mitigation Tool for simplified one-click implementation of mitigation measures on Exchange 2013-2019.

Finally
Since some people are discovering artifacts of HAFNIUM dating before Microsoft’s official communication, people have been wondering how long this has been going on. For those interested, Krebson Security has published an article with a concise timeline of the events related to this attack.

Security Recommendation Exchange 2016-2019

Posted on February 26, 2021 by Michel de Rooij

A quick blog on an updated security publication for Exchange Server 2016 and 2019. This publication addresses the following vulnerability:

CVE-2021-1730: Microsoft Exchange Server Spoofing Vulnerability

A spoofing vulnerability exists in Microsoft Exchange Server which could result in an attack that would allow a malicious actor to impersonate the user.

As mentioned in the CVE report, this vulnerability can be mitigated in Exchange 2016 and Exchange 2019 by implementing a separate namespace for inline images. These images are served when using Outlook Web Access. Since I never see customers implementing this option, I will repeat these steps below to bring this to your attention.

First, pick a namespace to serve these images from, e.g. img.mail.contoso.com. Create a CNAME for this entry in the DNS, and point it to your OWA namespace, for example img.mail.contoso.com. Add this namespace to your existing SSL certificate (SAN) unless you are using a wildcard certificate and the chosen namespace is covered by it.

Next, configure the InternalDownloadHostName and ExternalDownloadHostName properties from OWAVirtualDirectory configuration, e.g.

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalDownloadHostName img.mail.contoso.com -InternalDownloadHostName img.mail.contoso.com

Configure the Exchange organization to use download domains:

Set-OrganizationConfig -EnableDownloadDomains $true

Finally, restart IIS or recycle the OWA application pool using Restart-WebAppPool MSExchangeOWAAppPool.

Security Update Exchange 2016-2019 (Feb2021)

Posted on February 10, 2021 by Michel de Rooij

A quick blog on security updates for Exchange Server 2016 and 2019. These fixes address the following vulnerability:

CVE-2021-24085: Microsoft Exchange Server Spoofing Vulnerability

The exploit can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU8	Download	15.2.792.5	KB4602269	KB4593465
Exchange 2019 CU7	Download	15.2.721.8	KB4602269	KB4593465
Exchange 2016 CU19	Download	15.1.2176.4	KB4602269	KB4593465
Exchange 2016 CU18	Download	15.1.2106.8	KB4602269	KB4593465

Be advised that these security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2016 CU17 to Exchange 2016 CU16. Also, the security update download has the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level, e.g. Exchange2019-CU6-KB4588741-x64-en.msp.

Also, run the Security Update from an elevated command prompt, to prevent issues during installation. And on a final note, as with any patch or update, I’d recommend to apply this in a acceptance environment first, prior to implementing it in production.

Security Updates Exchange 2010-2019 (Dec2020)

Posted on December 8, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released December 8th. These fixes address the following vulnerability:

Exchange 2016 / 2019

CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17141: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2013

CVE-2020-17117: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17132: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17142: Microsoft Exchange Remote Code Execution Vulnerability
CVE-2020-17143: Microsoft Exchange Information Disclosure Vulnerability

Exchange 2010

CVE-2020-17144: Microsoft Exchange Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.6	KB4593465	KB4588741
Exchange 2019 CU6	Download	15.2.659.11	KB4593465	KB4588741
Exchange 2016 CU18	Download	15.1.2106.6	KB4593465	KB4588741
Exchange 2016 CU17	Download	15.1.2044.12	KB4593465	KB4588741
Exchange 2013 CU23	Download	15.0.1497.10	KB4593466
Exchange 2010 SP3 RU31	Download	14.3.509.0	KB4593467

Security Updates Exchange 2013-2019 (Nov2020)

Posted on November 10, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2013, 2016 and 2019 released November 10th. These fixes address the following vulnerability:

CVE-2020-17085: Microsoft Exchange Server Denial of Service Vulnerability
CVE-2020-17084: Microsoft Exchange Server Remote Code Execution Vulnerability
CVE-2020-17083: Microsoft Exchange Server Remote Code Execution Vulnerability

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU7	Download	15.2.721.4	KB4588741	KB4581424
Exchange 2019 CU6	Download	15.2.659.8	KB4588741	KB4581424
Exchange 2016 CU18	Download	15.1.2106.4	KB4588741	KB4581424
Exchange 2016 CU17	Download	15.1.2044.8	KB4588741	KB4581424
Exchange 2013 CU23	Download	15.0.1497.8	KB4588741	KB4581424

Security Updates Exchange 2016-2019 (Sep2020)

Posted on September 9, 2020 by Michel de Rooij

A quick blog on security updates for Exchange Server 2016 and Exchange Server 2019 released September 8th. These fixes address the following vulnerability:

CVE-2020-16875: Exchange Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised. The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.

The exploits can be fixed by single security update, which you can find in the table below per current Exchange version.

Exchange	Download	Build	KB	Supersedes
Exchange 2019 CU6	Download	15.2.659.6	KB4577352	KB4540123
Exchange 2019 CU5	Download	15.2.595.6	KB4577352	KB4540123
Exchange 2016 CU17	Download	15.1.2044.6	KB4577352	KB4540123
Exchange 2016 CU16	Download	15.1.1979.6	KB4577352	KB4540123