Exchange 2016 & 2019 ESU

In a somewhat surprising move yesterday, Microsoft announced there will be an Extended Security Update program for Exchange Server 2016 and Exchange Server 2019. The ESU is to cater to organizations that indicate they need some more time to move away from Exchange 2016/2019. I will not comment on the fact that these organizations had a few years to get current on Exchange 2019, which would lead them to having a smooth upgrade path now to Exchange SE, or even move to Exchange Online.

Extended Security Update

You might already be familiar with ESU programs, which are common for Windows clients and Windows Server, among others. That said, Exchange also had its share of post-lifecycle (out-of-band) updates, such as the Hafnium security updates for Exchange 2013 and even Exchange 2010. These updates were developed and made available without any obligation, as some of them applied to products that were already past their end-of-support date.

Now, the ESU program for Exchange 2016/2019 is an official extension to keep receiving published security updates for Exchange 2016/2019. To receive these, organizations can purchase a 6-month ESU for their Exchange servers. For this, they need to contact their Microsoft account manager starting August 1st, 2025. Do note that there is no guarantee that, within this period, security updates will get published, as this is entirely driven by circumstances and urgency, of course.

To make it clear: The ESU program is not an extension of support. You cannot contact support for any incident with Exchange 2016/2019 in the ESU period. That is, unless it relates to an SU that gets published during the ESU period. Thus, ESU is more for peace of mind when it comes to security, when you can live without expecting support.

The ESU period ends April 14th, 2026, 6 months after Exchange 2016 and Exchange 2019 go out of support. It is possible to get ESU after August 1st and during the 6-month ESU window. This flexibility may lead to organizations taking a gamble, waiting for an SU to appear, only to get ESU when the first SU arrives. Given that corporate purchasing processes might take some time and SUs usually come with some urgency to implement, this is not something I would recommend.

I would also not recommend seeing this ESU window as an opportunity to take it easy. The support date stands, which is what most organizations find most important. So, keep migrating, whether to Exchange SE directly or via Exchange 2019 CU15, or to Exchange Online.

Skype for Business

Skype for Business is in the same boat regarding lifecycle, and also has a similar ESU program. For more information, click here.

Security Updates Exchange 2016-2019 (Nov2024)

NOTICE (Nov27): The SUs have been re-released. The v2 adds additional control over the X-MS-Exchange-P2FromRegexMatch header, which is set for messages with a non-RFC5322 compliant P2 FROM header. Install these on your Exchange servers, even if you already deployed the v1 SU, to benefit from the additional control.

The Exchange product group released November 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability    Category   Severity    Rating
CVE-2024-49040   Spoofing   Important   CVSS:3.1 7.5 / 6.7

The v2 Security Updates for each supported Exchange Server build are linked below:

Exchange             Download   Build          KB                     Supersedes
Exchange 2019 CU14   Download   15.2.1544.14   KB5044062, KB5049233   KB5036401
Exchange 2019 CU13   Download   15.2.1258.39   KB5044062, KB5049233   KB5036402
Exchange 2016 CU23   Download   15.1.2507.44   KB5044062, KB5049233   KB5036386

Added Features

Anti-Malware Scan Interface (AMSI) integration

This gives products that use the Exchange Server AMSI integration the ability to perform additional tasks on message bodies. The feature is disabled by default. You can enable it per protocol, such as Exchange Web Services or PowerShell. More information on this feature here.

Non-RFC5322 compliant header detection

Similar to the change in Exchange Online mentioned in MC886603, after installing this SU, messages with a non-compliant P2 FROM header (RFC5322) will be detected. Unlike Exchange Online, which will drop these messages, Exchange Server will add a header that can be used in transport rules as organizations see fit. To be compliant, organizations should ensure that messages with multiple From addresses include a Sender header. More information here.
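As an added example (not part of the original post, and not Microsoft's own guidance), this is one way to act on the header the SU adds from the Exchange Management Shell. The rule name, subject tag and SCL value are my assumptions. The rule matches on the X-MS-Exchange-P2FromRegexMatch header being present with any value, so it does not depend on the exact value the SU writes into it, and it starts in Audit mode so you can watch what it would have hit before enforcing anything.

```powershell
# Added example: transport rule acting on the X-MS-Exchange-P2FromRegexMatch header
# that the November 2024 SU stamps on messages with a non-RFC5322 compliant P2 FROM.
# Run in the Exchange Management Shell. Rule name, subject tag and SCL are assumptions.

$ruleName = 'Flag non-RFC5322 P2 From header'   # assumed name

if (-not (Get-TransportRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $ruleName `
        -HeaderMatchesMessageHeader 'X-MS-Exchange-P2FromRegexMatch' `
        -HeaderMatchesPatterns '.' `                  # any non-empty value: header present
        -PrependSubject '[Check From header] ' `      # assumed tag for end users / helpdesk
        -SetSCL 5 `                                   # assumed SCL; tune to your junk thresholds
        -Mode Audit `                                 # observe first, enforce later
        -Comments 'Added after Nov 2024 SU v2: header marks a non-RFC5322 compliant P2 FROM.'
}

# Review the rule as created, then switch it to enforcement once the audit results look right.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, HeaderMatchesMessageHeader, HeaderMatchesPatterns, PrependSubject, SetSCL

# Set-TransportRule -Identity $ruleName -Mode Enforce
```

Matching on the header's presence rather than a literal value keeps the rule working if the value format changes between SU releases; the trade-off is that any sender able to inject that header name would also trigger the rule, which is why the rule only tags and scores rather than rejecting.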

Elliptic Curve Cryptography (ECC) certificate support

ECC certificates can now be used on Edge Transport servers and bound to the POP and IMAP services. Note that unlike the previous implementation, which required enabling this using New-SettingOverride, it is now configured through a registry key, i.e.:

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics" -Name "EnableEccCertificateSupport" -Value 1 -Type String

More information here.

Microsoft Information Protection Client (MSIPC)

MSIPC will now be enabled by default, replacing Microsoft Digital Rights Management (MSDRM) for information rights management.

Fixed Issues

Apart from security fixes and added features, these Security Updates also correct the following issues:

Issue fixed                                                                                                Exchange 2016   Exchange 2019
Journal report decryption doesn't decrypt attachment in journal mailbox                                    Yes             Yes
Error after adding support for AES256-CBC-encrypted content in August 2023 SU                              Yes             Yes
Exchange can't decrypt IRM messages                                                                        Yes (one version only)
Server with PowerShell_ISE doesn't serialize when connecting to EMS                                        Yes             Yes
Email sent through Pickup folder displays admin version                                                    Yes             Yes
CSRs created by Exchange are signed with an outdated encryption algorithm                                  Yes             Yes
OWA displays incorrect time zone for Amman                                                                 Yes             Yes
Kazakhstan changes to single time zone in 2024                                                             Yes             Yes
Moderated messages are marked as expired after they are approved or rejected                               Yes (one version only)
Exchange Transport Rules and Data Loss Prevention rules don't work after installing November 2024 SU V1    Yes             Yes

A single Yes means the fix applies to only one of the two versions; this copy of the table does not preserve which.

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU14-KBXXXXXX-x64-en.msp.
  • Like Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removing the Last Exchange Server for recipient management, it is recommended that you apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.
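Because SUs are CU-specific and only the latest SU per CU matters, the check I want after a patch round is "which servers are actually on the expected build?". Below is an added example (my own code, not from the original post or from Microsoft) that reads the SU-level build from ExSetup.exe on each server and compares it with the November 2024 v2 builds from the table above. It assumes you run it in the Exchange Management Shell with an account that can use PowerShell remoting to every server; the expected builds and the CU they belong to are taken from the table, and the mapping uses the first three parts of the version number.

```powershell
# Added example: verify the installed SU-level build per Exchange server against the
# November 2024 v2 builds listed in this post. Not part of the original post.

# Expected builds, keyed by the CU-identifying part of the version (from the table above).
$expected = @{
    '15.2.1544' = @{ Name = 'Exchange 2019 CU14'; Build = [version]'15.2.1544.14' }
    '15.2.1258' = @{ Name = 'Exchange 2019 CU13'; Build = [version]'15.2.1258.39' }
    '15.1.2507' = @{ Name = 'Exchange 2016 CU23'; Build = [version]'15.1.2507.44' }
}

function Get-ExchangeSuState {
    [CmdletBinding()]
    param(
        [string[]]$Server = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    foreach ($s in $Server) {
        # ExSetup.exe carries the SU-level build; AdminDisplayVersion only reflects the CU.
        $fileVersion = Invoke-Command -ComputerName $s -ScriptBlock {
            $exe = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
            (Get-Item $exe).VersionInfo.FileVersion      # e.g. 15.02.1544.014
        }
        $installed = [version]$fileVersion
        $key = '{0}.{1}.{2}' -f $installed.Major, $installed.Minor, $installed.Build
        $cu = $expected[$key]

        [pscustomobject]@{
            Server    = $s
            CU        = if ($cu) { $cu.Name } else { "unknown ($key)" }
            Installed = $installed
            Expected  = if ($cu) { $cu.Build } else { $null }
            Status    = if (-not $cu)                       { 'CU not in table' }
                        elseif ($installed -ge $cu.Build)   { 'Current' }
                        else                                { 'Needs SU' }
        }
    }
}

# Servers needing attention first, then the rest.
Get-ExchangeSuState | Sort-Object Status, Server | Format-Table -AutoSize
```

A server reporting "CU not in table" is on a CU that no longer receives SUs at all, which is a bigger problem than a missing SU: it needs the CU upgrade before any of the downloads above apply.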

On a final note, as with any patch or update, it is recommended that you apply it in a test environment before implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings indicate the level of urgency.

Security Updates Exchange 2016-2019 (Mar2024)

The Exchange product group released March 2024 updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability    Category                Severity    Rating
CVE-2024-26198   Remote Code Execution   Important   CVSS:3.1 8.8 / 7.7

The Security Updates for each supported Exchange Server build are linked below:

Exchange             Download   Build          KB          Supersedes
Exchange 2019 CU14   Download   15.2.1544.9    KB5036401   KB5032146
Exchange 2019 CU13   Download   15.2.1258.32   KB5036402   KB5032146
Exchange 2016 CU23   Download   15.1.2507.37   KB5036386   KB5032147

OutsideInModule

Be advised that these security updates will disable Oracle Outside In Technology (OIT). Security issues have been discovered in this embedded third-party package (ADV24199947). The consequence of disabling it is that text can no longer be extracted from JPG, TIFF, and AutoCAD files for use in Exchange Transport Rules or Data Loss Prevention rules. More information is here.

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue fixed                                    Exchange 2016   Exchange 2019
EWS search request displays inaccurate results Yes             Yes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU14 to Exchange 2019 CU13. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2016-2019 (Nov2023)

The Exchange product group released November updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability    Category                Severity    Rating
CVE-2023-36439   Remote Code Execution   Important   CVSS:3.1 8.0 / 7.0
CVE-2023-36050   Spoofing                Important   CVSS:3.1 8.0 / 7.0
CVE-2023-36039   Spoofing                Important   CVSS:3.1 8.0 / 7.0
CVE-2023-36035   Spoofing                Important   CVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

Exchange             Download   Build          KB          Supersedes
Exchange 2019 CU13   Download   15.2.1258.28   KB5032146   KB5030877
Exchange 2019 CU12   Download   15.2.1118.40   KB5032146   KB5030877
Exchange 2016 CU23   Download   15.1.2507.35   KB5032147   KB5030877

Payload Serialization Signing

Be advised that these updates will enable payload signing by default. Payload serialization signing signs PowerShell payloads so that possible tampering can be identified. Support for certificate-based signing of PowerShell serialization payloads was added with the January security updates and is a per-server configuration. In other words, make sure you have deployed the January security updates on all servers before implementing these security updates, so that every Exchange server supports payload signing before you enable it one server at a time.

More info on the topic here. The process is explained at https://aka.ms/HC-SerializedDataSigning. To verify or configure signing, use the script published here or follow the manual steps. Signing leverages the organization-wide available Exchange Auth Certificate, which needs to be present and valid; the MonitorExchangeAuthCertificate.ps1 script can help you verify this.
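Since signing is per server and depends on the Auth Certificate being present and valid everywhere, here is an added example (my own code, not Microsoft's script or the original post's) that reports both conditions for each server from the Exchange Management Shell. It assumes PowerShell remoting to every server, and it assumes the per-server switch is the registry value EnableSerializationDataSigning under the Exchange Diagnostics key, as described in the Microsoft documentation linked above; confirm that name against the linked page before relying on the output.

```powershell
# Added example: per-server check of serialized data signing and the Auth Certificate
# it depends on. Not part of the original post. Run in the Exchange Management Shell.

$regPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Diagnostics'
$regName = 'EnableSerializationDataSigning'   # assumption: documented per-server switch

function Get-SerializationSigningState {
    [CmdletBinding()]
    param(
        [string[]]$Server = (Get-ExchangeServer | Select-Object -ExpandProperty Name)
    )

    # Signing uses the organization-wide Auth Certificate; fetch its thumbprint once.
    $authThumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
    $now = Get-Date

    foreach ($s in $Server) {
        # Read the per-server switch; a missing value means signing is not enabled there.
        $signing = Invoke-Command -ComputerName $s -ArgumentList $regPath, $regName -ScriptBlock {
            param($path, $name)
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }

        # The Auth Certificate must be installed on this server, not just known to the org.
        $cert = Get-ExchangeCertificate -Server $s -Thumbprint $authThumbprint -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server          = $s
            SigningEnabled  = ($signing -eq '1')
            AuthCertPresent = [bool]$cert
            AuthCertValid   = if ($cert) { $cert.NotBefore -le $now -and $cert.NotAfter -gt $now } else { $false }
            AuthCertExpires = if ($cert) { $cert.NotAfter } else { $null }
        }
    }
}

Get-SerializationSigningState | Format-Table -AutoSize

# To enable signing on one server once all servers run the January 2023 SU or later
# (same key and value type as the ECC example earlier on this page; name is an assumption):
# New-ItemProperty -Path $regPath -Name $regName -Value 1 -Type String
```

A server showing AuthCertPresent as False or AuthCertValid as False is the one to fix before enabling signing anywhere, because cmdlets on a server that cannot validate the signature will fail rather than silently fall back.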

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue fixed                                                                      Exchange 2016   Exchange 2019
Serialization payload signing fails for a few cmdlets                            Yes             Yes
Unable to migrate mailbox as communication error parameter exception occurs      Yes             Yes
InvalidResponseException when you try to run Export-UMPrompt                     Yes             –

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have deployed Exchange Management Tools to manage your on-premises Exchange Servers or installed the tools after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update. Be aware of a few cmdlet piping issues mentioned here.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.

Security Updates Exchange 2016-2019 (Oct2023)

The Exchange product group released October updates for Exchange Server 2016 and 2019.

The vulnerabilities addressed in these Security Updates for Exchange Server are:

Vulnerability    Category                 Severity    Rating
CVE-2023-36726   Elevation of Privilege   Important   CVSS:3.1 7.8 / 6.8
CVE-2023-36780   Remote Code Execution    Important   CVSS:3.1 7.2 / 6.3
CVE-2023-36778   Remote Code Execution    Important   CVSS:3.1 8.0 / 7.0

The Security Updates for each supported Exchange Server build are linked below:

Exchange             Download   Build          KB          Supersedes
Exchange 2019 CU13   Download   15.2.1258.27   KB5030877   KB5030524
Exchange 2019 CU12   Download   15.2.1118.39   KB5030877   KB5030524
Exchange 2016 CU23   Download   15.1.2507.34   KB5030877   KB5030524

TokenCacheModule

The recommendation for the August updates was to disable the TokenCacheModule in IIS to mitigate an Elevation of Privilege issue in IIS. That issue is fixed with a Windows update for CVE-2023-36434. Thus, after installing that update for IIS, it is no longer recommended to disable TokenCacheModule. When you have disabled it after installing the August 2023 updates, you can enable it again using New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll", or use the CVE-2023-21709.ps1 script with the -Rollback switch to (re-)enable it on all of your Exchange servers.
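Before running the rollback, it helps to know which servers still have the module removed. As an added example (my own code, not the CVE-2023-21709.ps1 script and not part of the original post), the function below reports the TokenCacheModule state per server; it assumes PowerShell remoting to each server and skips Edge Transport servers, which do not run IIS.

```powershell
# Added example: report which Exchange servers still have TokenCacheModule removed from IIS.
# Not part of the original post. Run in the Exchange Management Shell.

function Get-TokenCacheModuleState {
    [CmdletBinding()]
    param(
        # Edge Transport servers have no IIS, so leave them out by default.
        [string[]]$Server = (Get-ExchangeServer |
                             Where-Object { $_.ServerRole -ne 'Edge' } |
                             Select-Object -ExpandProperty Name)
    )

    foreach ($s in $Server) {
        $present = Invoke-Command -ComputerName $s -ScriptBlock {
            Import-Module WebAdministration
            # Get-WebGlobalModule returns nothing when the module is not registered.
            [bool](Get-WebGlobalModule -Name 'TokenCacheModule' -ErrorAction SilentlyContinue)
        }
        [pscustomobject]@{
            Server                  = $s
            TokenCacheModulePresent = $present
            Action                  = if ($present) { 'None' } else { 'Re-enable after CVE-2023-36434 Windows update' }
        }
    }
}

Get-TokenCacheModuleState | Format-Table -AutoSize
```

Pair the output with your Windows Update reporting: a server should only get the module back once the fix for CVE-2023-36434 is confirmed installed on it.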

Fixed Issues

Apart from security fixes, these Security Updates also correct the following issues:

Issue fixed                                                                                                                      Exchange 2016   Exchange 2019
Users in account forest can't change expired password in OWA in multi-forest Exchange deployments after installing August 2023 SU   Yes             Yes
Details Templates Editor fails and returns BlockedDeserializeTypeException                                                        Yes             Yes
Extended Protection causes Outlook for Mac to fail to download the OAB (use updated Extended Protection script)                   Yes             Yes

Notes

  • Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
  • Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
  • If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.

On a final note, as with any patch or update, it is recommended to apply this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.