Last update Oct10: Added note about TokenCacheModule.
The Exchange product group released August V2 updates for Exchange Server 2016 and 2019.
The vulnerabilities addressed in these Security Updates for Exchange Server are:
| Vulnerability | Category | Severity | Rating |
|---|---|---|---|
| CVE-2023-21709* | Elevation of Privilege | Important | CVSS:3.1 9.8 / 8.5 |
| CVE-2023-38185 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7 |
| CVE-2023-35368 | Remote Code Execution | Important | CVSS:3.1 8.8 / 7.7 |
| CVE-2023-38182 | Remote Code Execution | Important | CVSS:3.1 8.0 / 7.0 |
| CVE-2023-35388 | Remote Code Execution | Important | CVSS:3.1 8.0 / 7.0 |
| CVE-2023-38181 | Spoofing | Important | CVSS:3.1 8.8 / 7.7 |
*) Requires additional steps; See below.
The Security Updates for each supported Exchange Server build are linked below:
| Exchange | Download | Build | KB | Supersedes |
|---|---|---|---|---|
| Exchange 2019 CU13 | Download | 15.2.1258.25 | KB5030524 | KB5026261 |
| Exchange 2019 CU12 | Download | 15.2.1118.37 | KB5030524 | KB5026261 |
| Exchange 2016 CU23 | Download | 15.1.2507.32 | KB5030524 | KB5025903 |
CVE-2023-21709
CVE-2023-21709 requires additional steps, which need to be performed after installing the August updates. These steps will remove the TokenCacheModule from IIS, preventing IIS (thus implicitly Exchange) from caching security tokens for password-authenticated sessions (Anonymous, BasicAuth, and Client Certificates) at a performance penalty as every request needs to get re-authenticated. Documentation on these steps, as well as a script to implement or undo these changes, can be found here.
Update October 10: Removal of TokenCacheModule is no longer recommended, as the vulnerability has been addressed in a Windows patch, CVE-2023-36434.
AES256 in Cipher Block Chaining mode
After installing these August updates, AES256-CBC will be the default encryption mode. In order to allow decrypting of Microsoft Purview Information Protection or Active Directory Rights Management Services, additional configuration is required. If you utilize RMS with Exchange on-premises, consult the steps in this KB article.
Issue with Non-English Operating Systems
The issue with the initial release of the August 2023 SU’s has been fixed in the V2 versions. Take note of the What-if table in the August SU V2 publication on how to proceed if you already installed V1 using the workaround. TLDR;:
- If you installed V1 successfully (English OS), no action is needed, and installing V2 is optional (will only increase Exchange build numbers).
- If you installed V1 on a non-English OS with the workaround, uninstall August SU V1, restart, install August SU V2, and clean up the workaround (dummy ‘Network Service’ account)
- If you did not install V1 on a non-English OS or tried installing without success and re-enabled services using
ServiceControl.ps1 -AfterPatch, install the August SU V2 update.
Right after the release of the Security Update, reports came in from customers with failed deployments for non-English operating systems. Installing the SU failed, leaving their Exchange server in a non-functional state as Exchange-related services were disabled. After Microsoft investigated the issue, it was found the SU installer uses the textual “Network Service” security principal during configuration. This does not work in other languages, where it needs to be the localized name, e.g. Netzwerkdienst (German) or SERVICE LOCAL (French). Using the well-known SID for this service principal (S-1-5-20), or using this to look up the actual name, would be the way to address this. This is also what the workaround in the support article is basically doing:
Restore the startup state of Echange services using$exscripts\ServiceControl.ps1 AfterPatch.Creating a dummy “Network Service” account.Manually add Full Control on the ACL ofHKLM:\SOFTWARE\Microsoft\MSIPC\Serverfor the ‘real’ Network Service security principal, which is what the SU should be doing. Under this key is where licenses used for Azure Information Protection are stored.
While having a workaround helps, it is not very maintainable, which is why I expect Microsoft to publish an update for the Security Update. Also, the whole situation gives to think about the mindset of developers who apparently only test using English operating systems. With still significant on-premises Exchange presence in countries such as Germany and France, making code OS language-independent and having it tested could use improvement.
Fixed Issues
Apart from security fixes, these Security Updates also correct the following issues:
| Issue Fixed | Exchange 2016 | Exchange 2019 |
| DST settings are inaccurate after an OS update | Yes | Yes |
| Microsoft Exchange replication service repeatedly stops responding | Yes | Yes |
| Chinese coded characters aren’t supported in Exchange Admin Center | Yes | Yes |
| External email address field doesn’t display the correct username | Yes | Yes |
Notes
- Security updates are Cumulative Update level specific. You cannot apply the update for Exchange 2019 CU13 to Exchange 2019 CU12. When downloading, the security update will carry the same name for different Cumulative Updates, and I would suggest tagging the file name with the CU level when archiving it, e.g., Exchange2019-CU13-KBXXXXXX-x64-en.msp.
- Similar to Cumulative Updates, Security Updates are cumulative, and you only need to install the latest SU for your CU.
- If you have installed the Exchange Management Tools separately for managing your on-premises Exchange Servers or installed it after removal of the Last Exchange Server for recipient management, it is recommended to apply the Security Update.
On a final note, as with any patch or update, I’d recommend applying this in a test environment first prior to implementing it in production. However, it is not recommended to wait for regular maintenance cycles when it concerns security updates and follow a more agile approach; the ratings are an indication of the urgency.
