On March 2, 2021 Microsoft released a number of critical security updates for Exchange. These are not just routine Security Updates: they fix zero-day vulnerabilities and are therefore rated ‘critical’.
An additional problem is that exploitation has already been detected in the wild, so every internet-facing Exchange server is vulnerable. These vulnerabilities are used as part of an attack chain. The initial step requires only the ability to make an untrusted connection to the Exchange server on port 443, so anyone who can reach your Exchange server can attempt to exploit them.
It is (very) strongly recommended to patch your Exchange servers immediately and not to wait until the next Cumulative Update is released. To stress the importance of this issue, Microsoft organized webcasts about it, which were broadcast in APAC and EMEA; the Americas will most likely follow. The handout of the webcast is available at https://aka.ms/ExOOB.
A few remarks about this issue and the Security Updates:
- All internet-facing Exchange servers are vulnerable. All versions are affected, but the exploit has not been detected on Exchange 2010.
- If you have a hybrid environment and the firewall restricts port 443 to Microsoft only (so no one except Exchange Online can reach your Exchange server on port 443), the urgency is lower. The risk is still not reduced to zero, however.
- MFA in front of your Exchange servers does not reduce the risk, since the initial attack happens before MFA is triggered.
- Edge Transport servers do not use port 443, but it is still recommended to patch the Edge Transport servers as well.
- Updates are only available for the current Cumulative Update and the one before it, i.e. Exchange 2019 CU7/CU8 and Exchange 2016 CU18/CU19. For Exchange 2013 a Security Update is available only for Exchange 2013 CU23.
- If you are on an older version of Exchange, you must first upgrade to a supported CU. If you are on a really old version, take the required .NET Framework updates and schema changes into account. For an overview of the .NET Framework upgrade paths, check fellow MVP Michel de Rooij’s blog post Upgrade Paths for CU’s & .NET | EighTwOne (821).
- Don’t wait for the next Cumulative Update; this is a really urgent issue and you must act now!
- Updates are available through Windows Update and therefore also through WSUS. When installing manually, start the installer from a command prompt with elevated privileges. Installation this morning took approximately 15 to 20 minutes, on both Exchange 2016 and Exchange 2019.
- When running Exchange in a Database Availability Group, put the servers in maintenance mode before installing.
- After installing the patch, reboot the server.
More information can be found on:
- Zero Day Vulnerabilities Discovered in all Versions of Microsoft Exchange Server | Jaap Wesselius
- Released: March 2021 Exchange Server Security Updates - Microsoft Tech Community
- Multiple Security Updates Released for Exchange Server – Microsoft Security Response Center
- Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)
- HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security
Exchange Security Patch: ENow can help you track your progress
Do you have numerous Exchange servers that need to be patched? Knowing the version and patch level you are currently running enables you to assess the security risk in your environment and verify that the patch was installed successfully. Our ENow developers put together a custom PowerShell script that can be run directly in the ENow PowerShell wizard and returns the information needed to see which version your servers are running and whether the security patch was successful (PS: don’t forget to reboot your server after applying the patch).
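An inventory script along those lines, added here as an example and not the ENow script or any code from the original post: it lists every Exchange server with its Cumulative Update, the ExSetup.exe file version (the value that actually changes when a Security Update is installed) and whether the post-install reboot is still pending. It assumes an Exchange Management Shell session with WinRM access to each server; the expected post-update ExSetup.exe versions are placeholders to be filled in from KB5000871.

```powershell
<#  Added example, not the ENow script nor code from the original post.
    Run from the Exchange Management Shell with an account that can Invoke-Command to the
    other Exchange servers. Assumptions: the ExchangeInstallPath system variable exists on
    every server (Exchange Setup creates it); $PatchedExSetup is a PLACEHOLDER table that
    you fill from KB5000871 (key = CU build "major.minor.build", value = ExSetup.exe
    version after the Security Update).  #>
param(
    [hashtable]$PatchedExSetup = @{
        # '15.x.yyyy' = '15.x.yyyy.zz'   <- placeholder, take the real pairs from KB5000871
    }
)

# Runs on each server. ExSetup.exe is the binary whose file version changes when an SU is
# applied, while AdminDisplayVersion only reflects the Cumulative Update.
$probe = {
    $exe = Get-Item (Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe')
    $vi  = $exe.VersionInfo
    [pscustomobject]@{
        ExSetupVersion = '{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart
        ExSetupWritten = $exe.LastWriteTime
        LastBoot       = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# Note: Edge Transport servers without an Edge Subscription are not returned by
# Get-ExchangeServer; run the $probe block locally on those.
$report = foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
    # "Version 15.x (Build yyyy.z)" -> "15.x.yyyy"
    $cu = if ("$($srv.AdminDisplayVersion)" -match 'Version (\d+)\.(\d+) \(Build (\d+)\.') {
              '{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3] } else { 'unknown' }

    $p = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $probe -ErrorAction SilentlyContinue
    $status = if (-not $p) { 'UNREACHABLE' }
              elseif (-not $PatchedExSetup.ContainsKey($cu)) { 'UNKNOWN CU: compare with KB5000871' }
              elseif ([version]$p.ExSetupVersion -ge [version]$PatchedExSetup[$cu]) { 'PATCHED' }
              else { 'NOT PATCHED' }
    # ExSetup.exe replaced after the last boot => the post-install reboot has not happened yet.
    $rebootPending = [bool]$p -and ($p.ExSetupWritten -gt $p.LastBoot)

    [pscustomobject]@{
        Server = $srv.Name; Role = $srv.ServerRole; CU = $cu
        ExSetupVersion = $p.ExSetupVersion; Status = $status; RebootPending = $rebootPending
    }
}
$report | Format-Table -AutoSize
```

Servers reported as UNREACHABLE (typically Edge Transport servers in a DMZ) still need to be checked locally with the same ExSetup.exe test.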