Microsoft Exchange Remote Code Execution Vulnerability Flaws and Their Fixes
Summary: Increasing attacks on Microsoft Exchange servers have become a pain point for Microsoft and businesses worldwide. Microsoft identified new vulnerabilities, which enable the threat actors to access the server, install malware, or run their programs remotely. In this guide, we discuss the Exchange server vulnerabilities and steps to safeguard the server.
On March 2, 2021, Microsoft released emergency patches and an Exchange On-Premises Mitigation Tool (EOMT) for on-premises Exchange server 2019, 2016, and 2013 to safeguard the servers against four zero-day vulnerabilities.
Threat groups such as Hafnium exploited the ProxyLogon vulnerability to gain access to Exchange servers and installed web shells that provided access to email accounts and facilitated installing malware or ransomware on the target server. Therefore, it is critical to detect vulnerabilities and update the server with the latest cumulative and security updates.
In case you haven’t installed the latest Exchange server patches, we strongly advise you to do so immediately.
Exchange Server Vulnerability Flaws and Their Fixes
Microsoft released a new Exchange Server Health Checker PowerShell script to help Exchange administrators check if their Exchange 2019, 2016, or 2013 server is vulnerable and needs an update. The PowerShell script also helps you find configuration and performance issues and speeds up the information-gathering process. It further tells you if your server is behind on Cumulative Updates (CUs) or Security Updates (SUs).
To run the script and install updates on your Exchange server, follow these steps:
Step 1: Download Exchange Server Health Checker Script
Visit GitHub to download the latest HealthChecker.ps1 PowerShell script release on your Exchange 2019, 2016, or 2013 server. Exchange 2010 users can download the V2 release on their servers.
Step 2: Run the Health Checker Script via Exchange Management Shell (EMS)
On your server, open the Exchange Management Shell and then navigate to the folder where you’ve downloaded the HealthChecker.ps1 PowerShell script. Then enter the following command to execute the script in default mode on the local server.
.\HealthChecker.ps1
To run the script against a specific Exchange server, execute the following command in the EMS:
.\HealthChecker.ps1 -Server EXCHSRV1
NOTE: If you see the “HealthChecker.ps1 is not digitally signed. The script will not execute on the system.” error while executing the script, you can change the execution policy by using the following cmdlet in EMS.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Type ‘Y’ and press Enter to confirm the change.
This will give you temporary permission to execute the HealthChecker.ps1 script. The script will display all the security vulnerabilities you need to patch against by installing the latest updates released by Microsoft. If you see multiple vulnerabilities, you may want to check if your Exchange server is compromised. For this, you can use the one-click Exchange On-Premises Mitigation Tool (EOMT).
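Before relaxing the execution policy, it helps to confirm why PowerShell rejected the script. The following is an added example, not part of the original guide or of Microsoft's tooling: it inspects the Authenticode signature and download marker of HealthChecker.ps1 and runs the script only when the signature is valid and from the expected publisher. The function name Invoke-VerifiedScript and the default signer pattern are assumptions for illustration.

```powershell
# Added example: inspect a downloaded script's signature before running it.
# Invoke-VerifiedScript and $ExpectedSubject are illustrative names (assumptions).
function Invoke-VerifiedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the release copy is signed by a publisher matching this subject pattern.
        [string]    $ExpectedSubject  = '*O=Microsoft Corporation*',
        # Named parameters to pass through, e.g. @{ Server = 'EXCHSRV1' }.
        [hashtable] $ScriptParameters = @{}
    )

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName

    # Record what was actually on disk when the check ran.
    $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
    Write-Host "File   : $($file.FullName)"
    Write-Host "SHA256 : $hash"
    Write-Host "Status : $($sig.Status)"

    # A Zone.Identifier stream (mark of the web) is why RemoteSigned treats the file as remote.
    $motw = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    Write-Host "Marked as downloaded: $([bool]$motw)"

    switch ($sig.Status) {
        'Valid' {
            $subject = $sig.SignerCertificate.Subject
            if ($subject -notlike $ExpectedSubject) {
                throw "Signed, but by an unexpected publisher: $subject"
            }
            Write-Host "Signer : $subject"
        }
        'NotSigned'    { throw 'No signature present. Download the release copy again rather than bypassing the policy.' }
        'HashMismatch' { throw 'Content changed after signing. Do not run this copy.' }
        default        { throw "Signature not accepted: $($sig.StatusMessage)" }
    }

    # Reached only for a valid, expected signature, which RemoteSigned and AllSigned also accept.
    & $file.FullName @ScriptParameters
}

# Usage in the Exchange Management Shell, from the download folder:
# Invoke-VerifiedScript -Path .\HealthChecker.ps1
# Invoke-VerifiedScript -Path .\HealthChecker.ps1 -ScriptParameters @{ Server = 'EXCHSRV1' }
```

A NotSigned or HashMismatch result means the copy on disk is not the signed release, which is a reason to download it again rather than to bypass the policy.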
Step 3: Run EOMT
To mitigate risks, check server vulnerability, and apply security updates, run the EOMT tool on your server. It also helps apply the patches. The steps are as follows:
- Download the EOMT tool and extract the folder at your desired location.
- Open EMS and then navigate to …\CSS-Exchange-main\CSS-Exchange-main\Security\src location.
- Now, enter the following command to run the EOMT tool and start the mitigation process.
.\EOMT.ps1
- It runs an MSERT scan in Quick Mode and quarantines threats and web shells (found when your server is compromised).
Step 4: Download Exchange Server Updates
Follow the instructions below to download and install the updates manually on your server.
March 2021 Exchange Server Security Updates
To install the March 2021 updates, you may download the March 2021 Exchange Server Security Update. However, the April 2021 update also contains the March 2021 patches.
April 2021 Exchange Server Security Updates
In April 2021, Microsoft identified 114 CVEs (Common Vulnerabilities and Exposures), including two Remote Code Execution (RCE) vulnerabilities, CVE-2021-28480 and CVE-2021-28481, before they were exploited by attackers. The two significant RCE vulnerabilities were found and disclosed by the NSA. To cover these vulnerabilities, Microsoft released patches and advised on-premises Exchange customers to install the updates as soon as possible to ensure protection from such attacks and other threats. Microsoft released specific cumulative updates (CU) for Exchange to patch April 2021 vulnerabilities, which are as follows:
- Exchange Server 2019 CU8 and CU9
- Exchange Server 2016 CU19 and CU20
- Exchange Server 2013 CU23
May 2021 Exchange Server Security Updates
Microsoft released the May 2021 security updates to patch 55 vulnerabilities. This includes three zero-day vulnerabilities that the threat actors could have exploited. These critical CVEs are as follows:
- CVE-2021-31207
This vulnerability was found and showcased in the 2021 Pwn2Own contest. The details of the exploit will be published at some point. Threat actors can take advantage of this vulnerability to attack Exchange servers. Thus, it is critical to patch this zero-day vulnerability.
- CVE-2021-31200
It is an RCE (Remote Code Execution) vulnerability, similar to ProxyLogon, which was exploited by the Hafnium group and other threat actors back in March 2021.
- CVE-2021-31204
This is an Elevation of Privilege vulnerability in .NET and Visual Studio.
The latter two are publicly disclosed vulnerabilities. Hence, it is critical to patch these vulnerabilities.
Download the May 2021 Cumulative Updates (CUs).
- Exchange Server 2013: CU23
- Exchange Server 2016: CU19 & CU20
- Exchange Server 2019: CU8 & CU9
June 2021 Exchange Server Security Updates
Microsoft released the June 2021 security updates to patch 50 vulnerabilities. These include six zero-day vulnerabilities that are being exploited in the wild by threat actors. In terms of severity, 5 of the vulnerabilities are rated critical and 45 important.
The updates are released to patch vulnerabilities found in Microsoft Windows, Microsoft Edge, .NET Core and Visual Studio, Microsoft Office, Hyper-V, Visual Studio Code – Kubernetes Tools, SharePoint Server, Windows Remote Desktop, and Windows HTML Platform.
The zero-day vulnerabilities that are exploited in the wild (now patched in June updates) are:
- CVE-2021-33742 (Critical, CVSS* 7.5)
Windows MSHTML Platform Remote Code Execution Vulnerability.
- CVE-2021-31201 (Important, CVSS 5.2)
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.
- CVE-2021-31955 (Important, CVSS 5.5)
Windows Kernel Information Disclosure Vulnerability.
- CVE-2021-31956 (Important, CVSS 7.8)
Windows NTFS Elevation of Privilege Vulnerability.
- CVE-2021-33739 (Important, CVSS 8.4)
Microsoft DWM Core Library Elevation of Privilege Vulnerability.
- CVE-2021-31199 (Important, CVSS 5.2)
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.
- CVE-2021-31968 (Not Exploited, CVSS 7.5)
Windows Remote Desktop Services Denial of Service Vulnerability.
*CVSS: Common Vulnerability Scoring System.
[Update] June 2021 Cumulative Updates for Exchange Server
Microsoft has released the quarterly Cumulative Updates (CUs) for Exchange Server 2016 and 2019. The CUs bring fixes to the issues reported by the customers, new security features, and security updates. The CUs also include the Antimalware Scan Interface or AMSI (exists in Windows Server 2016 and 2019) integration with Exchange Server 2016 and Exchange server 2019 to make servers more secure.
The AMSI integration in Exchange Server aims to provide real-time antivirus and antimalware scanning to block malicious requests before they reach the Exchange Server. This enables automatic mitigation and protects your Exchange servers from malicious attacks.
Following are the June 2021 Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019 that you can download.
- Exchange Server 2019 Cumulative Update 10 (KB5003612): VLSC Download | Download
- Exchange Server 2016 Cumulative Update 21 (KB5003611): Download | UM Lang Packs
July 2021 Exchange Server Security Updates
Microsoft released July 2021 Exchange Server security updates to patch new vulnerabilities reported by the Microsoft team, security groups, and partners. Although there is no information if any vulnerability is being exploited in the wild, Microsoft recommends installing these updates immediately to safeguard the Exchange Server against malicious attacks.
These vulnerabilities affect the on-premises versions of Exchange Server 2013, 2016, and 2019. The July 2021 updates for Exchange Server are as follows:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU20 and CU21
- Exchange Server 2019 CU9 and CU10
After downloading the updates, you can follow the steps below to install the July 2021 security updates.
However, this time, you also need to perform additional steps after installing the Exchange security updates. These steps are as follows:
- In Exchange 2019 CU9 and Exchange 2016 CU20, extend the schema using June 2021 CUs.
- In Exchange Server 2013 CU23, install the July 2021 updates and then extend the AD Schema by running the following command, using the setup.exe from the location “c:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe”:
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
September 2021 Exchange Server Security Updates
Cyberattacks on on-premises Exchange servers continue to increase even after Microsoft has released patches for three major ‘proxy’ (authentication bypass) flaws. The attacks are now more sophisticated, and thus, it’s critical to keep your on-premises Exchange Servers updated.
Updating servers requires a lot of time and resources, but it is a continuous process. So even if you have updated your Exchange servers to the July 2021 updates, installing the September 2021 updates is critical to prevent HAFNIUM-level attacks.
The process of updating Exchange Servers remains the same. Before installing the updates as discussed in this blog, you must run the health checker script and Exchange On-Premises Mitigation Tool (EOMT).
Most importantly, Microsoft has also released a new Emergency Mitigation (EM) tool, an emergency server mitigation tool shipped with the September 2021 quarterly Cumulative Updates (CUs), to help businesses that are slow to patch their servers.
The tool detects vulnerable Exchange Servers and applies temporary mitigations (pre-configured settings) to protect Exchange servers against various known threats. The EM tool is automatically installed with September 2021 or later CU released for Exchange 2016 and 2019 servers with Mailbox role.
- Download Exchange Server 2016 Cumulative Update 22
- Download Exchange Server 2019 Cumulative Update 11
After downloading the updates, you can follow the steps below to install the latest security and cumulative updates released by Microsoft.
October 2021 Exchange Server Security Updates
Microsoft released several Security Updates (SUs) for the on-premises Exchange Server to patch critical vulnerabilities. It is recommended that organizations apply the October 2021 Exchange Server Security Updates immediately to protect their Exchange environment.
Microsoft has released October 2021 SUs for the following Exchange Server versions:
- Exchange Server 2013 (CU23)
- Exchange Server 2016 (CU21, CU22)
- Exchange Server 2019 (CU10, CU11)
Exchange 2010 is no longer supported.
If your Exchange Server is not running on the supported Cumulative Update (CU) version, we recommend you upgrade immediately and apply October 2021 security updates. Follow this guide to upgrade Exchange Server with the latest CU version.
Currently, there are no reports of active exploitation in the wild of the vulnerabilities addressed in the October 2021 updates. However, you should update your servers immediately to prevent any malicious attacks.
November 2021 Exchange Server Security Updates
Microsoft has released important Security Updates containing patches to fix 55 critical bugs, including six zero-day vulnerabilities mainly affecting the Exchange Server 2016 and 2019 versions. The updates have been rolled out for the following Exchange Server builds:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU21 and CU22
- Exchange Server 2019 CU10 and CU11
If your Exchange Server is running on an older Cumulative Update (CU), it is highly recommended to upgrade the server to the latest builds and then apply the November 2021 Security Updates. You can’t install November 2021 updates on an older, or unsupported Exchange Server build.
Microsoft has confirmed limited, targeted attacks in the wild exploiting CVE-2021-42321—Post-Authentication RCE vulnerability—found in Exchange 2016 and 2019.
Update your servers immediately to patch these vulnerabilities and safeguard your servers.
December 2021 Exchange Server Cumulative Updates
Quarterly Cumulative Updates (CUs) for Microsoft Exchange Server were supposed to be released in December 2021. However, Microsoft announced in a blog post that it would not release any of the Cumulative Updates scheduled for Exchange Server 2013, 2016, or 2019 in December 2021. Microsoft urged its customers to keep their servers updated to the latest Cumulative and Security Updates to safeguard servers against malicious attacks.
January 2023 Exchange Server Security Updates
Microsoft released January 2023 security updates for on-premises Exchange Server 2013, 2016, and 2019 on this year’s first Patch Tuesday. The updates patch the following Remote Code Execution (RCE) vulnerabilities reported by Microsoft’s team and their security researcher partners:
- CVE-2023-21846
- CVE-2023-21855
- CVE-2023-21969
There haven’t been any reports of any active exploits in the wild. However, you should immediately install these security updates to patch your Exchange Server and protect your organization.
The updates can be applied to the following on-premises Exchange Server builds, including those in Exchange Hybrid mode.
- Exchange Server 2013 CU23
- Exchange Server 2016 CU21 and CU22
- Exchange Server 2019 CU10 and CU11
If your Exchange Server is running on an earlier CU, update to the supported CU and then install the January 2023 security updates by following the steps discussed below.
March 2023 Exchange Server Security Updates
Microsoft has released new Security Updates (SUs) for the on-premises and hybrid Exchange Servers to resolve vulnerabilities found in Exchange Server 2013, 2016, and 2019.
March 2023 SUs are released for the following Exchange Server builds:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU21 and CU22
- Exchange Server 2019 CU10 and CU11
Exchange 2010 is no longer supported. If you are running a lower CU, it is recommended that you upgrade to the latest CU to continue receiving security updates.
According to Microsoft, there are no reports of any active exploits in the wild. However, it is highly recommended that you apply March 2023 Exchange Server Security Updates immediately to protect your organization from potential malicious attacks.
IMPORTANT NOTE: If you experience an error while installing the Security updates, use SetupAssist Script. For more information, refer to this Microsoft Team blog.
April 2023 Cumulative Updates Released for Exchange Server 2016 and 2019
Microsoft recently announced the release of Exchange Server 2016 and Exchange Server 2019 Cumulative Updates (CUs). It also revised the servicing model from four (Q1, Q2, Q3, & Q4) quarterly releases to two (H1 & H2) half-yearly releases.
The H1 release includes Cumulative Updates for Exchange 2016 CU23 and Exchange 2019 CU12. The H2 update will be released after 6 months for Exchange 2019 only. Microsoft has ended the mainstream support for Exchange 2016 with the CU23 release.
You can download the CU23 and CU12 for Exchange 2016 and 2019, respectively, using the following links:
- Exchange Server 2019 CU12
- Exchange Server 2016 CU23 | CU23 UM Language Packs
Before you install the CU, update the following and create a backup:
- Microsoft .NET 4.8 framework
- Visual C++ Redistributable Package for Visual Studio 2013
May 2023 Exchange Server Security Update Released
Microsoft has released new Security Updates (SUs) for the on-premises and hybrid Exchange Servers on May 10, 2023, to resolve vulnerabilities reported by security partners and the internal processes. Although there are no reports of any active exploitation yet, it’s highly suggested that you install the May 2023 Security Updates immediately to safeguard your organization from malicious attacks.
The May 2023 Security Updates are released for the following Exchange Server builds:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12
The May 2023 Security Update is more critical as it patches the following vulnerability, rated as important with a CVSS v3 score of 8.2, indicating high severity.
CVE-2023-21978 — A Microsoft Exchange Server Elevation of Privilege vulnerability. Attackers can use the vulnerability to elevate themselves to Domain Administrators. However, the attacker must be an authenticated user or member of a highly privileged group to exploit the vulnerability.
For installation, you can follow the steps given below.
Also, after installing the May 2023 Security Update, you must execute the following command to strengthen security.
- Open Command Prompt as administrator.
- In the elevated Command Prompt window, use the cd command to navigate to the Bin folder location. For instance,
cd C:\Program Files\Microsoft\Exchange Server\Vxx\Bin
- In Exchange 2016 CU22 and CU23 or Exchange Server 2019 CU11 and CU12, run the following command:
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains
- In Exchange 2013 CU23, run the following command:
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
If your organization is running on an older version, upgrade to the supported CU and install the May 2023 Security Updates. Follow our guide on upgrading Exchange Server 2013/2016/2019 Cumulative Updates.
August 2023 Exchange Server Security Updates
After a two-month gap, Microsoft has finally released new Security Updates to patch vulnerabilities and bugs found in Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
These updates are special because you (admins) need to enable Windows Extended Protection (WEP) on the Exchange Servers using the script provided by Microsoft. You can download the latest version of the script from here.
Make sure to refer to the documentation to completely understand the WEP pre-requisites and issues before running the script on your server. The script will enable the feature automatically and relaunch.
To install the August 2023 Security Updates on your Exchange Server, download the SUs for the following Cumulative Updates (CUs). If you are running on a lower CU, make sure to upgrade it immediately and then install the August 2023 SUs.
- Exchange Server 2013 CU23.
- Exchange Server 2016 CU22 and CU23.
- Exchange Server 2019 CU11 and CU12.
Microsoft now provides SUs in self-extracting packages. Download the updates and install them as any other program.
However, you still need to run /PrepareAllDomains after installing the August 2023 SU.
To learn more about the vulnerabilities and bugs fixed by the August 2023 Security updates, refer to the MSRC.
October 2023 Exchange Server Security Updates
Microsoft has recently released several new Security Updates (SUs) to address and patch vulnerabilities reported by security partners and Microsoft’s internal processes in Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.
- Exchange Server 2013 (CU23)
- Exchange Server 2016 (CU22, CU23)
- Exchange Server 2019 (CU11, CU12)
NOTE: Run the script to enable the Windows Extended Protection as it’s required to install August 2023 and later updates. If you have already installed the August 2023 patches, you don’t need to run the script again.
If you are running on a lower Cumulative Update (CU), make sure to upgrade your servers immediately to the supported CU and then install the September 2023 SUs. These updates are critical and thus, must be applied to the servers immediately to protect your Exchange infrastructure.
The updates patch the following vulnerabilities (CVEs):
- CVE-2023-21979 – Microsoft Exchange Information Disclosure Vulnerability
- CVE-2023-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-30134 – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2023-34692 – Microsoft Exchange Information Disclosure Vulnerability
IMPORTANT NOTE: The October 2023 Exchange Server Security Updates do not include any patch for the two zero-day vulnerabilities (CVE-2023-41040 and CVE-2023-41082) reported in September 2023. Refer to our article to learn how attackers are exploiting the two new zero-day vulnerabilities on Exchange Servers in the wild and how to protect your server until the new security updates are released.
November 2023 Exchange Server Security Updates
Microsoft has released new Security Updates (SUs) to patch vulnerabilities found in the following Exchange Server versions:
- Exchange Server 2013 CU23 (support ends in April 2023)
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12
The updates also contain patches for the following two zero-day vulnerabilities, which were reported in September 2023 but were not patched by the October 2023 updates:
- CVE-2023-41040
- CVE-2023-41082
The updates also resolve the following issues:
- Delivery Report search from ECP might fail with IIS logs showing SEC_E_BAD_BINDINGS in a cross-site scenario after enabling Extended Protection.
- Export-UMPrompt could fail with InvalidResponseException.
Thus, you must immediately download and install these security updates to protect your Exchange organization from threat actors.
IMPORTANT NOTES:
- The October 2023 Exchange Server Security Updates do not include any patch for the two zero-day vulnerabilities (CVE-2023-41040 and CVE-2023-41082) reported in September 2023. Refer to our article to learn how attackers are exploiting the two new zero-day vulnerabilities on Exchange Servers in the wild and how to protect your server until the new security updates are released.
- Microsoft now provides SUs in self-extracting packages. Thus, you can download the updates and install them as any other program.
- Once updated, there is no additional action required.
Steps to Install Exchange Server Security Updates
Follow these methods to install security updates on your Exchange server.
Method 1. Use Exchange Update Wizard
Visit the Exchange Update Wizard page and then follow these steps:
- Choose your current Exchange version from the ‘Your Exchange version’ dropdown list.
- Choose the current CU installed on your Exchange server from the ‘Current installed CU’ dropdown list.
- Then select the ‘Required CU’ from the dropdown list and click ‘Tell me the steps’.
Then follow the steps listed to update your Exchange server to the latest Cumulative Updates.
Method 2. Install Latest Microsoft Exchange Server Updates Manually
You may also download the Cumulative Updates for March, April, May, and June mentioned above and install them manually by following the instructions given below.
These updated files are in .MSP format. Never double-click on an .MSP file to install the updates. Follow the instructions below to install Exchange Server security updates.
- Disable the anti-malware or anti-virus software and then press Windows + S keys.
- Type Command Prompt in the search box. Then right-click on Command Prompt and choose ‘Run as administrator.’
- Now navigate to the folder path location (using the cd command) where you’ve saved the Cumulative Updates (CUs) or .MSP files. For instance,
cd C:\Users\ravis\Downloads
- Then enter the following command in Command Prompt window to run and install the Cumulative Updates.
.\Exchange2016-KB5003435-x64-en.msp
TIP: You may also type the entire path of the .MSP file to run the installation.
- Click ‘Open’ when prompted.
- After the installation, restart the server and then enable the anti-malware or anti-virus software.
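The elevation requirement in these steps can be checked rather than assumed: an .MSP started from a normal (non-administrator) context can leave some files not correctly updated, which is why double-clicking is discouraged. The following is an added example, not from the original guide or from Microsoft: Install-ExchangeMsp is a hypothetical helper that refuses to run without elevation, applies the patch through msiexec with a verbose log, and interprets the standard Windows Installer exit codes. The default log location is an assumption.

```powershell
# Added example: apply an Exchange .MSP from an elevated session with logging.
# Install-ExchangeMsp is a hypothetical helper name, not a Microsoft cmdlet.
function Install-ExchangeMsp {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MspPath,
        # Assumption: a log in the temp folder is acceptable; pass another path if not.
        [string] $LogPath = (Join-Path $env:TEMP 'Exchange-SU-install.log')
    )

    # Refuse to continue without elevation: a patch applied from a normal
    # (non-administrator) context can leave some files not updated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
    if (-not $principal.IsInRole($adminRole)) {
        throw 'This session is not elevated. Reopen the shell with "Run as administrator".'
    }

    $msp = Get-Item -LiteralPath $MspPath -ErrorAction Stop
    if ($msp.Extension -ne '.msp') {
        throw "Not an .MSP file: $($msp.Name)"
    }

    # msiexec /update applies the patch; /l*v writes a verbose log for troubleshooting.
    $arguments = @('/update', "`"$($msp.FullName)`"", '/l*v', "`"$LogPath`"")
    $process   = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru

    # Standard Windows Installer exit codes.
    $result = switch ($process.ExitCode) {
        0       { 'Installed' }
        3010    { 'Installed, restart required' }
        1641    { 'Installed, restart initiated' }
        1618    { 'Another installation is already in progress' }
        1602    { 'Cancelled by the user' }
        default { 'Failed' }
    }

    [pscustomobject]@{
        Package  = $msp.Name
        ExitCode = $process.ExitCode
        Result   = $result
        Log      = $LogPath
    }
}

# Usage, from the folder holding the update:
# Install-ExchangeMsp -MspPath .\Exchange2016-KB5003435-x64-en.msp
```

When the result is Failed, the verbose log at the reported path shows which action the installer stopped on.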
In case of an error or issue during installation, refer to the best practices to upgrade Exchange to the latest Cumulative Update.
NOTE: To continue receiving Cumulative and Security Updates, you should always keep your Exchange environment to the currently supported version.
Conclusion
Although Microsoft regularly releases Cumulative and Security updates to patch Exchange Server vulnerabilities, the patches may not always arrive in time. In March 2021, more than 30,000 Exchange servers were compromised before Microsoft released the updates to patch the ProxyLogon vulnerability.
Thus, as an administrator, it’s your job to keep the servers safe from such malicious attacks. The best defense is to enable automatic updates. However, if the server has crashed due to such malicious attacks, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from inaccessible databases.