Updates for Exchange 2013, 2016, and 2019
Earlier today, Microsoft released security updates for Exchange Server 2013, 2016, and 2019. The updates address known vulnerabilities, which means that they fix problems known to exist in the wild. It’s therefore important to install the security updates as quickly as possible, especially on any Exchange server connected to the internet. Microsoft says that they are unaware of any attackers exploiting the vulnerabilities, but the nature of the beast is that once people learn about software vulnerabilities, the affected servers become candidates for compromise.
The security updates are for:
Details of the vulnerabilities fixed are available in the Microsoft Security Response Center (Figure 1). It looks as if the problems are all elevation of privilege, which isn’t good news because this kind of problem can allow attackers to take complete control of servers.
Exchange Online and Hybrid Servers
Apart from updating the hybrid servers used with Exchange Online, no further action is necessary to protect Exchange Online. As you’ll recall, Microsoft recently released an update to allow organizations to remove the last physical Exchange server in a hybrid environment. The big caveat here is that this is only possible after the installation of Exchange 2019 CU12. Other considerations exist, like having to perform recipient management through PowerShell, but the existence of vulnerabilities in on-premises servers underlines the value of being able to remove unwanted servers.
Auto-Elevation to Install Security Updates
In a separate post, Microsoft explains that they are now releasing security updates and hotfixes as self-extracting auto-elevating executables. This is in addition to the existing Windows Installer Patch format. The reason for the change is that Microsoft receives support calls when administrators have problems applying security updates, many of which are because the installation runs without sufficient permissions. Microsoft notes that this can leave an Exchange server “in a bad state,” which is putting it mildly. Auto-elevation of permissions should address the issue.
Prepare Active Directory
The last point of note is that Microsoft emphasizes the need to run the Exchange server installation program with the /PrepareAllDomains switch AFTER installing the security update. This command makes sure that the domains in your Active Directory forest are prepared for Exchange server. The account used to run /PrepareAllDomains must be a member of the Enterprise Admins security group.
You only need to run /PrepareAllDomains once per organization (not after updating each server) and the change applies to all servers within the organization. Microsoft says that the step is necessary “because of additional security hardening work for CVE-2022-21978,” which is one of the vulnerabilities addressed by the updates.
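As an added example (not from the original post or from Microsoft), the following PowerShell checks that the current account is an Enterprise Admin, runs /PrepareAllDomains once from the Exchange setup media, and then reads the objectVersion of the Microsoft Exchange System Objects container in every domain of the forest, so you can confirm the domain preparation actually reached all of them. The setup path and the expected objectVersion value are assumptions; take the expected value for your CU and SU from Microsoft's Exchange Active Directory versions documentation.

```powershell
# Added example: verify prerequisites, run /PrepareAllDomains once, then check every domain.
# Requires the RSAT ActiveDirectory module and an elevated prompt on a domain-joined machine.
param(
    [string]$SetupPath = 'D:\Setup.exe',   # assumption: mounted Exchange CU ISO
    [int]$ExpectedObjectVersion = 0        # assumption: value for your CU/SU from Microsoft's docs; 0 = report only
)
Import-Module ActiveDirectory

# 1. Domain preparation writes to every domain, so the account must be an Enterprise Admin.
#    Enterprise Admins lives in the forest root domain and has the well-known RID 519.
$forest = Get-ADForest
$rootSid = (Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value
$isEA = [Security.Principal.WindowsIdentity]::GetCurrent().Groups.Value -contains "$rootSid-519"
if (-not $isEA) { throw 'Run this as a member of Enterprise Admins.' }

# 2. Prepare all domains once per organization, after the security update is installed.
#    CU12 and later require the _DiagnosticDataON/OFF form of the license switch;
#    earlier CUs use plain /IAcceptExchangeServerLicenseTerms.
& $SetupPath /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains
if ($LASTEXITCODE -ne 0) { throw "Setup.exe /PrepareAllDomains failed with exit code $LASTEXITCODE" }

# 3. Read objectVersion on the Microsoft Exchange System Objects container in each domain.
#    A missing container means the domain was never prepared for Exchange at all.
function Get-ExchangeDomainVersion {
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $meso = Get-ADObject -Server $domainName `
            -Identity "CN=Microsoft Exchange System Objects,$($domain.DistinguishedName)" `
            -Properties objectVersion -ErrorAction SilentlyContinue
        $version = $null
        if ($meso) { $version = $meso.objectVersion }
        [pscustomobject]@{ Domain = $domainName; ObjectVersion = $version }
    }
}

$results = Get-ExchangeDomainVersion
$results | Format-Table -AutoSize
if ($ExpectedObjectVersion -gt 0) {
    $behind = $results | Where-Object { $_.ObjectVersion -ne $ExpectedObjectVersion }
    if ($behind) {
        Write-Warning "Domains not at objectVersion $ExpectedObjectVersion: $($behind.Domain -join ', ')"
    }
}
```

Run it from one machine in the forest after the update is installed on the servers; re-running step 3 alone is a cheap way to spot a child domain that never received the change.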
Ready, Steady, Go
Last year’s Hafnium experience taught everyone how quickly attackers can exploit unpatched servers. Don’t let your server be compromised because of a known and patched vulnerability. Carve out some time to install this security update on your on-premises servers.