Keep on Patching
Fifteen weeks on from the Hafnium fiasco, I hope those responsible for Exchange Server maintenance haven’t forgotten the need to keep their on-premises servers fully patched and up to date. Microsoft has released security updates to address issues like the remote code execution vulnerabilities reported in CVE-2021-34473 and CVE-2021-31206. The updates apply to:
All servers, including those used for hybrid account management, must be updated.
Obviously, if you haven’t updated Exchange Server to one of the releases listed above, some extra effort is necessary to get to a suitable build.
Like taking a second vaccination dose to protect against Covid-19, full protection isn’t assured unless you also apply an Active Directory schema update. If you’re running Exchange 2016 CU21 or Exchange 2019 CU10, you’re already protected. Those running Exchange 2016 CU20 or Exchange 2019 CU9 need to extend the schema using the June 2021 cumulative updates.
For Those Running Exchange 2013
While Exchange 2016 and 2019 received schema updates through cumulative updates, Exchange 2013 was not updated in June 2021. Special processing is therefore needed for Exchange 2013 servers when Exchange 2013 is the latest server version in the organization (if it’s not, the schema updates are done when cumulative updates are applied to Exchange 2016 or 2019).
- Go ahead and install the security update for Exchange 2013 CU23. This leaves some updated schema files on the server but does not install them. Microsoft uses the security update to distribute the schema files to servers in the absence of a cumulative update.
- When you’re ready to extend the schema, run Setup.exe to perform the update (/prepareschema from v15\Bin). Setup will use the updated schema files left by the security update to apply the changes to Active Directory.
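The two steps above end with Setup.exe extending the schema, but nothing in the procedure tells you what actually changed in Active Directory. The script below is an added example (mine, not the article’s or Microsoft’s): it records the Exchange version markers in AD, runs the same /PrepareSchema command the article describes, then reads the markers again from the schema master so the change is visible and can be filed with the change record. Get-ADRootDSE, Get-ADObject, Get-ADForest and the Setup.exe switches are real; the $SetupFolder default (the article’s v15\Bin, resolved through the ExchangeInstallPath environment variable Exchange setup creates) and the reporting around them are my assumptions. Run it from an elevated PowerShell session on the Exchange 2013 server, with an account that holds Schema Admins and Enterprise Admins, on a machine in the same AD site as the schema master.

```powershell
# Added example, not code from the article or from Microsoft.
# Snapshot Exchange's AD version markers, run Setup.exe /PrepareSchema, and report what changed.
param(
    # Assumption: the folder holding Setup.exe and the updated schema (LDF) files left by the SU.
    [string]$SetupFolder = (Join-Path $env:ExchangeInstallPath 'Bin')
)
Import-Module ActiveDirectory

function Get-ExchangeAdVersionState {
    param([string]$Server)   # optional DC to read from; defaults to the module's chosen DC
    $dcArgs = @{}
    if ($Server) { $dcArgs['Server'] = $Server }

    $root = Get-ADRootDSE @dcArgs
    # The Exchange schema version lives in rangeUpper on ms-Exch-Schema-Version-Pt.
    $schemaObj = Get-ADObject @dcArgs -Identity "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)" `
        -Properties rangeUpper
    # The organization-level version lives in objectVersion on the Exchange organization container.
    $org = Get-ADObject @dcArgs -SearchBase "CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)" `
        -SearchScope OneLevel -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    [pscustomobject]@{
        ReadFrom         = $root.dnsHostName
        SchemaRangeUpper = $schemaObj.rangeUpper
        OrgObjectVersion = $org.objectVersion
    }
}

# Show which LDF files Setup will find next to it; the SU is supposed to have refreshed them.
Get-ChildItem -Path $SetupFolder -Filter '*.ldf' -ErrorAction SilentlyContinue |
    Select-Object Name, LastWriteTime | Format-Table -AutoSize

$before = Get-ExchangeAdVersionState
Write-Host ("Before: schema rangeUpper={0} orgVersion={1} (read from {2})" -f
    $before.SchemaRangeUpper, $before.OrgObjectVersion, $before.ReadFrom)

# The command the article (and the comment thread) uses. Native exe, so $LASTEXITCODE is set.
$setupExe = Join-Path $SetupFolder 'Setup.exe'
& $setupExe /IAcceptExchangeServerLicenseTerms /PrepareSchema
if ($LASTEXITCODE -ne 0) {
    throw "Setup.exe /PrepareSchema exited with code $LASTEXITCODE; see C:\ExchangeSetupLogs\ExchangeSetup.log"
}

# Schema changes originate on the schema master, so read the 'after' state there rather than
# from whichever DC the module picked (other DCs catch up through replication).
$schemaMaster = (Get-ADForest).SchemaMaster
$after = Get-ExchangeAdVersionState -Server $schemaMaster
Write-Host ("After:  schema rangeUpper={0} orgVersion={1} (read from {2})" -f
    $after.SchemaRangeUpper, $after.OrgObjectVersion, $after.ReadFrom)

if ($after.SchemaRangeUpper -eq $before.SchemaRangeUpper -and
    $after.OrgObjectVersion -eq $before.OrgObjectVersion) {
    # Not necessarily a failure: compare against the values Microsoft publishes for this update
    # before concluding anything, and check ExchangeSetup.log for which LDF files were imported.
    Write-Warning "Neither version marker changed. Verify Setup used the updated LDF files."
}
```

Keep both printed lines with the change ticket; if Setup refuses to run because the forest schema is already at a higher version (an Exchange 2016 or 2019 server in the organization has extended it), the article’s note applies: the schema work is then done by the newer version’s cumulative update, not by Exchange 2013 Setup.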
As always make sure that you apply Exchange server updates using an administrator account with elevated permissions. And (as pointed out in the comments), make sure that your server certificates are still valid.
Block the Attackers
One of the lessons we learned from Hafnium is how easy it is for attackers to exploit new weaknesses discovered in on-premises servers. The imperative is for administrators to stay on top of problems by installing security updates as soon as possible after Microsoft releases code. If you don’t, your servers might be on the target list for the next attack, and that wouldn’t be nice.
Are the security updates cumulative, or do I have to install each monthly security update sequentially?
I found conflicting answers online, so…
Security updates are incorporated into cumulative updates, so you can install the latest CU followed by the latest SU and you should be good to go.
I’m a little confused. After upgrading to CU20, do I also need to install the two ISU security updates? I thought they would be included, but the more I look at it the more I think I didn’t really patch the server very well!
CU20 is now out of date. You should be on Exchange 2016 CU22. https://support.microsoft.com/en-au/topic/cumulative-update-22-for-exchange-server-2016-kb5005333-ceb154d8-7116-43a5-83c1-205af7c43764
I have Exchange 2013 on-premises running with Microsoft Exchange Server KB5003435. I want to update to the patch in KB5004778. Can you suggest whether I should go ahead with this patch update?
Why not? It’s a July security update: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2013-july-13-2021-kb5004778-f532100d-a9c1-4f2c-bc36-baec95881011
Applied the update, but not the schema update yet. Can I run the schema update during production?
We have a single Exchange 2013 CU23 server with the security patch installed through Windows Update.
You can run a schema update in a production environment…
Thank you for the info provided, Tony. As a double check, I am looking, on the MS site, for info regarding the need for the schema update for Exchange 2013. In the KB page you linked in the article, under installation instructions, it is not mentioned at all. Where can I find this information, please? Best regards!
Details like those in the Microsoft post at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421
Exchange 2013 CU23 here.
None of my certificates are expired, yet this update breaks OWA with the error:
ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length <1
Uninstalling the update makes things work fine again.
I am not seeing any certificate errors with this update uninstalled.
Did you apply the directions in https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired? That’s the approved way to solve the certificate problem. If the Exchange installation procedure reports an issue (which it does when it attempts to retrieve certificates), there’s a problem there that needs to be fixed.
Obviously MS provides the two updates for Exchange 2016 CU20 and CU21.
Do previous Exchange 2016 CUs, like CU19, still have this exploit?
NM found it in this link:
We have a primary datacenter AD site (Internet-facing MX, mail flow) where Exchange 2010 is installed, and a second datacenter connected with VPN and site-to-site MPLS (without any version of Exchange Server). Can I introduce and upgrade from Exchange 2010 to Exchange 2016 directly by installing the 2016 version from the second AD site? Or do I have to install Exchange 2016 into the same AD site that already has Exchange 2010 installed?
Any article would be very welcome.
Thanks in advance!
I hesitate to give an answer to a question like this because I don’t have enough information about your environment. You should be very cautious about taking advice from a web site when people simply don’t understand the exact conditions which exist in your organization. If this is truly an urgent situation, you should seek help from a skilled Exchange practitioner with experience of doing similar upgrades and go through a detailed review of the environment and circumstances (and be prepared to pay for their time). Free advice is worth as much as you pay for it.
For anyone who has the HMAC issue with OWA/ECP on Exchange 2013
We have found that we had an expired cert which needed to be replaced using this:
Note this line:
In some environments, it may take an hour for the OAuth certificate to be published.
We waited the hour and then it worked, did not make any other changes.
Good point. Expired certificates will always be problematic…
Thank you for posting this fix. I can confirm this fixed our issue with Exchange 2013 after the patch last night. Make sure you don’t overwrite the primary email certificate as the first command will try to do that. You only need the thumbprint for the additional command.
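The HMACProvider.GetCertificates assertion reported in this thread, and the fix the commenters above arrived at, both come down to one question: does the certificate named in the Exchange auth configuration still exist, and is it still valid, on every Mailbox server? The script below is an added example of mine (not the article’s and not Microsoft’s KB procedure) that answers that question without changing anything, so you can see whether you are in the expired-OAuth-certificate situation before following the Microsoft article linked above. Get-AuthConfig, Get-ExchangeServer and Get-ExchangeCertificate are the real cmdlets; the $WarnDays threshold and the status labels are my assumptions. Run it from the Exchange Management Shell.

```powershell
# Added example, not code from the article or from Microsoft.
# Report the state of the OAuth (auth config) certificate on each Mailbox server.
function Test-ExchangeOAuthCertificate {
    [CmdletBinding()]
    param(
        # Assumption: flag certificates that expire within this many days.
        [int]$WarnDays = 30
    )

    $auth = Get-AuthConfig
    $thumb = $auth.CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning 'AuthConfig has no CurrentCertificateThumbprint; OAuth is not configured in this org.'
        return
    }
    if ($auth.NextCertificateThumbprint) {
        Write-Host ("A replacement certificate {0} is staged, effective {1}" -f
            $auth.NextCertificateThumbprint, $auth.NextCertificateEffectiveDate)
    }

    # Only Mailbox servers host the services that use this certificate.
    $servers = Get-ExchangeServer | Where-Object { "$($_.ServerRole)" -match 'Mailbox' }
    foreach ($srv in $servers) {
        # Get-ExchangeCertificate throws when the thumbprint is absent on that server; treat that as MISSING.
        $cert = Get-ExchangeCertificate -Server $srv.Name -Thumbprint $thumb -ErrorAction SilentlyContinue
        if (-not $cert) {
            [pscustomobject]@{ Server = $srv.Name; Status = 'MISSING'; NotAfter = $null; Subject = $null }
            continue
        }
        $daysLeft = ($cert.NotAfter - (Get-Date)).Days
        $status = if ($daysLeft -lt 0)         { 'EXPIRED' }
                  elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' }
                  else                          { 'OK' }
        [pscustomobject]@{
            Server   = $srv.Name
            Status   = $status
            NotAfter = $cert.NotAfter
            Subject  = $cert.Subject
        }
    }
}

# Usage: one row per Mailbox server; anything other than OK is worth fixing before the next patch cycle.
Test-ExchangeOAuthCertificate | Format-Table -AutoSize
```

A MISSING row on one server alongside OK rows on the others points at a server where the certificate was never published or was removed; an EXPIRED row on every server is the situation the Microsoft article above addresses. Either way this script only reads; the renewal itself stays with the documented procedure, and the warning in the comment above about not overwriting the primary SMTP certificate applies to that procedure, not to this check.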
I too have this exact same issue with Exchange 2013.
I have run the schema upgrade as per the article, and I can see that there are some new ldf files in the Setup folder dated 8/7/2021
However what has not been forthcoming from anywhere is what the schema version should actually be when this is run as I am assuming it should have a new version
When I run the schema command, it throws an error.
While it’s bad that you see an error, there’s little which can be done. You haven’t given enough context to allow anyone to assess the error. If you’re under support, you should file an incident with Microsoft and have them diagnose the issue.
Sorry for not providing more info:
When I run the schema command, I am getting this error:
E:\Exch2013\Bin>Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema
Setup encountered a problem while validating the state of Active Directory:
The Active Directory schema version (17002) is higher than Setup’s version (153
12). Therefore, PrepareSchema can’t be executed. See the Exchange setup log for
more information on this error.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150
Are you following the guidance to use the LDF files deposited in the Setup directory?
Thanks, it worked. I ran the setup from the directory of the LDF files and it worked.
E:\Exch2013_CU23\setup\data>Setup.exe /IAcceptExchangeServerLicenseTerms /Prepar
Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup
Performing Microsoft Exchange Server Prerequisite Check
Prerequisite Analysis COMPLETED
Configuring Microsoft Exchange Server
Extending Active Directory schema COMPLETED
The Exchange Server setup operation completed successfully.
I am also facing the same issue as above, I installed in Lab servers, but logged a change for prod.
Not sure what to do.
I had the same issue as Damian. After uninstalling the latest security update for Exchange 2013 it works again.
We’ve got the problem with OWA also on an Exchange 2016. An uninstall of the patch resolved the problem here too.
I have applied the patches in Exchange 2016 and have not had any problems.
On the other hand, with Exchange 2013, after applying the patch, this error appears when entering through OWA:
ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length <1
If you uninstall the patch, it works again.
I’ve asked Microsoft about the error you ran into. Stay tuned.
Thank you very much Tony!
Just checking, on the Exchange 2013 servers, you used the updated schema files placed into the \bin folder?
Yes, I did the /prepareschema from v15\Bin , but the result was the same.
On the other hand I have also applied this: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired
On one of this Exchange 2013 servers, I have renewed this cert, reapplied the patch + schema and it crashes again.
On another Exchange 2013 server, the OAuth certificate was not expired and has also failed with the same error.
I think the solution will come when Microsoft publishes V2 of the patch.
There’s certainly been a tremendous amount of Microsoft activity around this topic today. I see many posts to https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421 with responses from the folks responsible for patch management.
Is there any update on that failure?
We have the same error at two customers.
Did you check your certificates?
Which certificate? We have a public certificate and it is valid.
Try running https://aka.ms/ExchangeHealthChecker the Exchange Health checker to see if it throws up something. You can also post a question direct to Microsoft at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421, but before you do, make sure that you have run the health checker and collected as much information as you can about your environment.
Had the same issue, couldn’t get into OWA or ECP. But I renewed the cert thanks to this DAY/WEEKSAVING article and it worked instantly. Couldn’t believe it to be honest.