Important Fix for Vulnerability Affecting Exchange 2016 and 2019
Microsoft has released security updates for Exchange Server 2013, 2016, and 2019. The fixes apply to:
- Exchange Server 2013 CU23.
- Exchange Server 2016 CU21 and CU22.
- Exchange Server 2019 CU10 and CU11.
Given the heightened attention and focus on Exchange Server security following March’s Hafnium attack, I hope that administrators have upgraded their servers to the latest cumulative updates to be able to apply these fixes.
Post Authentication Vulnerability in the Wild
In particular, if you’re running Exchange 2016 or 2019, the security updates address a known post-authentication vulnerability circulating in the wild (CVE-2021-42321). According to the Microsoft Security Response Center, the vulnerability occurs “due to improper validation of cmdlet arguments.”
Post-authentication vulnerabilities are worrisome because they allow an attacker who already holds valid credentials for a server to exploit a weakness. Of course, to get there, the attacker needs to have stolen credentials in some way, but given the number of techniques available, like password sprays, to probe and recover user credentials, that might not be as difficult as some imagine.
The Exchange team says that they are aware of “limited targeted attacks” focusing on the vulnerability, which is good, but there’s no doubt that a limited attack can gain momentum quickly and become a much larger problem. For that reason, it’s important to get servers updated with the latest cumulative update and patched with the security update.
Microsoft also provides a quick PowerShell check for Exchange 2016 and 2019 servers that searches the Application event log for specific errors which might indicate that a server has been compromised:
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
If any events are returned by this command, you should contact Microsoft to report the problem and seek assistance.
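The same check is easy to run across every Exchange 2016 and 2019 server in an organization and to keep as evidence for a support case. The function below is an added example, not code from the article or from Microsoft. It assumes it runs in the Exchange Management Shell (for Get-ExchangeServer) or that server names are passed with -Server, and that the account can read the remote Application log; the function name, parameter names and the 30-day default window are all choices made here.

```powershell
# Added example (not the article's or Microsoft's own code): run the
# BinaryFormatter.Deserialize check against several Exchange servers and
# return one object per matching Application log event.
# Assumptions: Exchange Management Shell for Get-ExchangeServer (or pass -Server),
# and rights to read the remote Application event log.
function Find-ExchangeDeserializationErrors {
    [CmdletBinding()]
    param(
        # Servers to query; defaults to every Exchange 2016/2019 server in the org
        [string[]]$Server,
        # How far back to look; 30 days is an arbitrary default chosen here
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )

    if (-not $Server) {
        # AdminDisplayVersion renders as "Version 15.1 ..." for Exchange 2016
        # and "Version 15.2 ..." for Exchange 2019
        $Server = Get-ExchangeServer |
            Where-Object { $_.AdminDisplayVersion -match '^Version 15\.[12]' } |
            Select-Object -ExpandProperty Name
    }

    foreach ($name in $Server) {
        try {
            # Same log, source and level as Microsoft's one-liner, with a start
            # time so the query does not scan the whole Application log
            $events = Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
                LogName      = 'Application'
                ProviderName = 'MSExchange Common'
                Level        = 2            # 2 = Error
                StartTime    = $StartTime
            }
        } catch {
            # Get-WinEvent raises an error when nothing matches; that is the
            # clean case, so only surface other failures (access denied, RPC, ...)
            if ($_.Exception.Message -notmatch 'No events were found') {
                Write-Warning "$name : $($_.Exception.Message)"
            }
            continue
        }

        $events |
            Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $name
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    # first line of the message is enough for a summary table
                    Message     = ($_.Message -split "`n")[0]
                }
            }
    }
}

# Usage:
#   Find-ExchangeDeserializationErrors | Format-Table -AutoSize
#   Find-ExchangeDeserializationErrors -Server EX01, EX02 -StartTime (Get-Date).AddDays(-90) |
#       Export-Csv .\exchange-deserialize-events.csv -NoTypeInformation
```

An empty result is the expected outcome on a clean server. Any rows returned are the events Microsoft asks you to report; keep the CSV export, since the Application log may roll over before a support engineer looks at it.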
Exchange Online Unaffected
Microsoft says that the vulnerability doesn’t affect Exchange Online, except that an on-premises hybrid server might be attacked. This is unsurprising for several reasons, including that attackers might not be able to get to those servers to run the vulnerable cmdlet and that Microsoft patches Exchange Online servers on a rolling and ongoing basis. If you’re struggling with keeping Exchange on-premises servers patched, maybe it’s time to head to the cloud.
Hi all
We have an issue where, on all our servers, the “net.Tcp Port sharing service” gets stopped and disabled about 6 hours after starting it. I checked the event log and there is nothing like an error; it only says the service is stopped and then another event says it is disabled. There is no log other than this that I can look at to see what is causing this issue. I tried all sorts of options but nothing seems to tell me about the source.
Can anyone suggest a solution?
Have you reported the issue to Microsoft to ask them to have a look?
Does Exchange CU22 SU3 contain the patches from SU1 and SU2?
Aren’t you a little behind the curve asking about installing a potentially important patch four months after its release?
Is Exchange 2016 CU 19 vulnerable?
Yes. You’re out of support if you use that version. CU22 is the latest and that’s what you should be running: https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
No December CU, unlike previous years. Is that because there was this November SU, or is Exchange finally good enough that nothing needs to be changed anymore?
I believe it was just that they needed some extra time to work on the update.
Hello,
My system has Exchange 2016 CU19 installed. Today, I upgraded to Exchange 2016 CU21 and installed Microsoft’s patch KB5007409 for the authentication vulnerability (CVE-2021-42321).
After the installation finished, I kept getting logged out of OWA. Do you get this error, and how do you fix it?
To be sure, you installed the updates using an admin account?
Did you reboot? (it can cure any number of ills).
If you still have a problem, log a support call with Microsoft as there’s no way that I can check your system, but they can!
Put server in mgmt mode, upgrade to CU22, reboot, and test again. Remember to fix your namespaces.
Hi
I’m facing an issue with the net TCP sharing service: the service gets disabled regularly (almost every 24 hours), even without a reboot.
I googled the case and tried many things but nothing changed.
I ran the above command to check whether the system is compromised; it returns nothing, which means clean.
I’d contact Microsoft support and have them check things out.
Have not heard a lot on this subject, but with all the recent security exploits for on-premises Exchange, is Microsoft still trying to finally allow us to remove the last Exchange server? I am fortunate to be in a situation where all our accounts are migrated to O365 and we only keep the hybrid Exchange server because Microsoft recommends it.
I’m assuming Microsoft still intends to deliver a solution to the last on-premises Exchange server problem. I haven’t heard them decommit from this position.
For now they provided some KB on that topic https://support.microsoft.com/en-us/topic/owa-redirection-doesn-t-work-after-installing-november-2021-security-updates-for-exchange-server-2019-2016-or-2013-9dc8f203-351e-4527-b9b6-794a2c947d44
But not a full solution (and a working workaround only for Exchange 2019 and 2016, not 2013).