Important Fix for Vulnerability Affecting Exchange 2016 and 2019

Microsoft has released security updates for Exchange Server 2013, 2016, and 2019 (the November 2021 security updates). The updates can only be installed on servers running one of the following cumulative updates:

  • Exchange Server 2013 CU23.
  • Exchange Server 2016 CU21 and CU22.
  • Exchange Server 2019 CU10 and CU11.

Given the heightened attention paid to Exchange Server security since March’s Hafnium attacks, I hope that administrators have already brought their servers up to one of the cumulative updates listed above, because a security update will not install on an older CU.

Post Authentication Vulnerability in the Wild

In particular, if you’re running Exchange 2016 or 2019, the security updates fix a post-authentication remote code execution vulnerability (CVE-2021-42321) that is already being exploited in the wild. According to the Microsoft Security Response Center, the vulnerability occurs “due to improper validation of cmdlet arguments.” Exchange 2013 is not affected by this particular CVE, but the November update still applies to it for other fixes.

Post-authentication vulnerabilities are worrisome because an attacker who can log on as an ordinary Exchange user can turn that foothold into control of the server; in this case, one valid account is enough to run code on the Exchange server. Of course, the attacker first needs working credentials, but given the tools available for password spraying and other credential theft, obtaining a single valid account is often easier than many imagine.

The Exchange team says that it is aware of “limited targeted attacks” exploiting the vulnerability. Limited is better than widespread, but there’s no doubt that a limited attack can gain momentum quickly once the details are public and become a much larger problem. For that reason, it’s important to bring servers to a supported cumulative update and then install the security update.

Microsoft also provides a quick PowerShell check to run on Exchange 2016 and 2019 servers. It searches the Application event log (not the System log) for error events from the MSExchange Common source whose message mentions BinaryFormatter.Deserialize, which Microsoft treats as an indicator that someone has attempted to exploit the vulnerability against the server. Run it in Windows PowerShell on the server itself, since Get-EventLog is not available in PowerShell 7:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

If the command returns any events, treat the server as potentially compromised: preserve the logs, contact Microsoft to report the problem and seek assistance, and start your incident response process. A clean result is not proof that the server was never attacked, so the security update needs to be installed either way.
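Microsoft’s one-liner checks a single server. As an added example (not code from the article or from Microsoft), the script below runs the same selection against every Exchange 2016 and 2019 server in the organization, using Get-WinEvent so it also works from PowerShell 7, and distinguishes a genuinely clean server from one it simply could not reach. Only the log, source and message pattern come from Microsoft’s check; the server discovery, the 30-day window and the output format are my assumptions, and it assumes it is run from the Exchange Management Shell (or given an explicit -Server list) with remote event log access allowed.

```powershell
<#
Added example, not the article's or Microsoft's code: sweep every Exchange 2016/2019
server for the Application-log indicator Microsoft associates with CVE-2021-42321
exploitation attempts, instead of running the one-liner on each server by hand.

Assumptions (mine): Get-ExchangeServer is available (Exchange Management Shell) or
-Server is passed; Get-WinEvent -ComputerName is allowed through the firewall;
the 30-day lookback is arbitrary and should cover the server's uptime.
#>
[CmdletBinding()]
param(
    [string[]]$Server,
    [int]$LookbackDays = 30
)

function Get-AffectedExchangeServer {
    # CVE-2021-42321 affects Exchange 2016 (version 15.1) and 2019 (15.2) only,
    # so Exchange 2013 (15.0) servers are skipped when discovering the list.
    if ($Server) { return $Server }
    if (-not (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue)) {
        throw 'Get-ExchangeServer is not available; run from the Exchange Management Shell or pass -Server.'
    }
    Get-ExchangeServer |
        Where-Object { $_.AdminDisplayVersion.Major -eq 15 -and $_.AdminDisplayVersion.Minor -ge 1 } |
        Select-Object -ExpandProperty Name
}

function Get-DeserializeErrorEvent {
    param([string]$ComputerName, [int]$Days)

    # Same selection as Microsoft's one-liner (Application log, source "MSExchange Common",
    # Error level, message mentioning BinaryFormatter.Deserialize), expressed as a
    # Get-WinEvent filter hashtable so it also runs under PowerShell 7.
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Common'
        Level        = 2                      # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent raises an error instead of returning nothing when no events match.
        # That case is "clean"; anything else (RPC unavailable, access denied) is a real
        # failure and must not be reported as a clean server.
        if ($_.Exception.Message -like 'No events were found*') { return }
        Write-Warning "$ComputerName : could not read the Application log ($($_.Exception.Message))"
        return
    }

    foreach ($e in $events | Where-Object { $_.Message -like '*BinaryFormatter.Deserialize*' }) {
        $msg = $e.Message -replace '\s+', ' '
        [pscustomobject]@{
            Server      = $ComputerName
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Message     = $msg.Substring(0, [Math]::Min(200, $msg.Length))
        }
    }
}

$hits = foreach ($name in Get-AffectedExchangeServer) {
    Write-Verbose "Checking $name"
    Get-DeserializeErrorEvent -ComputerName $name -Days $LookbackDays
}

if ($hits) {
    Write-Warning 'Possible CVE-2021-42321 exploitation attempts found. Preserve the logs and contact Microsoft.'
    $hits | Sort-Object Server, TimeCreated | Format-Table -AutoSize -Wrap
}
else {
    Write-Host "No matching events in the last $LookbackDays days. This is not proof of absence; install the security update regardless."
}
```

The try/catch matters: Get-WinEvent reports “no events” as an error, and a script that silences all errors would report an unreachable server as clean. Servers that could not be queried are listed as warnings so they can be checked by hand.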

Exchange Online Unaffected

Microsoft says that Exchange Online customers are already protected, so the vulnerability only matters for on-premises servers, including the on-premises servers kept in hybrid deployments, which must be patched like any other. This is unsurprising: Microsoft patches Exchange Online servers on a rolling and ongoing basis, and attackers cannot reach those servers to run the problem cmdlet in the way an authenticated user can against an on-premises server. If you’re struggling with keeping Exchange on-premises servers patched, maybe it’s time to head to the cloud.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Omer Mohammed

    Hi all

    We have an issue where on all our servers the “Net.Tcp Port Sharing Service” gets stopped and disabled about 6 hours after starting it. I checked the event log and there is nothing like an error; it only says the service was stopped, and then another event says it was disabled. There is no log other than this that I can look at to find what is causing this issue. I tried all sorts of options but nothing seems to tell me about the source.

    Can anyone suggest a solution?

  2. David

    Does Exchange CU22 SU3 contain the patches from SU1 and SU2?

  3. Steven Brown

    Is Exchange 2016 CU 19 vulnerable?

  4. Joost

    No December CU, like in previous years. Is that because there was this November SU, or is Exchange finally good enough that nothing needs to be changed anymore?

  5. Huyen Nguyen

    Hello,

    My system had Exchange 2016 CU19 installed. Today, I upgraded to Exchange 2016 CU21 and installed Microsoft’s patch KB5007409 for the authentication vulnerability (CVE-2021-42321).
    After the installation finished, I kept getting logged out of OWA. Did you get this error, and how do you fix it?

    1. JW

      Put server in mgmt mode, upgrade to CU22, reboot, and test again. Remember to fix your namespaces.

  6. Omer Mohammed

    Hi,
    I’m facing an issue with the Net.Tcp Port Sharing Service: the service gets disabled regularly (almost every 24 hours), even without a reboot.
    I googled the case and tried many things but nothing changed.

    I ran the above command to check whether the system is compromised; it returned nothing, which means clean.

  7. Ray

    I have not heard a lot on this subject, but with all the recent security exploits for on-premises Exchange, is Microsoft still trying to finally allow us to remove the last Exchange server? I am fortunate to be in a situation where all our accounts are migrated to O365 and we only keep the hybrid Exchange server because Microsoft recommends it.