Update March 2021: This post relates to issues found in January 2021. A new, more serious set of security issues was found in March 2021. See Tony Redmond's post on the topic for more information.
Microsoft recently released several security updates for Exchange Server and SharePoint Server to fix flaws, for which proof-of-concept code exists, in all recent versions of both products, including Exchange Server 2010, which left extended support in October 2020 and was supposedly never to receive security patches again.
The fact that an out-of-support product was patched should indicate the severity of the issues. Although little has been published so far, Steven Seeley of Source Incite, who identified the vulnerabilities and reported them to Microsoft, explained that the flaw allows an attacker holding low-privilege credentials (for example, an ordinary user mailbox) to elevate to the SYSTEM account on the Exchange Server and retrieve information from it.
The vulnerabilities are not limited to one component either: they affect Exchange Web Services on Exchange 2016 and 2019, and the way OWA retrieves information via XML on Exchange 2013, 2016, and 2019.
SharePoint Server 2010 through 2019, which is installed on-premises less often than Exchange but is still a target, has a similar XML-based flaw, found by the same researcher.
Less information is available about the Exchange Server 2010 issue, which appears to be exploitable through the Exchange Management Shell. According to Microsoft, an authenticated user can exploit it by supplying cmdlet arguments. Most importantly, Microsoft considered it serious enough to release a new update rollup for a product that is already out of support.
Exchange Server Patches
Download the updates for Exchange Server from the Microsoft articles below. Each page links to the CVEs it addresses.
- Description of the security update for Microsoft Exchange Server 2010 Service Pack 3: December 8, 2020
- Description of the security update for Microsoft Exchange Server 2013: December 8, 2020
- Description of the security update for Microsoft Exchange Server 2019 and 2016: December 8, 2020
SharePoint Server Patches
Finally, the updates for SharePoint Foundation and SharePoint Server are linked below, again with the relevant CVEs on each page.
- Description of the security update for SharePoint Foundation 2010: December 8, 2020
- Description of the security update for SharePoint Foundation 2013: December 8, 2020
- Description of the security update for SharePoint Enterprise Server 2016: December 8, 2020
- Description of the security update for SharePoint Server 2019: December 8, 2020
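Installing the update is only half the job; you also want to confirm it actually landed on every server. As an added example (not from the original post, and not Microsoft's code), the following PowerShell checks the installed build on each Exchange server in the organisation and on the local SharePoint farm. The expected build numbers are assumed inputs that you take from the KB article matching your Cumulative Update or SharePoint version; they are deliberately not hard-coded here. It reads the ExSetup.exe file version because Exchange does not bump the display version (AdminDisplayVersion) for security updates, so that value alone cannot tell you whether the SU is present.

```powershell
# Added example, not from the original post: verify that a security update is
# installed by comparing real binary/farm build numbers with the build the KB
# article lists. $ExpectedExchangeBuild and $ExpectedSharePointBuild are
# assumptions you supply from the KB page for your CU / SharePoint version.
param(
    [version]$ExpectedExchangeBuild,    # e.g. from the Exchange KB page (assumed input)
    [version]$ExpectedSharePointBuild,  # e.g. from the SharePoint KB page (assumed input)
    [switch]$SkipSharePoint
)

# --- Exchange 2013 / 2016 / 2019 (run from the Exchange Management Shell) ---
# AdminDisplayVersion only reflects the CU, so read ExSetup.exe on each server.
# $env:ExchangeInstallPath is set on every Exchange server.
$exchangeResults = Get-ExchangeServer | ForEach-Object {
    $server = $_.Name
    try {
        $build = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            (Get-Item $exsetup).VersionInfo.ProductVersion
        }
        [pscustomobject]@{
            Server         = $server
            DisplayVersion = $_.AdminDisplayVersion
            ExSetupBuild   = [version]$build
            Patched        = if ($ExpectedExchangeBuild) {
                                 [version]$build -ge $ExpectedExchangeBuild
                             } else { 'unknown (no expected build given)' }
        }
    }
    catch {
        # Unreachable servers are reported, not silently dropped: an unpatched
        # server you could not query is still an unpatched server.
        [pscustomobject]@{
            Server         = $server
            DisplayVersion = $_.AdminDisplayVersion
            ExSetupBuild   = $null
            Patched        = "error: $($_.Exception.Message)"
        }
    }
}
$exchangeResults | Sort-Object Server | Format-Table -AutoSize

# --- SharePoint 2013 / 2016 / 2019 (run on a server in the farm) ---
if (-not $SkipSharePoint) {
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }
    $farmBuild = (Get-SPFarm).BuildVersion
    [pscustomobject]@{
        FarmBuild = $farmBuild
        Patched   = if ($ExpectedSharePointBuild) {
                        $farmBuild -ge $ExpectedSharePointBuild
                    } else { 'unknown (no expected build given)' }
    } | Format-List

    # Per-server view: flags servers where the binaries were updated but the
    # configuration wizard (psconfig) has not yet been run, which is a common
    # reason a SharePoint farm reports an older build than the installed patch.
    Get-SPProduct -Local | Select-Object DisplayName, Version |
        Format-Table -AutoSize
}
```

Two caveats when reading the output. Exchange security updates are built per Cumulative Update, so compare against the build listed for the CU you are on, not the highest build on the KB page. For SharePoint, a farm build lower than the expected one after the patch was installed usually means the SharePoint Products Configuration Wizard has not been run on every server yet; the update is not complete until it has.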
If you have any questions, please let us know in the comment section.