Summary: Increasing attacks on Microsoft Exchange servers have become a pain point for Microsoft and businesses worldwide. Microsoft identified new vulnerabilities, which enable the threat actors to access the server, install malware, or run their programs remotely. In this guide, we discuss the Exchange server vulnerabilities and steps to safeguard the server.
On March 2, 2021, Microsoft released emergency patches and an Exchange On-Premises Mitigation Tool (EOMT) for on-premises Exchange server 2019, 2016, and 2013 to safeguard the servers against four zero-day vulnerabilities.
The threat groups, such as Hafnium, exploited ProxyLogon vulnerability to gain access to the Exchange server and installed web shells that provided access to email accounts and facilitated installing malware or ransomware on the target server. Therefore, it is critical to detect vulnerabilities and update the server with the latest cumulative and security updates.
In case you haven’t installed the latest Exchange server patches, we strongly advise you to do so immediately.
Contents
Microsoft released a new Exchange Server Health Checker PowerShell script to help Exchange administrators check if their Exchange 2019, 2016, or 2013 server is vulnerable and needs an update. The PowerShell script also enables you to find configuration issues, performance issues, and speed up the information gathering process. It further tells you if your server is behind Cumulative Updates (CUs) or Security Updates (SUs).
To run the script and install updates on your Exchange server, follow these steps:
Visit Github to download the latest HealthChecker.ps1 PowerShell script release on your Exchange 2019, 2016, or 2013 server. Exchange 2010 users can download the V2 release on their servers.
On your server, open the Exchange Management Shell and then navigate to the folder where you’ve downloaded the HealthChecker.ps1 PowerShell script. Then enter the following command to execute the script in default mode on the local server.
.\HealthChecker.ps1
To run the cmdlet for a specific Exchange server, execute the following command in the EMS:
.\HealthChecker.ps1 -Server EXCHSRV1
NOTE: If you see “HealthChecker.ps1 is not digitally signed. The script will not execute on the system.” error while executing the cmdlet, you can change the execution policy by using the following cmdlet in EMS.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
Type ‘Y’ and press Enter to confirm the change.
This will give you temporary permission to execute the HealthChecker.ps1 script. The script will display all the security vulnerabilities you need to patch against by installing the latest updates released by Microsoft. If you see multiple vulnerabilities, you may want to check if your Exchange server is compromised. For this, you can use the one-click Exchange On-Premises Mitigation Tool (EOMT).
To mitigate risks, check server vulnerability, and apply security updates, run the EOMT tool on your server. It also helps apply the patches. The steps are as follows:
.\EOMT.ps1
Follow the instructions below to download and install the updates manually on your server.
To install the March 2021 updates, you may download the March 2021 Exchange Server Security Update. However, the April 2021 update also contains the March 21 patches.
In April 2021, Microsoft identified 114 CVEs (Common Vulnerabilities and Exposure), including two Remote Code Execution (RCE) vulnerability flaws CVE-2021-28480 and CVE-2021-28481, before they were exploited by the attackers. The two significant RCE vulnerabilities were found and disclosed by the NSA. To cover these vulnerabilities, Microsoft released patches and advised on-premises Exchange customers to install the updates as soon as possible to ensure protection from such attacks and other threats. Microsoft released specific cumulative updates (CU) for Exchange to patch April 2021 vulnerabilities, which are as follows:
Microsoft released the May 2021 security updates to patch 55 vulnerabilities. This includes three zero-day vulnerabilities that the threat actors could have exploited. These critical CVEs are as follows:
This vulnerability was found and showcased in the 2021 Pwn2Own contest. The details of the exploit will be published at some point. Threat actors can take advantage of this vulnerability to attack Exchange servers. Thus, it is critical to patch this zero-day vulnerability.
It is an RCE (Remote Code Execution) vulnerability, similar to the ProxyLogon that was exploited by the Hafnium group and other threat actors back in March 2021.
This an Elevation of Privilege vulnerability in .NET and Visual Studio.
The latter two are publicly disclosed vulnerabilities. Hence, it is critical to patch these vulnerabilities.
Download the May 2021 Cumulative Updates (CUs).
Microsoft released June 2021 security updates to patch 50 vulnerabilities. These include six zero-day vulnerabilities that are being exploited in the wild by threat actors. Out of all, in terms of severity, 5 vulnerabilities are considered as critical while 45 as important.
The updates are released to patch vulnerabilities found in Microsoft Windows, Microsoft Edge, .NET Core and Visual Studio, Microsoft Office, Hyper-V, Visual Studio Code – Kubernetes Tools, SharePoint Server, Windows Remote Desktop, and Windows HTML Platform.
The zero-day vulnerabilities that are exploited in the wild (now patched in June updates) are:
Windows MSHTML Platform Remote Code Execution Vulnerability.
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2.
Windows Kernel Information Disclosure Vulnerability, CVSS 5.5.
Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8.
Microsoft DWM Core Library Elevation of Privilege Vulnerability.
Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2.
Windows Remote Desktop Services Denial of Service Vulnerability
*CVSS: Common Vulnerability Scoring System.
Microsoft has released the quarterly Cumulative Updates (CUs) for Exchange Server 2016 and 2019. The CUs bring fixes to the issues reported by the customers, new security features, and security updates. The CUs also include the Antimalware Scan Interface or AMSI (exists in Windows Server 2016 and 2019) integration with Exchange Server 2016 and Exchange server 2019 to make servers more secure.
The AMSI integration in Exchange Server aims to provide real-time antivirus and antimalware scan ability to block malicious requests before they reached the Exchange Server. This will enable the automatic mitigation and protect your Exchange servers from malicious attacks.
Following are the June 2021 Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019 that you can download.
Microsoft released July 2021 Exchange Server security updates to patch new vulnerabilities reported by the Microsoft team, security groups, and partners. Although there is no information if any vulnerability is being exploited in the wild, Microsoft recommends installing these updates immediately to safeguard the Exchange Server against malicious attacks.
These vulnerabilities affects the on-premises version of Exchange Server 2013, 2016, and 2019. The July 2021 updates for Exchange Server are as follows:
After downloading the updates, you can follow the steps below to install the July 2021 security updates.
However, this time, you also need to perform additional steps after installing the Exchange security updates. These steps are as follows:
“Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms” using the setup.exe from location “c:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe”
Cyberattacks on on-premises Exchange servers continue to increase even after Microsoft has released patches for three major ‘proxy’ (authentication bypass) flaws. The attacks are now more sophisticated, and thus, it’s critical to keep your on-premises Exchange Servers updated.
However, updating servers require a lot of time and resources. But this is a continuous process. So even if you have updated your Exchange servers to July 2021 updates, installing September 2021 is critical to prevent HAFNIUM-level attacks.
The process of updating Exchange Servers remains the same. Before installing the updates as discussed in this blog, you must run the health checker script and Exchange On-Premises Mitigation Tool (EOMT).
Most importantly, Microsoft has also released a new Emergency Mitigation (EM), an emergency server mitigation tool with September 2021 quarterly Cumulative Updates (CUs) to help businesses that are slow or take time to patch their server.
The tool detects vulnerable Exchange Servers and applies temporary mitigations (pre-configured settings) to protect Exchange servers against various known threats. The EM tool is automatically installed with September 2021 or later CU released for Exchange 2016 and 2019 servers with Mailbox role.
After downloading the updates, you can follow the steps below to install the latest security and cumulative updates released by Microsoft.
Microsoft released several Security Updates (SUs) for the on-premises Exchange Server to patch critical vulnerabilities. It is recommended that organizations apply the October 2021 Exchange Server Security Updates immediately to protect their Exchange environment.
Microsoft has released October 2021 SUs for the following Exchange Server versions,
Exchange 2010 is no more supported.
If your Exchange Server is not running on the supported Cumulative Update (CU) version, we recommend you upgrade immediately and apply October 2021 security updates. Follow this guide to upgrade Exchange Server with the latest CU version.
Currently, there is no information of any active exploitation of vulnerabilities in the wild that are addressed in October 2021. However, you should update your servers immediately to prevent any malicious attacks.
Microsoft has released important Security Updates containing patches to fix 55 critical bugs, including six zero-day vulnerabilities mainly affecting the Exchange Server 2016 and 2019 versions. The updates have been rolled out for the following Exchange Server builds,
If your Exchange Server is running on an older Cumulative Update (CU), it is highly recommended to upgrade the server to the latest builds and then apply the November 2021 Security Updates. You can’t install November 2021 updates on an older, or unsupported Exchange Server build.
Microsoft has confirmed limited, targeted attacks in the wild exploiting CVE-2021-42321—Post-Authentication RCE vulnerability—found in Exchange 2016 and 2019.
Update your servers immediately to patch these vulnerabilities and safeguard your servers.
Quarterly Cumulative Updates (CUs) for Microsoft Exchange Server were supposed to be released in December 2021. However, Microsoft informed in a blog post that they will not be releasing any Cumulative Updates scheduled for Exchange Server 2013, 2016, or 2019 in December 2021. Microsoft urged their customers to keep their servers updated to the latest Cumulative and Security Updates to safeguard servers against malicious attacks.
Microsoft released January 2022 security updates for on-premises Exchange Server 2013, 2016, and 2019 on this year’s first Patch Tuesday. The updates patches following Remote Code Execution (RCE) vulnerabilities reported by Microsoft’s team and their security researcher partners.
There haven’t been any reports of any active exploits in the wild. However, you should immediately install these security updates to patch your Exchange Server and protect your organization.
The updates can be applied to the following on-premises Exchange Server builds, including those in Exchange Hybrid mode.
If your Exchange Server is running on earlier CU, update t the supported CU and then install the January 2022 security updates by following the steps discussed below.
Microsoft has released new Security Updates (SUs) for the on-premises and hybrid Exchange Servers to resolve vulnerabilities found in Exchange Server 2013, 2016, and 2019.
March 2022 SUs are released for the following Exchange Server builds,
Exchange 2010 is no more supported. If you are running a lower CU, it is recommended that you upgrade to the latest CU to continue receiving Security updates.
According to Microsoft, there are no reports of any active exploits in the wild. However, it is highly recommended that you apply March 2022 Exchange Server Security Updates immediately to protect your organization from potential malicious attacks.
IMPORTANT NOTE: If you experience an error while installing the Security updates, use SetupAssist Script. For more information, refer to this Microsoft Team blog.
Microsoft recently announced the release of Exchange Server 2016 and Exchange Server 2019 Cumulative Updates (CUs). It also revised the servicing model from four (Q1, Q2, Q3, & Q4) quarterly releases to two (H1 & H2) half-yearly releases.
The H1 release includes Cumulative Updates for Exchange 2016 CU23 and Exchange 2019 CU12. The H2 update will be released after 6-months for only Exchange 2019. Microsoft has ended the mainstream support for Exchange 2016 with the CU23 release.
You can download the CU23 and CU12 for Exchange 2016 and 2019, respectively, using the following links,
Before you install the CU, update the following and create a backup,
Microsoft has released new Security Updates (SUs) for the on-premises and hybrid Exchange Servers on May 10, 2022, to resolve vulnerabilities reported by security partners and the internal processes. Although there are no reports of any active exploitation yet, it’s highly suggested that you install the May 2022 Security Updates immediately to safeguard your organization from malicious attacks.
The May 2022 Security Updates are released for the following Exchange Server builds:
The May 2022 Security Update is more critical as it patches the following vulnerability rated as important with a CVSS v3 score of 8.2 —indicating high severity.
CVE-2022-21978 — A Microsoft Exchange Server Elevation of Privilege vulnerability. Attackers can use the vulnerability to elevate themselves to Domain Administrator. However, the attacker must be an authenticated user or member of a highly privileged group to exploit the vulnerability.
For installation, you can follow the steps given below.
Also, after installing the May 2022 Security Update, you must execute the following command to strengthen security.
cd C:\Program Files\Microsoft\Exchange Server\Vxx\Bin
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains
Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAllDomains
If your organization is running on an older version, upgrade to the supported CU and install the May 2022 Security Updates. Follow our guide on upgrading Exchange Server 2013/2016/2019 Cumulative Updates.
Follow these methods to install security updates on your Exchange server.
Visit the Exchange Update Wizard page and then follow these steps:
Then follow the steps listed to update your Exchange server to the latest Cumulative Updates.
You may also download the Cumulative Updates for March, April, May, and June mentioned above and install them manually by following the instructions given below.
These update files are in .MSP format. Never double-click on an .MSP file to install the updates. Follow the instructions below to install Exchange Server security updates.
cd C:\Users\ravis\Downloads
.\ Exchange2016-KB5003435-x64-en.msp
TIP: You may also type the entire path of the .MSP file to run the installation.
In case of an error or issue during installation, refer to the best practices to upgrade Exchange to the latest Cumulative Update.
NOTE: To continue receiving Cumulative and Security Updates, you should always keep your Exchange environment to the currently supported version.
Conclusion
Although Microsoft regularly releases Cumulative and Security updates to patch Exchange Server vulnerabilities, this may not always be the case. In March 2021, more than 30,000 Exchange servers were compromised until Microsoft released the updates to patch the ProxyLogon vulnerability.
Thus, as an administrator, it’s your job to keep the servers safe from such malicious attacks. The best defense is to enable automatic updates. However, if the server has crashed due to such malicious attacks, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from the inaccessible databases.
Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 6 years of experience in technical writing. He writes about Data Recovery, File Repair, Email Migration, Linux, Windows, Mac, and DIY Tech. Ravi spends most of his weekends working with IoT devices and playing games on the Xbox. He is also a solo traveler who loves hiking and exploring new trails.
