Microsoft Exchange Remote Code Execution Vulnerability Flaws and Their Fixes

Updated on January 14th, 2022

Shaun Hardneck

Summary: Increasing attacks on Microsoft Exchange servers have become a pain point for Microsoft and businesses worldwide. Microsoft identified new vulnerabilities that enable threat actors to access the server, install malware, or run their own programs remotely. In this guide, we discuss the Exchange server vulnerabilities and the steps to safeguard the server.

On March 2, 2021, Microsoft released emergency patches and an Exchange On-Premises Mitigation Tool (EOMT) for on-premises Exchange server 2019, 2016, and 2013 to safeguard the servers against four zero-day vulnerabilities.

Threat groups such as Hafnium exploited the ProxyLogon vulnerability to gain access to Exchange servers and installed web shells that provided access to email accounts and made it easy to install malware or ransomware on the target server. It is therefore critical to detect vulnerabilities and keep the server updated with the latest Cumulative and Security Updates.

In case you haven’t installed the latest Exchange server patches, we strongly advise you to do so immediately.

Exchange Server Vulnerability Flaws and Their Fixes

Microsoft released a new Exchange Server Health Checker PowerShell script to help Exchange administrators check whether their Exchange 2019, 2016, or 2013 server is vulnerable and needs an update. The script also finds configuration and performance issues and speeds up information gathering. It further tells you whether your server is behind on Cumulative Updates (CUs) or Security Updates (SUs).

To run the script and install updates on your Exchange server, follow these steps:

Step 1: Download Exchange Server Health Checker Script

Visit Github to download the latest HealthChecker.ps1 PowerShell script release on your Exchange 2019, 2016, or 2013 server. Exchange 2010 users can download the V2 release on their servers.

Step 2: Run the Health Checker Script via Exchange Management Shell (EMS)

On your server, open the Exchange Management Shell and then navigate to the folder where you’ve downloaded the HealthChecker.ps1 PowerShell script. Then enter the following command to execute the script in default mode on the local server.

.\HealthChecker.ps1


To run the script against a specific Exchange server, execute the following command in the EMS:

.\HealthChecker.ps1 -Server EXCHSRV1

NOTE: If you see the “HealthChecker.ps1 is not digitally signed. The script will not execute on the system.” error while running the script, you can change the execution policy for the current shell process only by using the following cmdlet in EMS.

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass


Type ‘Y’ and press Enter to confirm the change.

This gives the current shell session temporary permission to execute the HealthChecker.ps1 script; the execution policy for the machine and the user is unchanged, and the setting is gone once the shell is closed. The script lists the security vulnerabilities your server is exposed to and the updates from Microsoft that fix them. If you see multiple vulnerabilities, you may also want to check whether your Exchange server has already been compromised. For this, you can use the one-click Exchange On-Premises Mitigation Tool (EOMT).
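The following wrapper is an added example, not part of the original article or of Microsoft's HealthChecker project. It runs HealthChecker.ps1 against every Exchange server in the organization from the Exchange Management Shell, relaxes the execution policy for this process only (the same command the article shows), records the script's hash before running it, and keeps a transcript of the run. It assumes HealthChecker.ps1 is in the current folder and that -Server (the parameter shown in the article) is the only parameter needed; the expected hash is a placeholder to be taken from the download source.

```powershell
# Added example (not from the original article or the HealthChecker project).
# Runs HealthChecker.ps1 against all Exchange servers from the EMS with a
# process-scoped execution policy and a transcript of the run.
# Assumptions: HealthChecker.ps1 is in the current folder; only -Server is used.

$scriptPath = Join-Path -Path (Get-Location) -ChildPath 'HealthChecker.ps1'
if (-not (Test-Path $scriptPath)) { throw "HealthChecker.ps1 not found in $(Get-Location)" }

# Record what is about to run. Compare the hash with the one published for the
# release you downloaded so a tampered copy is not executed under a relaxed policy.
$expectedSha256 = '<sha256-from-the-release-page>'   # placeholder: fill in from the download source
$actualSha256   = (Get-FileHash -Path $scriptPath -Algorithm SHA256).Hash
Write-Host "HealthChecker.ps1 SHA256: $actualSha256"
if ($expectedSha256 -notlike '<*' -and $actualSha256 -ne $expectedSha256) {
    throw 'HealthChecker.ps1 hash does not match the published value; not running it.'
}

# Relax the policy for this shell process only; nothing machine-wide changes and the
# setting disappears when the shell closes. -Force suppresses the Y/N prompt.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

# Keep a transcript so the findings can be attached to the change record.
$logDir = Join-Path $env:TEMP 'HealthCheckerRuns'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir ('HealthChecker-{0:yyyyMMdd-HHmm}.log' -f (Get-Date)))

# Get-ExchangeServer is an EMS cmdlet; each server is checked individually with -Server.
foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
    Write-Host "=== $($srv.Name) ($($srv.AdminDisplayVersion)) ==="
    try {
        & $scriptPath -Server $srv.Name
    } catch {
        Write-Warning "HealthChecker failed on $($srv.Name): $_"
    }
}

Stop-Transcript
```

Run it from an elevated Exchange Management Shell in the folder that holds HealthChecker.ps1. The hash comparison is skipped while the placeholder is in place; once you paste the published value, a mismatch stops the run before the execution policy is relaxed.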

Step 3: Run EOMT

To mitigate the risk, check the server for vulnerabilities, and apply the security updates, run the EOMT tool on your server. The steps are as follows:

  • Download the EOMT tool and extract the folder at your desired location.
  • Open EMS and then navigate to …\CSS-Exchange-main\CSS-Exchange-main\Security\src location.
  • Now, enter the following cmdlet to run the EOMT tool and start the mitigation process.

.\EOMT.ps1

  • The tool runs a Microsoft Safety Scanner (MSERT) scan in Quick Mode and quarantines any threats and web shells it finds, which indicate that the server has been compromised.

Step 4: Install Exchange Server Updates

Follow the instructions below to download and install the updates manually on your server.

March 2021 Exchange Server Security Updates

To install the March 2021 updates, you may download the March 2021 Exchange Server Security Update. However, the April 2021 update also contains the March 2021 patches.

April 2021 Exchange Server Security Updates

In April 2021, Microsoft identified 114 CVEs (Common Vulnerabilities and Exposures), including two Remote Code Execution (RCE) vulnerabilities, CVE-2021-28480 and CVE-2021-28481, before they were exploited by attackers. The two significant RCE vulnerabilities were found and disclosed by the NSA. To cover these vulnerabilities, Microsoft released patches and advised on-premises Exchange customers to install the updates as soon as possible to ensure protection from such attacks and other threats. Microsoft released specific Cumulative Updates (CUs) for Exchange to patch the April 2021 vulnerabilities, which are as follows:

May 2021 Exchange Server Security Updates

Microsoft released the May 2021 security updates to patch 55 vulnerabilities. This includes three zero-day vulnerabilities that the threat actors could have exploited. These critical CVEs are as follows:

This vulnerability was found and showcased in the 2021 Pwn2Own contest. The details of the exploit will be published at some point. Threat actors can take advantage of this vulnerability to attack Exchange servers. Thus, it is critical to patch this zero-day vulnerability.

It is an RCE (Remote Code Execution) vulnerability, similar to the ProxyLogon that was exploited by the Hafnium group and other threat actors back in March 2021.

This is an Elevation of Privilege vulnerability in .NET and Visual Studio.

The latter two are publicly disclosed vulnerabilities. Hence, it is critical to patch these vulnerabilities.

Download the May 2021 Cumulative Updates (CUs).

  • Exchange Server 2013: CU23
  • Exchange Server 2016: CU19 & CU20
  • Exchange Server 2019: CU8 & CU9

June 2021 Exchange Server Security Updates

Microsoft released the June 2021 security updates to patch 50 vulnerabilities. These include six zero-day vulnerabilities that are being exploited in the wild by threat actors. In terms of severity, 5 of the vulnerabilities are rated critical and 45 important.

The updates are released to patch vulnerabilities found in Microsoft Windows, Microsoft Edge, .NET Core and Visual Studio, Microsoft Office, Hyper-V, Visual Studio Code – Kubernetes Tools, SharePoint Server, Windows Remote Desktop, and Windows HTML Platform.

The zero-day vulnerabilities that are exploited in the wild (now patched in June updates) are:

Windows MSHTML Platform Remote Code Execution Vulnerability.

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2.

Windows Kernel Information Disclosure Vulnerability, CVSS 5.5.

Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8.

Microsoft DWM Core Library Elevation of Privilege Vulnerability.

Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2.

Windows Remote Desktop Services Denial of Service Vulnerability.

*CVSS: Common Vulnerability Scoring System.

[Update] June 2021 Cumulative Updates for Exchange Server

Microsoft has released the quarterly Cumulative Updates (CUs) for Exchange Server 2016 and 2019. The CUs bring fixes for issues reported by customers, new security features, and security updates. The CUs also integrate the Antimalware Scan Interface (AMSI), available in Windows Server 2016 and 2019, with Exchange Server 2016 and Exchange Server 2019 to make the servers more secure.

The AMSI integration in Exchange Server provides real-time antivirus and antimalware scanning that can block malicious requests before they reach the Exchange Server. This enables automatic mitigation and protects your Exchange servers from malicious attacks.

Following are the June 2021 Cumulative Updates (CUs) for Exchange Server 2016 and Exchange Server 2019 that you can download.

July 2021 Exchange Server Security Updates

Microsoft released July 2021 Exchange Server security updates to patch new vulnerabilities reported by the Microsoft team, security groups, and partners. Although there is no information if any vulnerability is being exploited in the wild, Microsoft recommends installing these updates immediately to safeguard the Exchange Server against malicious attacks.

These vulnerabilities affect the on-premises versions of Exchange Server 2013, 2016, and 2019. The July 2021 updates for Exchange Server are as follows:

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU20 and CU21
  • Exchange Server 2019 CU9 and CU10

After downloading the updates, you can follow the steps below to install the July 2021 security updates.

However, this time, you also need to perform additional steps after installing the Exchange security updates. These steps are as follows:

  • In Exchange 2019 CU9 and Exchange 2016 CU20, extend the schema using June 2021 CUs.
  • In Exchange Server 2013 CU23, install the July 2021 updates and then extend the AD schema using the following command, run with the Setup.exe located at c:\Program Files\Microsoft\Exchange Server\V15\Bin\setup.exe:

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
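After extending the schema, a practitioner wants proof that the change is in place and has replicated to every domain controller before the next server is touched. The script below is an added example, not part of the original article or of Exchange Setup; it reads the rangeUpper attribute of ms-Exch-Schema-Version-Pt (the value /PrepareSchema raises) and the objectVersion of the Exchange organization container from each domain controller. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the shell runs as a user who can read the schema and configuration partitions; the expected rangeUpper is a placeholder to be taken from Microsoft's schema-change table for the exact CU/SU installed.

```powershell
# Added example (not from the original article or from Exchange Setup).
# Verifies that "Setup.exe /PrepareSchema" took effect and replicated to all DCs.
# Assumptions: ActiveDirectory module available; read access to schema/config partitions.

Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaDn = "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)"
$orgBase  = "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)"

# Placeholder: the expected rangeUpper for the CU/SU you applied, taken from Microsoft's
# "Active Directory schema changes" table. 0 means "report only, do not compare".
$expectedRangeUpper = 0

function Get-ExchangeSchemaState {
    param([Parameter(Mandatory)][string]$DomainController)

    # rangeUpper on this schema attribute is what /PrepareSchema raises.
    $schema = Get-ADObject -Identity $schemaDn -Properties rangeUpper -Server $DomainController

    # objectVersion on the organization container tracks /PrepareAD; shown for completeness.
    $org = Get-ADObject -SearchBase $orgBase -LDAPFilter '(objectClass=msExchOrganizationContainer)' `
                        -Properties objectVersion -Server $DomainController

    [pscustomobject]@{
        DomainController = $DomainController
        SchemaRangeUpper = $schema.rangeUpper
        OrgObjectVersion = $org.objectVersion
    }
}

# Ask every DC rather than only the schema master, so replication lag is visible here
# instead of surfacing as a failed install on the next Exchange server.
$results = Get-ADDomainController -Filter * |
           ForEach-Object { Get-ExchangeSchemaState -DomainController $_.HostName }
$results | Format-Table -AutoSize

$distinct = @($results.SchemaRangeUpper | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning "rangeUpper differs between domain controllers ($($distinct -join ', ')); wait for replication or force it."
}
if ($expectedRangeUpper -ne 0 -and ($results | Where-Object SchemaRangeUpper -ne $expectedRangeUpper)) {
    Write-Warning "At least one DC does not report rangeUpper = $expectedRangeUpper; /PrepareSchema may not have completed."
}
```

Run it from a PowerShell session on a domain-joined machine with RSAT after /PrepareSchema has finished. A single, consistent rangeUpper across all domain controllers is the state you want before installing the update on further servers.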

September 2021 Exchange Server Security Updates

Cyberattacks on on-premises Exchange servers continue to increase even after Microsoft has released patches for three major ‘proxy’ (authentication bypass) flaws. The attacks are now more sophisticated, and thus, it’s critical to keep your on-premises Exchange Servers updated.

However, updating servers requires a lot of time and resources, and it is a continuous process. So even if you have already applied the July 2021 updates to your Exchange servers, installing the September 2021 updates is critical to prevent HAFNIUM-level attacks.

The process of updating Exchange Servers remains the same. Before installing the updates as discussed in this blog, you must run the health checker script and Exchange On-Premises Mitigation Tool (EOMT).

Most importantly, Microsoft has also released a new Exchange Emergency Mitigation (EM) service with the September 2021 quarterly Cumulative Updates (CUs) to help businesses that are slow to patch their servers.

The tool detects vulnerable Exchange Servers and applies temporary mitigations (pre-configured settings) to protect Exchange servers against various known threats. The EM tool is automatically installed with September 2021 or later CU released for Exchange 2016 and 2019 servers with Mailbox role.

After downloading the updates, you can follow the steps below to install the latest security and cumulative updates released by Microsoft.

October 2021 Exchange Server Security Updates

Microsoft released several Security Updates (SUs) for the on-premises Exchange Server to patch critical vulnerabilities. It is recommended that organizations apply the October 2021 Exchange Server Security Updates immediately to protect their Exchange environment.

Microsoft has released October 2021 SUs for the following Exchange Server versions,

Exchange 2010 is no longer supported.

If your Exchange Server is not running on the supported Cumulative Update (CU) version, we recommend you upgrade immediately and apply October 2021 security updates. Follow this guide to upgrade Exchange Server with the latest CU version.

Currently, there are no reports of active exploitation in the wild of the vulnerabilities addressed in October 2021. However, you should update your servers immediately to prevent any malicious attacks.

November 2021 Exchange Server Security Updates

Microsoft has released important Security Updates containing patches to fix 55 critical bugs, including six zero-day vulnerabilities mainly affecting the Exchange Server 2016 and 2019 versions. The updates have been rolled out for the following Exchange Server builds,

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU21 and CU22
  • Exchange Server 2019 CU10 and CU11

If your Exchange Server is running on an older Cumulative Update (CU), it is highly recommended to upgrade the server to the latest builds and then apply the November 2021 Security Updates. You can’t install November 2021 updates on an older, or unsupported Exchange Server build.

Microsoft has confirmed limited, targeted attacks in the wild exploiting CVE-2021-42321—Post-Authentication RCE vulnerability—found in Exchange 2016 and 2019.

Update your servers immediately to patch these vulnerabilities and safeguard your servers.

December 2021 Exchange Server Cumulative Updates

Quarterly Cumulative Updates (CUs) for Microsoft Exchange Server were supposed to be released in December 2021. However, Microsoft informed in a blog post that they will not be releasing any Cumulative Updates scheduled for Exchange Server 2013, 2016, or 2019 in December 2021. Microsoft urged their customers to keep their servers updated to the latest Cumulative and Security Updates to safeguard servers against malicious attacks.

January 2022 Exchange Server Security Updates

Microsoft released the January 2022 security updates for on-premises Exchange Server 2013, 2016, and 2019 on this year’s first Patch Tuesday. The updates patch the following Remote Code Execution (RCE) vulnerabilities reported by Microsoft’s team and their security researcher partners.

There haven’t been any reports of any active exploits in the wild. However, you should immediately install these security updates to patch your Exchange Server and protect your organization.

The updates can be applied to the following on-premises Exchange Server builds, including those in Exchange Hybrid mode.

  • Exchange Server 2013 CU23
  • Exchange Server 2016 CU21 and CU22
  • Exchange Server 2019 CU10 and CU11

If your Exchange Server is running on an earlier CU, update to a supported CU and then install the January 2022 security updates by following the steps discussed below.

Source: TechNet Microsoft

Steps to Install Exchange Server Security Updates

Follow these methods to install security updates on your Exchange server.

Method 1. Use Exchange Update Wizard

Visit the Exchange Update Wizard page and then follow these steps:

  • Choose your current Exchange version from the ‘Your Exchange version’ dropdown list.
  • Choose the current CU installed on your Exchange server from the ‘Current installed CU’ dropdown list.
  • Then select the ‘Required CU’ from the dropdown list and click ‘Tell me the steps’.

Then follow the steps listed to update your Exchange server to the latest Cumulative Updates.

Method 2. Install Latest Microsoft Exchange Server Updates Manually

You may also download the Cumulative Updates for March, April, May, and June mentioned above and install them manually by following the instructions given below.

These update files are in .MSP format. Never install the updates by double-clicking an .MSP file: the installer then runs without elevated privileges and the update can be applied only partially. Follow the instructions below to install Exchange Server security updates.

  • Disable the anti-malware or anti-virus software and then press the Windows + S keys.
  • Type command prompt in the search box. Then right-click on Command Prompt and choose ‘Run as administrator.’
  • Now navigate to the folder path location (using the cd command) where you’ve saved the Cumulative Updates (CUs) or .MSP files. For instance,

cd C:\Users\ravis\Downloads

  • Then enter the following command in Command Prompt window to run and install the Cumulative Updates.

.\Exchange2016-KB5003435-x64-en.msp

TIP: You may also type the entire path of the .MSP file to run the installation.

  • Click ‘Open’ when prompted.
  • After the installation, restart the server and then enable the anti-malware or anti-virus software.

In case of an error or issue during installation, refer to the best practices to upgrade Exchange to the latest Cumulative Update.
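The manual procedure above can be made less error-prone by scripting the pre-flight checks it relies on. The script below is an added example, not part of the original article or of Microsoft's update package: it refuses to run unless the session is elevated, checks that the .MSP carries a valid Microsoft Authenticode signature, records the Exchange build before and after, and applies the patch through msiexec with a verbose log. It assumes the .MSP path (built from the file name the article shows) and log location are yours to adjust, that the standard Windows Installer patch syntax (msiexec /update) applies to Exchange .MSP files exactly as running the file directly does, and that it runs on the Exchange server itself, where the ExchangeInstallPath environment variable points at the installation.

```powershell
# Added example (not from the original article or the update package).
# Pre-flight checks plus an elevated, logged install of an Exchange .MSP security update.
# Assumptions: paths are examples; msiexec /update is used in place of running the .msp
# directly; runs on the Exchange server so $env:ExchangeInstallPath is set.

$msp    = 'C:\Users\ravis\Downloads\Exchange2016-KB5003435-x64-en.msp'   # file name from the article
$msiLog = Join-Path $env:TEMP ('ExchangeSU-{0:yyyyMMdd-HHmm}.log' -f (Get-Date))

# 1. The session must be elevated; an unelevated install is the partial-update failure
#    mode the article warns about when the .msp is double-clicked.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Open the console with "Run as administrator" and re-run this script.'
}

# 2. Only install a package whose signature is valid and issued to Microsoft.
if (-not (Test-Path $msp)) { throw "Update file not found: $msp" }
$sig = Get-AuthenticodeSignature -FilePath $msp
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Signature check failed for $msp (status: $($sig.Status)); not installing."
}

# 3. Record the exact build before the change. ExSetup.exe carries the build number
#    that Microsoft's Exchange build table lists for each CU/SU.
function Get-ExchangeBuild {
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    (Get-Item $exsetup).VersionInfo.ProductVersion
}
$before = Get-ExchangeBuild
Write-Host "Exchange build before update: $before"

# 4. Apply the patch through msiexec with a verbose log so a failure can be diagnosed
#    from the log instead of guessed at. /norestart leaves the reboot to the admin.
$proc = Start-Process -FilePath 'msiexec.exe' `
        -ArgumentList "/update `"$msp`" /norestart /l*v `"$msiLog`"" `
        -Wait -PassThru
Write-Host "msiexec exit code: $($proc.ExitCode) (0 = success, 3010 = reboot required). Log: $msiLog"

# 5. Read the build again and compare with the expected number from Microsoft's build table.
$after = Get-ExchangeBuild
Write-Host "Exchange build after update:  $after"
if ($after -eq $before) {
    Write-Warning 'Build number did not change; inspect the msiexec log before restarting.'
}
```

Run it from a PowerShell console opened with “Run as administrator” on the Exchange server. Restart the server afterwards as the article instructs, and re-enable the anti-malware software you disabled for the installation.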

NOTE: To continue receiving Cumulative and Security Updates, you should always keep your Exchange environment to the currently supported version.

Conclusion

Although Microsoft regularly releases Cumulative and Security Updates to patch Exchange Server vulnerabilities, the patches do not always arrive before attackers strike. In March 2021, more than 30,000 Exchange servers were compromised before Microsoft released the updates to patch the ProxyLogon vulnerability.

Thus, as an administrator, it’s your job to keep the servers safe from such malicious attacks. The best defense is to enable automatic updates. However, if the server has crashed due to such malicious attacks, you can use Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from the inaccessible databases.


About The Author

Ravi Singh

Ravi Singh is a Senior Writer at Stellar®. He is an expert Tech Explainer, IoT enthusiast, and a passionate nerd with over 5 years’ experience in technical writing. He writes about Data Recovery, File Repair, Email Migration, Linux, Windows, Mac, and DIY Tech. Ravi spends most of his weekends working with IoT devices and playing games on the Xbox. He is also a solo traveler who loves hiking and exploring new trails. 
