Exploitation of Exchange Server Vulnerability – Notes from the Field P1

Note: this post may get updated; please keep checking back. Last update: 3/7/2021

Microsoft, on the very same day as its global event “Ignite 2021”, made headlines with an out-of-band patch release for a set of zero-day vulnerabilities. The security update fixed multiple critical Exchange Server vulnerabilities. At the time of the initial disclosure it was not known how long the vulnerabilities had been exploited in the wild. However, MSTIC (the Microsoft Security and Threat Intelligence Center) reported that the campaign was largely carried out by a state-sponsored group known as “Hafnium”.

Microsoft made the announcement very clear to its partners and customers: patch all your on-premises Exchange servers as soon as possible. The vulnerabilities were identified as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. It was also disclosed that Exchange Server versions 2010, 2013, 2016 and 2019 were affected.

However, there was a caveat behind the updates: you can only patch your servers if you are running “a supported version of Exchange Server”. So what does that mean? Microsoft's product lifecycle clearly states, specifically for Exchange Server, that the current version (n) and the immediately previous version (n-1) are the only supported versions unless stated otherwise. For customers who keep a habit of updating their servers regularly, this is not much of a problem. But if you are dealing with an environment that is not on a supported version, and worse, has not been updated since Exchange was first installed, it is going to be some tough nights for you and your IT team.

The vulnerabilities target your internet-facing Client Access Servers. However, Microsoft highly recommends that you install the updates on all of your Exchange Servers immediately, whether they are:

  • Internet facing
  • Non-internet facing
  • Hybrid servers
  • Behind a proxy or WAF solution

PATCH YOUR SERVERS!!!

In my walkthrough of how to install these updates I will cover two scenarios. For your ease, here are the highlights.

  • Exchange Updated with the latest public build
  • Exchange Not-updated with the latest supported build

If you are not quite sure which category you belong to, use the table below to identify whether you have the latest build.

For each version: the Exchange PowerShell command to check the build, the supported build number, and the build to download if you are below it.

Exchange Server 2010
    Command:          Get-Command ExSetup | ForEach {$_.FileVersionInfo}
    Supported build:  14.3.123.4 and above
    Download:         Exchange Server 2010 SP3

Exchange Server 2013
    Command:          Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
    Supported build:  15.0.1497.2 and above
    Download:         Exchange Server 2013 CU23

Exchange Server 2016
    Command:          Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
    Supported build:  15.1.2106.2 and above
    Download:         Exchange Server 2016 CU19

Exchange Server 2019
    Command:          Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
    Supported build:  15.2.792.3 and above
    Download:         Exchange Server 2019 CU8
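Checking one server at a time with the commands above gets tedious in a larger org. The script below is an added example, not code from the original post: it runs Get-ExchangeServer once, parses each server's AdminDisplayVersion, and classifies the server against the minimum supported builds from the table. It assumes it is run from the Exchange Management Shell (or a session where Get-ExchangeServer has been imported); the build thresholds are the ones listed above.

```powershell
# Added example, not from the original post: audit every Exchange server in the
# org against the minimum supported builds from the table above.
# Assumption: run from the Exchange Management Shell (or a session where
# Get-ExchangeServer has been imported).

# Minimum supported build per version family, as listed in the post.
$MinimumBuild = @{
    '15.2' = [version]'15.2.792.3'    # Exchange Server 2019 CU8
    '15.1' = [version]'15.1.2106.2'   # Exchange Server 2016 CU19
    '15.0' = [version]'15.0.1497.2'   # Exchange Server 2013 CU23
    '14.3' = [version]'14.3.123.4'    # Exchange Server 2010 SP3 (see note below)
}

function Get-ExchangeBuildStatus {
    foreach ($server in Get-ExchangeServer) {
        # AdminDisplayVersion renders as "Version 15.1 (Build 2106.2)". Parsing the
        # text form works the same in a local shell and over remote PowerShell.
        $text = [string]$server.AdminDisplayVersion
        if ($text -notmatch '^Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)$') {
            [pscustomobject]@{ Name = $server.Name; Build = $text; MinimumBuild = $null; Status = 'Could not parse version' }
            continue
        }
        $family = '{0}.{1}' -f $Matches[1], $Matches[2]
        $build  = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
        $min    = $MinimumBuild[$family]

        $status = if (-not $min) {
            'Unknown version family'
        } elseif ($family -eq '14.3') {
            # AdminDisplayVersion does not reflect the 2010 rollup level; use the
            # post's "Get-Command ExSetup" check on that server instead.
            'Exchange 2010: verify rollup with Get-Command ExSetup'
        } elseif ($build -ge $min) {
            'Supported build: apply the security update'
        } else {
            'Below supported build: install the CU first'
        }

        [pscustomobject]@{
            Name         = $server.Name
            Build        = $build
            MinimumBuild = $min
            Status       = $status
        }
    }
}

Get-ExchangeBuildStatus | Sort-Object Status, Name | Format-Table -AutoSize
```

Servers reported as "Below supported build" follow the second scenario in this post (install the CU first); the rest can go straight to the security update.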

Exchange Updated with the latest public build

You are on a supported build number, which means things will be easy for you. Let’s go through the steps one by one. Thankfully Microsoft released a single patch that addresses all four vulnerabilities, which means fewer installations and reboots.

When the security experts are emphasizing this, it is for your own good: call your teams and get this done right away, with some serious convincing of your management if they are reluctant. After all, explaining why you are taking a few hours of downtime is far better than explaining why your company data is out on the dark web.

  1. Pre-requisites. Make sure you do these.
    1. Backup your Exchange Servers.
  2. Download the correct patch file based on your Exchange Server version:

     Exchange Server Version               Security update (KB)
     Exchange Server 2010 (SP 3 or above)  KB5000978
     Exchange Server 2013 CU 23            KB5000871
     Exchange Server 2016 CU 18            KB5000871
     Exchange Server 2016 CU 19            KB5000871
     Exchange Server 2019 CU 7             KB5000871
     Exchange Server 2019 CU 8             KB5000871

  3. Open up a command prompt as Administrator.
  4. Navigate to the path where you downloaded the patches.
  5. Type in the name of the .msp file, and then press Enter.
  6. If any pre-requisites are missing, the installer will notify you.
  7. Once the installation is completed, you may be asked to restart the server. Even if you are not prompted, it is still better to restart the server.
  8. Repeat the above steps for all your remaining Exchange Servers.
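The steps above can be wrapped in a small function so that each server is patched the same way and the result is recorded. This is an added example, not code from the original post. It checks that the session is elevated (the .msp must be run from an Administrator prompt, as step 3 says), hands the .msp to msiexec so that the exit code and a log file are captured, and then shows the ExSetup file version using the post's own check command. The .msp path in the example call is a placeholder; use the file downloaded for your build.

```powershell
# Added example, not from the original post: install the Exchange security
# update .msp from an elevated session and report the msiexec result.

function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)] [string]$MspPath,
        [string]$LogPath = "$env:TEMP\ExchangeSU-install.log"
    )

    # Step 3 of the post: the .msp must be run from an elevated prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $MspPath)) {
        throw "Update file not found: $MspPath"
    }

    # Typing the .msp name at the prompt (as the post describes) hands it to
    # msiexec; calling msiexec directly lets us capture the exit code and a log.
    $msiArgs = @('/update', "`"$MspPath`"", '/passive', '/norestart', '/log', "`"$LogPath`"")
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

    # Standard msiexec exit codes: 0 = success, 3010 = restart required,
    # 1641 = installer started a restart. Anything else is a failure.
    switch ($proc.ExitCode) {
        0       { Write-Host 'Installed successfully; restart the server anyway (step 7).' }
        3010    { Write-Host 'Installed; a restart is required to finish.' }
        1641    { Write-Host 'Installed; msiexec initiated a restart.' }
        default { throw "msiexec exited with code $($proc.ExitCode); see $LogPath" }
    }

    # Post-install check using the post's own command: the ExSetup.exe file
    # version is what a security update bumps (AdminDisplayVersion stays at the CU build).
    $exsetup = Get-Command ExSetup -ErrorAction SilentlyContinue
    if ($exsetup) {
        Write-Host "ExSetup file version now: $($exsetup.FileVersionInfo.ProductVersion)"
    }
    return $proc.ExitCode
}

# Example call; the path is a placeholder for the .msp you downloaded for your build.
Install-ExchangeSecurityUpdate -MspPath 'C:\Patches\Exchange2016-KB5000871-x64-en.msp'
```

Keep the log file from each server; if an installation returns a non-zero code other than 3010 or 1641, the log is the first thing to look at before retrying.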

Exchange Not-updated with the latest public build

There are a few additional steps you will have to carry out if your Exchange Server is not on the supported list highlighted above. The very first thing you need to do is bring the server up to the latest supported build.

Update servers to the latest build

  1. Pre-requisites. Make sure you do these.
    1. Backup your Exchange Servers.
    2. Backup your customized themes, logos etc. (Customize the Outlook on the web sign-in, language selection, and error pages in Exchange Server | Microsoft Docs)
  2. The latest Exchange CUs may require the latest .NET version. Verify your current .NET version (how to find my .NET version?) against the supported .NET versions in the supportability matrix linked below; if it is not a supported version, download the latest supported .NET Framework and install it before proceeding.

     More details – Exchange Server supportability matrix | Microsoft Docs

  3. Once you’re done, my personal advice is to compile the .NET native images before the CU update. I have seen multiple times that skipping this makes the installation run for several hours, and doing it drastically reduced the installation time. To do that:
    1. Open up a command prompt and run it as Administrator.
    2. Navigate to “C:\Windows\Microsoft.NET\Framework\v4.0.30319\”
    3. Run “ngen.exe update” (without quotes)

     Note: this will run for a while and will print various output on the command prompt; don’t worry, you can ignore it all.

  4. Once the compile has run, exit the command prompt.
  5. Download the correct update binaries based on your Exchange Server version:

     Exchange Server Version               Update (KB)
     Exchange Server 2010 (SP 3 or above)  KB5000978
     Exchange Server 2013 CU 23            KB5000871
     Exchange Server 2016 CU 18            KB5000871
     Exchange Server 2016 CU 19            KB5000871
     Exchange Server 2019 CU 7             KB5000871
     Exchange Server 2019 CU 8             KB5000871

  6. Run the setup and extract it to a location on your computer.
  7. Open up a command prompt as Administrator.
  8. Navigate to the path where you downloaded and extracted the update files.
  9. Prepare your Active Directory:
    1. Run “E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema” to extend the Active Directory schema.
    2. Run “E:\Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD” to prepare Active Directory.
  10. Run “SETUP.EXE” to start the Exchange CU update.
  11. Go through the Exchange Update Wizard.
  12. Once your installation is completed, restart the server.
  13. Repeat the above steps for all your remaining Exchange Servers.
  14. Once you have finished updating all your servers to the latest supported Exchange Server build, continue with the steps in “Exchange Updated with the latest public build”.
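Steps 2 to 4 above (check the .NET Framework version, then run ngen) can be automated so they are done consistently on every server before the CU setup starts. The script below is an added example, not code from the original post. It reads the installed .NET Framework 4.x "Release" value from the registry, which is Microsoft's documented way of determining the installed version, and runs "ngen.exe update" for both the 64-bit and 32-bit framework directories. The required minimum version of 4.8 is an assumption: confirm what your target CU needs in the supportability matrix and adjust $RequiredVersion accordingly.

```powershell
# Added example, not from the original post: pre-flight for the CU path.
# Reads the installed .NET Framework 4.x "Release" value from the registry
# and refreshes native images with ngen for both framework directories.
# Assumption: the required minimum is 4.8; confirm the version your target CU
# needs in the supportability matrix and change $RequiredVersion if needed.

function Get-DotNetFrameworkVersion {
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $key -Name Release -ErrorAction Stop).Release

    # Minimum Release values for each 4.x version, from Microsoft's
    # "How to determine which .NET Framework versions are installed".
    # Highest threshold first; the first one the installed value meets wins.
    $thresholds = @(
        @{ Release = 528040; Version = '4.8'   }
        @{ Release = 461808; Version = '4.7.2' }
        @{ Release = 461308; Version = '4.7.1' }
        @{ Release = 460798; Version = '4.7'   }
        @{ Release = 394802; Version = '4.6.2' }
    )
    $hit = $thresholds | Where-Object { $release -ge $_.Release } | Select-Object -First 1
    [pscustomobject]@{
        Release = $release
        Version = if ($hit) { [version]$hit.Version } else { [version]'4.0' }  # below 4.6.2
    }
}

function Test-DotNetMinimum {
    param([version]$RequiredVersion = '4.8')   # assumed minimum, see lead-in
    $net = Get-DotNetFrameworkVersion
    Write-Host "Installed .NET Framework: $($net.Version) (Release $($net.Release)); required: $RequiredVersion"
    return ($net.Version -ge $RequiredVersion)
}

function Invoke-NgenUpdate {
    # Exchange is a 64-bit application, so the Framework64 image set matters
    # most; the post's step points at the 32-bit path, so both are refreshed.
    foreach ($dir in 'Framework64', 'Framework') {
        $ngen = Join-Path $env:windir "Microsoft.NET\$dir\v4.0.30319\ngen.exe"
        if (-not (Test-Path $ngen)) { continue }
        Write-Host "Running '$ngen update' (this takes a while; its output can be ignored)"
        # "ngen.exe update" regenerates any native images that are out of date.
        & $ngen update | Out-Null
    }
}

if (-not (Test-DotNetMinimum)) {
    throw 'Install the supported .NET Framework before running the CU setup.'
}
Invoke-NgenUpdate
Write-Host 'Pre-flight done; continue with the CU download and setup steps.'
```

Run it from an elevated PowerShell session on each server just before the CU setup, so the .NET check and the ngen pass happen on the build that setup will actually run against.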

Keep us posted on any errors you come across. Happy updating fellas!!


3 Comments

  1. Hi there, under ‘Exchange Not-updated with the latest public build’ you have step 5 as ‘Download the update binaries…’. Should this step not be something like ‘Mount the Exchange CU install ISO to E: drive’? And then the following steps are to update Exchange. Only after that has been done (and the server restarted) should the update binaries be installed, which you already have referenced in the ‘Exchange Updated with the latest public build’ section.


    1. Hi Dave, what I actually meant by ‘update binaries’ was the Exchange CU installer. The CUs will be in MSP format and you’ll need to extract them to any given location, from where you will then be installing.
       Once the CUs are installed and your Exchange build is updated, you run the ‘Exchange Updated with the latest public build’ steps. Sorry for the confusion over binaries and the CU installer.

