Exchange “Zero Day” Critical Security Patch

At the beginning of the month, Microsoft identified zero-day vulnerabilities in on-premise Exchange Servers, which are being exploited by a nation-state affiliated group.

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

On-premises Exchange Servers 2010, 2013, 2016, and 2019 are affected, not Exchange Online.

An Exchange “Zero Day” Critical Security Patch has been released and many organisations have now applied it. For those that haven’t, Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you have. The first priority should be servers which are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).

Below are listed steps and resources from Microsoft to help you protect your on-premise Exchange environment. However, if you would like our help, especially if your Exchange servers haven’t been kept up-to-date which can make patching more difficult, please get in touch asap.

Steps to patch your Microsoft Exchange Servers

1. Move to the latest Exchange Cumulative Updates
2. You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release).
3. Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
4. We also recommend that your security team assess whether or not the vulnerabilities were being exploited by using the Indicators of Compromise we shared here.

Cumulative Update Installation (Best Practice)

1. Reboot the server before upgrade.
2. Test Upgrade on non production (if available).
3. Have a tested & working backup of both AD and Exchange.
4. Use an elevated command prompt to run the Cumulative Update.
5. Temporarily disable any anti-virus software during the update process.
6. Download the EXE or ISO (see links from the first section)
7. Run the setup.exe (run as administrator double click or from CMD)
   • Select either check for updates. / don’t check for updates subject to your requirement.
   • Select Upgrade, Agree to the license terms, complete the readiness checks.
   • Install.
8. Reboot the server post upgrade.
9. Verify the upgrade:
   • “Get-ExchangeServer” 
   • “Get-ExchangeServer -Identity Mailbox01 | Format-List”
   • Review setup log on C:
   • Control Panel, Programs and Features, Look under Installed Updates and check the update is installed.

Exchange patch information

• March 2, 2021 Security Update Release – Release Notes – Security Update Guide – Microsoft
• CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
• CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)

The importance of installing those updates!

Although hundreds of millions of Exchange mailboxes now run in Exchange Online, a substantial number remain on-premises. Many large organisations run hybrid deployments and keep some mailboxes on-premises.

When vulnerabilities like the one above are identified, it can be tricky to apply patches when servers have not been kept up-to-date. As a result you may have to get support from an external party to ensure your environment is secure. So when an update becomes available, install it.

You could also ask your IT service provider to support your Exchange environment. They will do this job for you, ensuring you’re always up-to-date.

It may also be the time to consider whether you should be running on-premise Exchange servers. Moving to the cloud and Exchange Online will reduce the risk of these kinds of attacks.

3 reasons to move email to the cloud

• The increasing sophistication of attack. This vulnerability now has a patch, but don’t expect attackers to
• Multifactor authentication. Moving email workloads to the cloud supports better user-level defence through multifactor authentication and use of conditional access policies.
• More functionality with Exchange Online. On-premises Exchange is not a big focus for Microsoft any longer. Instead Exchange Online gets all the attention. It’s part of the full Microsoft 365 experience, integrating with Teams, OneDrive, SharePoint, Planner etc. with more features and delivering a collaborative modern workplace experience.

If you would like to discuss migrating to Exchange Online, please get in touch. You may also like to read our case study on how we migrated 22,000 mailboxes for Solent University, click here >