Exchange 2010 – 2019 Security Updates

In der heutigen „Guten Morgen Lektüre“ begrüßten mich die Exchange Security Updates zuerst im MCSEBoard in diesem Thread (Exchange Security Fixes – MS Exchange Forum – MCSEboard.de) und meine RSS Feeds meldeten glatt den identischen Blog Eintrag vom Exchange Team.

Es wurden insgesamt vier Security Updates für die Exchange Server Versionen von 2010 bis 2019 veröffentlicht:

• Exchange Server 2010 (for Service Pack 3 – this is a Defense in Depth update)
• Exchange Server 2013 (CU 23)
• Exchange Server 2016 (CU 19, CU 18)
• Exchange Server 2019 (CU 8, CU 7)

Im Exchange Team Blog findet sich auch gleich 2x der Hinweis, doch bitte „immidietly“ zu patchen:

Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.

…

The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?

We are still on schedule to release Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 in March 2021 and those CUs will contain the Security Updates mentioned here (along with other fixes). Our strong recommendation is to install security updates immediately.

Released: March 2021 Exchange Server Security Updates – Microsoft Tech Community

Weitere Technische Details und Hinweise findet man auf folgender Microsoft Seite: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

Technical details

Microsoft is providing the following details to help our customers understand the techniques used by HAFNIUM to exploit these vulnerabilities and enable more effective defense against any future attacks against unpatched systems.

CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

Microsoft hat den Blog Artikel (HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security) aktualisiert und ein PowerShell Script auf Github bereitgestellt, um die „HAFNIUM IOCs“ zu checken: https://github.com/microsoft/CSS-Exchange/tree/main/Security

Update [03/04/2020]: The Exchange Server team released a script for checking HAFNIUM indicators of compromise (IOCs). See Scan Exchange log files for indicators of compromise.

…

Scan Exchange log files for indicators of compromise

The Exchange Server team has created a script to run a check for HAFNIUM IOCs to address performance and memory concerns. That script is available here: https://github.com/microsoft/CSS-Exchange/tree/main/Security.

HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

Hier findet sich noch eine „Out of Band Key Info“ von Microsoft: https://aka.ms/ExOOB

Gestern (am 08.03.2021) hat Microsoft auf dem Exchange Team Blog angekündigt, dass auch Updates für ältere, unsupportete Versionen von Exchange Server 2019 und 2016 bereitgestellt werden: March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server – Microsoft Tech Community

Neben den Fixes für Exchange Server 2019 CU8 / 7, Exchange Server 2016 CU19 / 18 und Exchange Server 2013 CU23 werden nun auch die folgenden CUs versorft:

Version Updated on 3/8/21 PST
Download Security Update For Exchange Server 2016 Cumulative Update 14 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 15 (KB5000871)
Download Security Update For Exchange Server 2016 Cumulative Update 16 (KB5000871)
Download Security Update For Exchange Server 2019 Cumulative Update 4 (KB5000871)
Download Security Update For Exchange Server 2019 Cumulative Update 5 (KB5000871)
Download Security Update For Exchange Server 2019 Cumulative Update 6 (KB5000871)

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

Zusätzlich wurde gestern Nacht noch ein weiteres PowerShell Script (CompareExchangeHashes.ps1) auf GitHub (CSS-Exchange/Security at main · microsoft/CSS-Exchange · GitHub) veröffentlicht, um die Hashes in den virtuellen Verzeichnissen der Exchange Installation zu überprüfen.