[German]Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, effective October 11, 2022. These updates are intended to address vulnerabilities reported by external security partners or found by Microsoft. However, the 0-day vulnerabilities (ProxyNotShell) that have been known since late September 2022 will not be fixed.
Advertising
Microsoft has published the Techcommunity post Released: October 2022 Exchange Server Security Updates with a description of the security updates.
Security updates are available for the following Exchange Server CU versions.
Microsoft does not mention in the Techcommunity post which vulnerabilities are closed. However, German blog reader Olli cites several CVEs from August 2022 CUs in this comment. This has also been noted in the user comments on the Exchange team's Techcommunity post. The following CVEs, which were already addressed in the August 2022 update, are included (there seems to have been a re-release).
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-21979)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-21980)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24516)
- Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2022-24477)
- Microsoft Exchange Information Disclosure Vulnerability (CVE-2022-30134)
As mentioned at the beginning, the 0-day vulnerabilities (ProxyNotShell) that have been known since the end of September 2022 are not eliminated, howeverNote that the Exchange servers are updated to the current CU before the October 2022 updates are installed (see the graphic above and the note from Microsoft). Microsoft's HealthChecker PowerShell script can be used to check.
Advertising
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.
Enable Windows Extended Protection
In an addendum, Microsoft notes that to fix some vulnerabilities closed in August/October 2022, administrators must enable (Windows Extended protection) on their Exchange servers (in IIS). Microsoft provides a script to enable this feature (the latest version can be found here). Before activating Extended Protection (EP) on production systems, you should check if the requirements are met. The activation of Extended Protection (EP) is only supported by certain Exchange versions. Problem will also become the numerous "Known Issues" that are mentioned in the prerequisites.
Similar articles:
Exchange Server Security updates (August 9, 2022)
Exchange Update errors and information (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server 2013: Microsoft's tips on decommissioning the systems
Update for Exchange Extended Protection script, but still error
Tip: Exchange Health Checker – Script extensions by Frank Zöchling
Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates it's mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsofts improves solutions for 0-day mitigation again (October 8, 2022)
Exchange Server: New 0-day (not NotProxyShell, CVE-2022-41040, CVE-2022-41082)
