[German]Microsoft has released security updates for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019 as of January 10, 2023. These security updates close two vulnerabilities (Elevation of Privilege and Spoofing) in this software. These updates should be installed on systems in a timely manner to close the vulnerabilities in question.
Advertising
Microsoft has published the Techcommunity post Released: January 2023 Exchange Server Security Updates with a description of the security updates.
Security updates are available for the following Exchange Server CU versions (links from Microsoft, some of which have downloads from August 2022 – but the KB articles are properly linked in the details).
- Exchange Server 2013 CU23, KB5022188 (support ends in April 2023)
- Exchange Server 2016 CU23, KB5022143
- Exchange Server 2019 CU11, CU12, KB5022193
Microsoft writes in the Techcommunity post that the January 2023 security updates fix vulnerabilities reported to Microsoft by security partners and found through Microsoft's internal processes. Details are not disclosed, I had posted the following details about the vulnerabilities in the blog post Microsoft Security Update Summary (January 10, 2023).
- CVE-2023-21763 und CVE-2023-2176: Microsoft Exchange Server Elevation of Privilege Vulnerabilities; Important, CVSSv3 Score7.8; Could grant SYSTEM privileges to an authenticated attacker. Microsoft has rated these vulnerabilities as "exploitation less likely" but has not provided an explanation.
- CVE-2023-21745 und CVE-2023-21762: Microsoft Exchange Server Spoofing Vulnerabilities, Important, CVSSv3 Score 8.0; CVE-2023-21745 can be exploited either over the local network or over the Internet – and has been rated Exploitation More Likely. CVE-2023-21762, on the other hand, is limited to a shared physical or local network or an "otherwise restricted administrative domain." Successful exploitation could lead to disclosure of New Technology LAN Manager (NTLM) hashes and NTLM relay attacks.
Microsoft writes that while there are no known active exploits in the wild, they recommend installing these updates immediately to protect Exchange installations.
Advertising
Note Microsoft's update installation instructions (so older CUs are dropped). It is recommended to enable Certificate Signing for PowerShell Serialization after installing the January 2023 security update. In addition, the Health Checker should be run to see if further action is required.
The patches cause a bug: once the update is installed on an Exchange Server 2016 or 2019, web page previews for URLs shared in OWA will not render correctly. Microsoft plans to fix this bug in a future update.
These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.
Similar articles:
Exchange Servers are attacked via 0-day exploit (Sept. 29, 2022)
Microsoft's recommendations for Exchange Server 0-day vulnerability ZDI-CAN-18333
Update on Exchange Server 0-day Vulnerability ZDI-CAN-18333: Fixes, Scripts and EMS Solution
Exchange Server: Microsoft updates it's mitigation for the 0-day ProxyNotShell vulnerability (October 5, 2022)
Exchange Server: Microsofts improves solutions for 0-day mitigation again (October 8, 2022)
Exchange Server security updates (November 8, 2022)
Ransomware attack responsible for Rackspace Exchange instance outage in Dec. 2022
Microsoft Exchange: New OWASSRF exploit method (ProxyNotShell) used by play ransomware
Is an Exchange ProxyNotShell disaster looming at the corner?
