Numerous on-premises Microsoft Exchange servers operating around the world are insecure because they are not up to date with the latest patches. This exposes the systems to attack, and operating unpatched Exchange servers is a critical risk. In a Jan. 26 Techcommunity article, the Microsoft Exchange team addresses this issue and urges administrators to patch their systems immediately so that the latest January 2023 security update is installed.
Unpatched Exchange servers as a risk
Attackers are constantly scanning the Internet looking for unpatched Exchange servers in on-premises environments. Globally, there are too many unpatched on-premises Exchange environments that are valuable to malicious actors looking to exfiltrate data or commit other malicious acts.
- The mailboxes of users of hacked Exchange instances often contain important and sensitive data.
- Each Exchange server contains a copy of the corporate address book with a lot of information that is useful for social engineering attacks.
- In addition, Exchange is deeply linked to Active Directory and holds extensive permissions within it. In a hybrid environment, that includes access to the connected cloud environment.
Administrators must therefore protect their Exchange servers from attacks that exploit known vulnerabilities. To do this, the latest CUs as well as the latest security updates must be installed.
Microsoft suggests patching
Microsoft's Exchange team published a Techcommunity article, Protect Your Exchange Servers, on this topic on January 26, 2023. I became aware of it via the tweet and this article from colleagues at Bleeping Computer.
A current system must have the latest CUs installed to close known vulnerabilities. Currently, these are CU12 for Exchange Server 2019 (April 2022), CU23 for Exchange Server 2016 (April 2022) and CU23 for Exchange Server 2013 (March 2021). In addition, the latest security update for the supported Exchange Servers must be installed. The most recent security updates for supported Exchange Servers were released on January 10, 2023 (see Exchange Server Security Updates (January 10, 2023)).
Exchange Server CUs and SUs are cumulative, so only the latest available CU needs to be installed. First, install the latest CU on the servers in question. Then check to see if any additional SUs were released after the CU was released. If this is the case, the latest security update (SU) must be installed.
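The CU-first, SU-second order described above can be applied to a server inventory as follows. This is an added example, not code from Microsoft or the original article; the inventory records and their field names are constructed assumptions, and the baseline values are the ones stated in this article.

```python
from datetime import date

# Baseline as stated in the article: latest CU per product with the CU's
# release month, plus the date of the most recent SU.
BASELINE = {
    "2019": {"cu": 12, "cu_released": date(2022, 4, 1)},
    "2016": {"cu": 23, "cu_released": date(2022, 4, 1)},
    "2013": {"cu": 23, "cu_released": date(2021, 3, 1)},
}
LATEST_SU = date(2023, 1, 10)

# Constructed inventory; server names and field names are assumptions.
INVENTORY = [
    {"name": "EX19-A", "product": "2019", "cu": 12, "su": date(2023, 1, 10)},
    {"name": "EX19-B", "product": "2019", "cu": 11, "su": date(2023, 1, 10)},
    {"name": "EX16-A", "product": "2016", "cu": 23, "su": date(2022, 11, 8)},
    {"name": "EX13-A", "product": "2013", "cu": 23, "su": None},
    {"name": "EX10-A", "product": "2010", "cu": 3, "su": None},
]

def plan_updates(server):
    """Return the ordered update steps for one inventory record."""
    base = BASELINE.get(server["product"])
    if base is None:
        return ["manual review: product has no baseline in the article"]
    steps = []
    needs_cu = server["cu"] < base["cu"]
    if needs_cu:
        steps.append(f"install CU{base['cu']}")
    # The SU check comes after the CU step. An SU recorded on an older CU is
    # not counted once the CU changes (assumption: SUs apply on top of a CU).
    su_after_cu = LATEST_SU > base["cu_released"]
    su_missing = needs_cu or server["su"] is None or server["su"] < LATEST_SU
    if su_after_cu and su_missing:
        steps.append(f"install SU of {LATEST_SU.isoformat()}")
    if steps:
        # Microsoft recommends Health Checker after every update.
        steps.append("run Health Checker")
    return steps

def report(inventory=INVENTORY):
    """Map each server name to its ordered list of update steps."""
    return {s["name"]: plan_updates(s) for s in inventory}

if __name__ == "__main__":
    for name, steps in report().items():
        print(f"{name}: {' -> '.join(steps) or 'up to date'}")
```

A server that already carries the January 2023 SU but sits on an older CU (EX19-B in the sample data) still gets both steps, which is the case a date-only check would miss.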
It happens time and again that vulnerabilities become known before a security update (SU) has been released. To mitigate known vulnerabilities before an SU is released, either the Exchange Emergency Mitigation Service can be used (it applies the mitigation automatically), or the administrator can apply the Exchange On-Premises Mitigation Tool on the affected on-premises server.
These measures provide temporary protection until the security update (SU) is available and can be installed. In some cases, the mitigation measures may not be sufficient to protect against all variants of an attack. Indeed, such cases have been more frequent in recent years, where Microsoft has had to rework the mitigation methods for known vulnerabilities several times. Therefore, the installation of a suitable SU (according to availability) is the only way to protect Exchange Server.
After installing an update, there may be manual tasks that an administrator must perform, Microsoft writes. Redmond recommends always running Health Checker after installing an update. It checks whether such tasks are pending and provides links to articles with step-by-step instructions for performing them. In the Techcommunity article, Microsoft takes the view that updating Exchange servers is quite simple (administrators are more likely to have had different experiences) and offers the following advice:
- Always read our blog posts that list known issues and recommended or required manual actions. For CUs, always follow Microsoft's guidance and best practices, and for SUs, use the Security Update Guide to find relevant information.
- Be sure to read our FAQ on updates in the article Why Exchange Server Updates Matter.
- Use the Exchange Server Health Checker to inventory your servers and determine which Exchange servers need updates (CUs or SUs) and whether manual action needs to be taken.
- Once you know which updates are required, use the Exchange Update Step-by-Step Guide (also known as the Exchange Update Wizard) to select the currently running CU and the target CU and get instructions for updating your environment.
- If errors occur during the update installation, the SetupAssist script can help troubleshoot them. And if something doesn't work properly after the update, take a look at the Update Troubleshooting Guide, which covers the most common problems and how to fix them.
- Ensure that you install all required updates for Windows Server and other software that may be running on your Exchange servers.
- Ensure that you install all required updates for dependent servers, including Active Directory, DNS, and other servers used by Exchange.
So according to Microsoft everything is quite simple. An administrator once said: "Trembling after the Exchange update is trembling before the next security update".
Exchange Server Security Updates (January 10, 2023)
Microsoft Exchange January 2023 patchday issues
Exchange issues with ECP/OWA search after installing security update (March 2021)
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Microsoft advises end of support for Exchange Server 2013 on April 11, 2023
Microsoft Exchange survey to improve the update process (auto update)
Exchange 2019: Does the January 2023 SU with CU 12 trigger the index problem again?