Exchange Server Security Updates (August 8, 2023)

Exchange Logo[German]Microsoft has released security updates for Exchange Server 2016 and Exchange Server 2019 as of August 8. These security updates close vulnerabilities in this software. The updates are intended to be installed on systems in a timely manner to address the vulnerabilities in question.


Advertising

I came across the following tweet from the Exchange team on Twitter regarding the security updates for Exchange Server 2016 and Exchange Server 2019.

Exchange August 2023 Updates

Microsoft has published the Techcommunity post Released: August 2023 Exchange Server Security Updates with a description of the security updates. Security updates are available for the following Exchange Server CU versions.

  • Exchange Server 2016 CU23
  • Exchange Server 2019 CU12 and CU13

SUs are available as self-extracting .exe packages as well as original update packages (.msp files), and can be downloaded from the Microsoft Update Catalog. Microsoft writes in the Techcommunity post that the security updates address vulnerabilities reported to Microsoft by security partners and found through Microsoft's internal processes. No details about the vulnerabilities were provided. In the blog post Microsoft Security Update Summary (August 8 , 2023), I had stated the following in this regard.

  • CVE-2023-38181CVE-2023-38185CVE-2023-35368CVE-2023-38182CVE-2023-35388, Microsoft Exchange Server vulnerabilities; CVEv3 Score 8.0 – 8.8 , important; An authenticated attacker can execute code via a PowerShell remoting session by exploiting these vulnerabilities (classified as low probability). To successfully exploit this vulnerability, the attacker would first need to have LAN access and valid credentials for an Exchange user..
  • CVE-2023-35359CVE-2023-35380CVE-2023-35382CVE-2023-35386CVE-2023-38154, Windows Kernel Elevation of Privilege (EP) vulnerabilities; CVEv3 Score 7.8 , important; A local, authenticated attacker could exploit this vulnerability to gain SYSTEM privileges. Four of the five vulnerabilities are attributed to Google Project Zero researchers. Four vulnerabilities are rated Exploitation More Likely and CVE-2023-38154 is rated Exploitation Unlikely.

Although Microsoft is not aware of any active exploits in the wild, it is recommended that you install these updates immediately as a safeguard. Take note of Microsoft's update installation instructions, and what else to look out for. Here is the list of fixed issues:

DST settings are inaccurate after an OS update

Issues related to the security updates are indicated as follows:


Advertising

Customers impacted by the upcoming Microsoft 365 AES256-CBC encryption change need to perform a manual action to enable new encryption algorithm after August 2023 SU is installed. Please see this KB article. We will remove the requirement for manual action in a future update.

Addendum: But there are first hints that the update installation fails on Exchange servers because services don't start anymore. An admin pointed me on Facebook to his workaround in the form of a PS1 script, which he posted under the alias bloodking in the comments on the Exchange blog (thanks for that). According to Microsoft, the Health Checker should be run after installation to see if any further action is required.

Addenum 2: There is a workaround proposed by Microsoft to overcome the install issues on non english systems – see Workaround for Exchange August 2023 security update install issue.

These vulnerabilities affect Exchange Server. Exchange Online customers are already protected from the vulnerabilities covered in these SUs and do not need to take any action other than updating all Exchange servers in their environment.

Similar articles:
Microsoft Security Update Summary (August 8, 2023)
Patchday: Windows 10 Updates (August 8, 2023)
Patchday: Windows 11/Server 2022 Updates (August 8, 2023)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (August 8, 2023)
Microsoft Office Updates (August 8, 2023)


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security, Software, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *