Keep on Patching
Fifteen weeks on from the Hafnium fiasco, I hope those responsible for Exchange Server maintenance haven’t forgotten the need to keep their on-premises fully patched and up to date. Microsoft has released security updates to address issues like the remote code vulnerability reported in CVE-2021-34473 and CVE-2021-31206. The updates apply to:
- Exchange Server 2013 CU23.
- Exchange Server 2016 CU20 and CU21.
- Exchange Server 2019 CU9 and CU10.
All servers, including those used for hybrid account management, must be updated.
Obviously, if you haven’t updated Exchange Server to one of the releases updated above, some extra effort is necessary to get to a suitable build.
Like taking a second vaccination dose to protect against Covid-19, full protection isn’t assured unless you also apply an Active Directory schema update. If you’re running Exchange 2016 CU21 or Exchange 2019 CU10, you’re already protected. Those running Exchange 2016 CU20 or Exchange 2019 CU9 need to extend the schema using the June 2021 cumulative updates.
For Those Running Exchange 2013
While Exchange 2016 and 2019 received schema updates through cumulative updates, Exchange 2013 was not updated in June 2021. Special processing is therefore needed for Exchange 2013 servers when Exchange 2013 is the latest server version in the organization (if it’s not, the schema updates are done when cumulative updates are applied to Exchange 2016 or 2019).
- Go ahead and install the security update for Exchange 2013 CU23. This leaves some updates schema files on the server but does not install them. Microsoft uses the security update to distribute the schema files to servers in the absence of a cumulative update.
- When you’re ready to extend the schema, run Setup.exe to perform the update (/prepareschema from v15\Bin). Setup will use the updated schema files left by the security update to apply the changes to Active Directory.
As always make sure that you apply Exchange server updates using an administrator account with elevated permissions.
Block the Attackers
One of the lessons we learned from Hafnium is how easy it is for attackers to exploit new weaknesses discovered in on-premises servers. The imperative is for administrators to stay on top of problems by installing security updates as soon as possible after Microsoft releases code. If you don’t, your servers might be on the target list for the next attack, and that wouldn’t be nice.