[German]Brief information for administrators of Microsoft Exchange servers who have yet to install the March 2021 security update. The security update released this week by Microsoft for Microsoft on-premise Exchange servers (2010 to 2019) is indeed intended to close four vulnerabilities used for attacks. The update has caused malfunctions in one case (ECP stops running and OWA search goes on strike). I am posting the information for administrators here on the blog to help troubleshoot for those affected.
Security update for Exchange server 0-day exploits
I had addressed it on March 3, 2021 in the blog post Exchange server 0-day exploits are actively exploited. There are four vulnerabilities CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 in Microsoft on-premise Exchange Server versions 2010 through 2019 that are being exploited by the suspected state-affiliated Chinese hacker group HAFNIUM for targeted attacks. The vulnerabilities allow remote code execution (RCE) and Exchange server takeover or information siphoning.
Microsoft has released security updates for the on-premise variants of Exchange Server (2010 to 2019) to close these vulnerabilities. Since Exchange 2010, which has long since fallen out of support, is also receiving a patch, it underscores that Microsoft classifies the situation as critical. Initial feedback on my German blog confirms that this cumulative update can probably be installed largely without collateral damage. However, an administrator has reported on Facebook that he noticed problems after the installation.
Exchange Control Panel (ECP) fails
Shortly after my post, German administrator Flo A. got in touch with me on Facebook and mentioned "After the update the ECP is no longer running, just looking for the error". The abbreviation ECP stands for Exchange Control Panel. Administrator Oliver H. pointed out that there could be various causes for the ECP failing to load. A web search brings up various hits (like here or this). Oliver confirmed that he had found four errors on several systems around the installation of the cumulative security update for Exchange (probably 2016). He then posted two articles about the ECP not loading, which address an incorrect path for the components as the cause:
- Exchange Server 2016 unable to load ECP or PowerShell after updating certificate
- Exchange 2016: Serverfehler in Anwendung (OWA und/oder ECP) (German)
Using these articles, the administrator did manage to get ECP reloaded under Exchange. However, the display was then faulty, but this was covered by Phillipp Hungerbühler in the German article Und wieder hinterlässt ein fehlerhafter Exchange Update eine halblebige Umgebung. The German admin Flo, that has contacted me on Facebook then gave the feedback that a wrong value in the variable BinSearchFolders was adjusted and ECP worked again.
OWA search no longer works
After the Exchange Control Panel (ECP) reloaded and provided a correct display, Oliver H. still had to deal with the problem that Outlook Web App search (OWA search) was on strike. About this he writes:
And finally, the search in OWA and Outlook stopped working.
The setup simply set my "Microsoft Search Host Controller" service to disabled.
After reactivating and starting the service, the search worked again.
Are all no big things, if you know where to look. But it seems that the cumulative Exchange security update can cause problems on some systems. Maybe it helps those affected – you can leave feedback if you like. Thanks to Flo and Oliver for the feedback on Facebook.
Addendum: The issues outlined above has been covered now by Microsoft, see my blog post Important notes from Microsoft regarding the Exchange server security update (March 2021)