[German]Microsoft has announced on May 11, 2021 – the expected (see Is a hotfix for Microsoft Exchange coming today? (May 11, 2021)) Security updates released for Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. This is to immediately close a Microsoft Exchange Server spoofing vulnerability (CVE-2021-31209). Security update KB5003435 is available for download from the Microsoft Update Catalog.
Spoofing vulnerability (CVE-2021-31209)
As part of the Pwn2Own 2021 hacking contest (6-8.4-2021), three Exchange exploits were presented at once. I had already warned about these Exchange vulnerabilities in the April 2021 blog post PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight? and expected that they would be closed on the April 2021 patchday. But wasn't the case, as Microsoft had to patch several Exchange vulnerabilities reported internally by the NSA in April. .
Now, however, Microsoft has released security updates for the spoofing vulnerability (CVE-2021-31209) on May 11, 2021. To that end, Microsoft writes that this is one of the Exchange Server vulnerabilities found in the 2021 Pwn2Own contest. Redmond rates the exploitability of the vulnerability as low, and also states that there are no known exploits in the wild. However, the vulnerability has received a score of 6.5 and is classified as Important. Immediate installation of security updates is strongly recommended.
Exchange vulnerabilities addressed in May 2021
According to this ZDI blog post, the vulnerabilities listed in the following overview were closed in Exchange in May 2021:
- CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability, Moderate, 6.6, disclosed
- CVE-2021-31195: Microsoft Exchange Server Remote Code Execution Vulnerability, Important, 6.5
- CVE-2021-31198: Microsoft Exchange Server Remote Code Execution Vulnerability, Important, 7.8
- CVE-2021-31209: Microsoft Exchange Server Spoofing Vulnerability, Important, 6.5 (siehe oben)
With the exception of the first vulnerability, these are not publicly known. The security update KB5003435 to fix these vulnerabilities is available in the Microsoft Update Catalog.
May 2021 Exchange Server Security Updates
Microsoft provides an overview of the May 11, 2021 security updates for Exchange Server in this Technet post. Security updates to close found vulnerabilities are available for the following products:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
These updates are available for the following specific builds of Exchange Server:
The May 2021 Exchange Server security updates address vulnerabilities reported by security partners and found through Microsoft's internal processes. Although Microsoft is not aware of any active exploits in the wild, the company recommends installing these updates immediately to protect the Exchange environment.
These vulnerabilities affect on-premises Microsoft Exchange servers, as well as servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action. More details on each CVE can be found in theSecurity Update Guide (set filter under Product Family to Exchange Server). Before installing, go through the details mentioned in the Technet article as well as the known issues section of this article.
Similar articles:
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange Server Security Update KB5001779 (April 13, 2021)
PSA: Watch your Exchange Patch status – 0 day vulnerabilities found, is the next Exchange disaster in sight?
PoC for Microsoft Exchange bug discovered by NSA public
Is a hotfix for Microsoft Exchange coming today? (May 11, 2021)