[German]For administrators of Exchange Server 2013, 2016 and 2019, Microsoft has released the security updates for the current month as of November 9, 2021. Most relevantly, a Remote Code Execution (RCE) vulnerability CVE-2021-42321 is closed (was exploited at the Tianfu 2021 hacker contest). This is already being exploited by attackers in the wild – albeit on a limited scale – so prompt installation of the November 2021 security updates is advised.
The vulnerability CVE-2021-42321
Vulnerability CVE-2021-42321 is a remote code execution vulnerability in Exchange Server 2016 and 2019 that was demonstrated in a hack at the Tianfu 2021 Cup. I had reported about the competition in mid-October 2021 in the blog post Tianfu Cup 2021: Exchange 2019 and iPhone hacked. I do not have details about the vulnerability, just this: the flaw exists (according to Tenable) due to improper validation of command line arguments (cmdlet). Exploitation requires the attacker to authenticate. According to Microsoft, the vulnerability has probably been exploited in some cases.
The November 2021 updates
In the Techcommunity post Released: November 2021 Exchange Server Security Updates s, Microsoft has announced the release of security updates to close vulnerabilities for November 2021 as of 9/11/2021. The following updates are available:
As mentioned earlier, Microsoft writes that limited targeted attacks are known to exploit one of the vulnerabilities (CVE-2021-42321). It is a post-authentication vulnerability in Exchange 2016 and 2019, and Microsoft recommends installing these updates immediately to protect the on-premises Exchange environment.
In the tech community post, there is a reference to the following PowerShell command that can be used to check if an exploit was attempted on Exchange servers prior to patch installation.
Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
If there is a hit in the log, this is an indication of exploitation. These vulnerabilities affect on-premises Microsoft Exchange servers, as well as servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action.
When installing manually, be sure to run the .msp packages from an administrative prompt. Otherwise, the installation will go wrong. For further questions (e.g. whether there are also updates for older CUs, or the hint about WSUS problems with the CU for Exchange 2013), consult the Techcommunity post.
Similar articles:
Security updates for Exchange Server (July 2021)
Cumulative Exchange CUs June 2021 released
Exchange Server Security Update KB5001779 (April 13, 2021)
Exchange isues with ECP/OWA search after installing security update (March 2021)
Exchange security updates from July 2021 breaks ECP and OWA
Exchange 2016/2019: Outlook problems due to AMSI integration
Wave of attacks, almost 2,000 Exchange servers hacked via ProxyShell
Exchange Server 2016-2019: Custom attributes in ECP no longer updatable after CU installation (July 2021)
Exchange Server: Authentication bypass with ProxyToken
Exchange vulnerabilities: Will we see Hafnium II?
Exchange 2016/2019: Outlook problems due to AMSI integration
Exchange Server September 2021 CU comes Sept. 28 with Microsoft Exchange Emergency Mitigation Service
Exchange Server September 2021 CU (2021/09/28)
Security updates for Exchange Server (October 2021)
Tianfu Cup 2021: Exchange 2019 and iPhone hacked
Babuk gang uses ProxyShell vulnerability in Exchange for ransomware attacks