Note: this post is getting frequent updates; please keep checking back. Last update: 3/10/2021
Microsoft has released a set of out of band security updates for vulnerabilities for the following versions of Exchange Server:
- Exchange Server 2013
- Exchange Server 2016
- Exchange Server 2019
Security updates are available for the following specific versions of Exchange:
IMPORTANT: If manually installing security updates, you must install .msp from elevated command prompt (see Known Issues in update KB articles)
- Exchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)
- Exchange Server 2013 (update requires CU 23)
- Exchange Server 2016 (update requires CU 19 or CU 18)
- Exchange Server 2019 (update requires CU 8 or CU 7)
- NEW! Security Updates for older Cumulative Updates of Exchange Server
Because we are aware of active exploits of related vulnerabilities in the wild (limited targeted attacks), our recommendation is to install these updates immediately to protect against these attacks.
The vulnerabilities affect Microsoft Exchange Server. Exchange Online is not affected.
For more information, please see the Microsoft Security Response Center (MSRC) blog.
Mitigations, investigation and remediation:
- 1 Are there any mitigations I can implement right now?
- 2 How can I tell if my servers have already been compromised?
- 3 More information about investigations
- 4 What about remediation?
- 5 Does installing the March Security Updates require my servers to be up to date?
- 6 How can I get an inventory of the update-level status of my on-premises Exchange servers?
- 7 Which of my servers should I update first?
- 8 Will the installation of the Security Updates take as long as installing an RU/CU?
- 9 My organization needs to ‘get current’ first… we need to apply a Cumulative Update. Any tips for us?
- 10 Errors during or after Security Update installation! Help!
- 11 Are there any other resources that you can recommend?
- 12 My organization is in Hybrid with Exchange Online. Do I need to do anything?
- 13 The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?
Are there any mitigations I can implement right now?
Please see the new MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021. There is now a scripted version for mitigations, ExchangeMitigations.ps1.
How can I tell if my servers have already been compromised?
Information on Indicators of Compromise (IOCs) – such as what to search for, and how to find evidence of successful exploitation (if it happened), can be found in HAFNIUM Targeting Exchange Servers. There is a scripted version of this available on GitHub here.
Please also check the new CompareExchangeHashes.ps1 script available here (helps with malicious file detection on Exchange servers running 2013, 2016 or 2019 versions).
More information about investigations
To aid defenders in investigating these attacks where Microsoft security products and tooling may not be deployed, we are releasing a feed of observed indicators of compromise (IOCs). The feed of malware hashes and known malicious file paths observed in related attacks is available in both JSON and CSV formats at the below GitHub links. This information is being shared as TLP:WHITE. CSV format and JSON format are available.
What about remediation?
MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server. Please download a new copy of MSERT often, as updates are made in the tool regularly!
Installing and troubleshooting updates:
Does installing the March Security Updates require my servers to be up to date?
Today we shipped Security Update (SU) fixes. These fixes can be installed only on servers that are running the specific versions listed previously, which are considered up to date. If your servers are running older Exchange Server cumulative or rollup update, we recommend to install a currently supported RU/CU before you install the security updates. If you are unable to get updated quickly, please see March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server.
How can I get an inventory of the update-level status of my on-premises Exchange servers?
You can use the Exchange Server Health Checker script, which can be downloaded from GitHub (use the latest release). Running this script will tell you if you are behind on your on-premises Exchange Server updates (note that the script does not support Exchange Server 2010).
Which of my servers should I update first?
Exploitation of the security vulnerabilities addressed in these fixes requires HTTPS access over the Internet. Therefore, our recommendation is to install the security updates first on Exchange servers exposed/published to the Internet (e.g., servers publishing Outlook on the web/OWA and ECP) and then update the rest of your environment.
Will the installation of the Security Updates take as long as installing an RU/CU?
Installation of Security Updates does not take as long as installing a CU or RU, but you will need to plan for some downtime.
My organization needs to ‘get current’ first… we need to apply a Cumulative Update. Any tips for us?
Please see the Upgrade Exchange to the latest Cumulative Update article for best practices when installing Exchange Cumulative Updates. To ensure the easiest upgrade experience (and because in many organizations Exchange and Active Directory roles are separate) you might wish to run /PrepareAD (in the Active Directory site that Exchange is a member of) before running the actual CU Setup. You can use this document as a guide to understand what you might have to do.
Errors during or after Security Update installation! Help!
It is extremely important to read the Known Issues section in the Security Update KB article (here and here depending on the version). If installing the update manually, you must run the update from the elevated command prompt. If you are seeing unexpected behavior, check the article addressing troubleshooting failed installations of Exchange security updates (we will keep updating this article).
Are there any other resources that you can recommend?
Microsoft Defender Security Research Team has published a related blog post called Defending Exchange servers under attack which can help you understand some general practices around detection of malicious activity on your Exchange servers and help improve your security posture.
My organization is in Hybrid with Exchange Online. Do I need to do anything?
While those security updates do not apply to Exchange Online / Office 365, you need to apply those Security Updates to your on-premises Exchange Server, even if it is used for management purposes only.
The last Exchange 2016 and Exchange 2019 CU’s were released in December of 2020. Are new CU’s releasing in March 2021?
We are still on schedule to release Exchange Server 2016 CU 20 and Exchange Server 2019 CU 9 in March 2021 and those CUs will contain the Security Updates mentioned here (along with other fixes). Our strong recommendation is to install security updates immediately.
Major updates to this post:
- 3/10/2021: Added a note that the MSERT tool should be downloaded often as it gets updated regularly
- 3/9/2021: Added a link to ExchangeMitigations.ps1 mitigation script and CompareExchangeHashes.ps1 file hashes check script.
- 3/8/2021: Added a link about Updates for older Cumulative Updates of Exchange Server and information about a feed of observed indicators of compromise (IOCs).
- 3/8/2021: Added a link to the guide that can help with steps that need to be taken to get current and update
- 3/8/2021: Added a note about elevated CMD prompt installation of .msp files
- 3/7/2021: Reorganized information to make it easier to navigate
- 3/6/2021: Added information about MSERT tool to help with remediation
- 3/6/2021: linked to an article about troubleshooting failed installations of Exchange security updates
- 3/5/2021: linked to the new MSTIC blog post on Vulnerability Mitigations
The Exchange Team