Security Updates Released (Out-of-Band) for Critical Exchange Server Vulnerabilities
This post is to alert you to Microsoft’s release of patches for multiple on-premises Microsoft Exchange Server zero-day vulnerabilities that are being exploited by a nation-state affiliated group.
The vulnerabilities exist in on-premises Exchange Servers 2010, 2013, 2016, and 2019. Exchange Online is not affected. We wanted to ensure you were aware of the situation and would ask that you help drive immediate remediation steps.
Specifically, to minimize or avoid impacts of this situation, Microsoft highly recommends that you take immediate action to apply the patches for any on-premises Exchange deployments you have or are managing for a customer, or advise your customer of the steps they need to take. The first priority is servers that are accessible from the Internet (e.g., servers publishing Outlook on the web/OWA and ECP).
To patch these vulnerabilities, you should move to the latest Exchange Cumulative Updates and then install the relevant security updates on each Exchange Server.
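The following is an added triage example, not a script from this post or from Microsoft; it lists the on-premises Exchange servers in an organization with their build version and puts Internet-facing servers (those whose OWA or ECP virtual directory has a populated ExternalUrl) first, so patching can follow the priority described above. It assumes it is run from the Exchange Management Shell and that a populated ExternalUrl is a reasonable proxy for Internet exposure.

```powershell
# Added example (not Microsoft's EOMT or any script from the post).
# Run from the Exchange Management Shell in an on-premises Exchange organization.
# Assumption: an OWA/ECP virtual directory with a populated ExternalUrl means the
# server is published to the Internet; confirm against your firewall/load balancer.

$inventory = foreach ($srv in Get-ExchangeServer) {
    # Edge Transport servers host no OWA/ECP virtual directories; skip them
    if ($srv.ServerRole -match 'Edge') { continue }

    $owa = Get-OwaVirtualDirectory -Server $srv.Name -ErrorAction SilentlyContinue
    $ecp = Get-EcpVirtualDirectory -Server $srv.Name -ErrorAction SilentlyContinue

    # Collect any non-empty external URLs from both virtual directories
    $externalUrls = @($owa.ExternalUrl; $ecp.ExternalUrl) |
        Where-Object { $_ -and $_.ToString().Trim() -ne '' }

    [pscustomobject]@{
        Server         = $srv.Name
        # Compare this build against the CU/SU table in the linked Exchange blog posts
        Version        = $srv.AdminDisplayVersion.ToString()
        InternetFacing = ($externalUrls.Count -gt 0)
        ExternalUrls   = ($externalUrls -join '; ')
    }
}

# Internet-facing servers first, then the rest, so the patch order matches the guidance
$inventory |
    Sort-Object -Property @{ Expression = 'InternetFacing'; Descending = $true }, Server |
    Format-Table -AutoSize
```

Servers that report InternetFacing = True are the ones to update to the latest CU and apply the security update on first; the remaining servers follow.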
We are committed to working with you through this issue. If you have any questions, please reach out under this post or to your Microsoft contact directly.
Resources and information about this issue for partners
Exchange patch information
· CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
· CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
· CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
· CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability (public)
Following up on our previous note about Microsoft Exchange Server on-prem, we have continued to simplify our approach. We wanted to recap our guidance and make sure you and your teams have access to the latest resources:
- If you have not yet applied the security updates to your on-premises Exchange servers, we would urge you to take action:
  - We recommend you leverage the Microsoft Exchange On-Premises Mitigation Tool (EOMT), which Microsoft released on GitHub. This is a free one-click tool that you can use to temporarily protect servers you have not yet been able to patch. You can find instructions for this tool on our MSRC blog. When EOMT runs, it will also download and run the latest version of Microsoft Safety Scanner to determine if any exploitation has already occurred.
  - Apply the relevant security patches as soon as possible per our previously shared patching guidance. You are not fully protected from the disclosed vulnerabilities until you apply the latest security updates to your on-premises servers.
  - For continuous monitoring, detection and remediation capabilities we have made Microsoft Defender for Endpoint (MDE) available to customers for 90 days*. MDE will block all known threats associated with the Exchange vulnerabilities as well as provide continuous detection and hunting capabilities beyond what EOMT can offer. As a next step, please follow the steps for setting up Microsoft Defender for Endpoint and onboarding your Exchange Server.
- If you have already patched your Exchange Servers:
  - You are protected from any future exploitation of the Exchange vulnerabilities once patched. To determine if any exploitation occurred prior to patching, we recommend you download and run the Microsoft Safety Scanner on all your on-prem Exchange servers. This is a free one-click tool and is updated several times a day with the latest signatures for known threats associated with the Exchange vulnerabilities.
  - For continuous monitoring, detection and remediation capabilities we have made Microsoft Defender for Endpoint (MDE) available to customers for 90 days*. MDE will block all known threats associated with the Exchange vulnerabilities as well as provide continuous detection and hunting capabilities beyond what Microsoft Safety Scanner can offer. As a next step, please follow the steps for setting up Microsoft Defender for Endpoint and onboarding your Exchange Server.
We are here to help you should you have any questions about your security posture!
Microsoft has shared additional guidance and product updates to help you and your customers following last week’s March 2021 Exchange Server Security Updates.
Consolidated Guidance. The below guidance consolidates information from multiple Microsoft blogs and communications to explain the situation and help clarify the steps required to respond:
- An updated MSRC blog post Multiple Security Updates Released for Exchange Server – updated March 8, 2021 to provide a comprehensive overview of the security updates for Exchange Server and recommended steps to patch and remediate.
- Step-by-step instructions on patching and remediation, detailed by version of Exchange Server.
Security updates for older Cumulative Updates of Exchange Server. To help partners and customers who have not yet upgraded their Exchange Servers to current Cumulative Updates (CUs), Microsoft is producing additional security updates which can be applied to a set of older (and unsupported) CUs.
This is intended only as a temporary measure to help immediately protect vulnerable machines. You still need to update and have your customers update to the latest supported CU and then apply the applicable Security Updates (SUs). If you or your customers are already mid-update to a later CU, continue with that update.
To learn more about these updates, and important considerations for applying them, please review the Exchange blog post March 2021 Exchange Server Security Updates for older Cumulative Updates of Exchange Server and KB5000871.
We are committed to continuing to partner with you as we work through this issue. Microsoft Customer Success Account Manager and Technical Support Teams will continue to work with your technical teams to assist in addressing this issue.
Information to assist you and your teams:
CSS Support: https://support.microsoft.com/