Mitigating Microsoft Exchange Server Vulnerabilities

Updated: Jul 30, 2021

CVE-2021-28481


Microsoft has released security updates for vulnerabilities found in:

  • Exchange Server 2013

  • Exchange Server 2016

  • Exchange Server 2019

These updates are available for the following specific builds of Exchange Server:

  • Exchange Server 2013 CU23

  • Exchange Server 2016 CU19 and CU20

  • Exchange Server 2019 CU8 and CU9

Vulnerabilities addressed in the April 2021 security updates were responsibly reported to Microsoft by a security partner. Although we are not aware of any active exploits in the wild, our recommendation is to install these updates immediately to protect your environment.

These vulnerabilities affect Microsoft Exchange Server. Exchange Online customers are already protected and do not need to take any action.


For additional information, please see the Microsoft Security Response Center (MSRC) blog. More details about specific CVEs can be found in Security Update Guide (filter on Exchange Server under Product Family).


FAQs


My organization is in Hybrid mode with Exchange Online. Do I need to do anything? While Exchange Online customers are already protected, the April 2021 security updates do need to be applied to your on-premises Exchange Server, even if it is used only for management purposes. You do not need to re-run the Hybrid Configuration Wizard (HCW) after applying updates.


Do the April 2021 security updates contain the March 2021 security updates for Exchange Server? Yes, our security updates are cumulative. Customers who installed the March 2021 security updates for supported CUs can install the April 2021 security updates and be protected against the vulnerabilities that were disclosed during both months. If you are installing an update manually, do not double-click on the .msp file, but instead run the install from an elevated CMD prompt.


Is Microsoft planning to release April 2021 security updates for older (unsupported) versions of Exchange CUs? No, we have no plans to release the April 2021 security updates for older or unsupported CUs. In March, we took unprecedented steps and released SUs for unsupported CUs because there were active exploits in the wild. You should update your Exchange Servers to supported CUs and then install the SUs. There are 47 unsupported CUs for the affected versions of Exchange Server, and it is not sustainable to release updates for all of them. We strongly recommend that you keep your environments current.


Can we use March 2021 mitigation scripts (like EOMT) as a temporary solution? The vulnerabilities fixed in the April 2021 updates are different from those we fixed before. Therefore, running March 2021 security tools and scripts will not mitigate the vulnerabilities fixed in April 2021. You should update your servers as soon as possible. Please note that if March EOMT is ran after April updates are installed, it will mistakenly mention that systems are possibly vulnerable (As EOMT is not aware of April updates).


Do I need to install the updates on ‘Exchange Management Tools only’ workstations? Servers or workstations running only Microsoft Exchange Management Tools (no Exchange services) do not need to apply these updates.


Why are there security updates two months in a row? Microsoft regularly releases Exchange Server security updates on ‘patch Tuesday’. We are always looking for ways to make Exchange Server more secure. You should expect us to continue releasing updates for Exchange Server in the future. The best way to be prepared for new updates is to keep your environment current.


Is there no update for Exchange Server 2010? No, Exchange 2010 is not affected by the vulnerabilities fixed in the April 2021 security updates.


Is there a specific order of installation for the April 2021 security updates? We recommend that you update all on-premises Exchange Servers with the April 2021 security updates using your usual update process.


Known Issues

  1. After application of the Exchange Server April security update CMDlets executed against the Exchange Management Console using an invoked runspace might fail with the following error message: The syntax is not supported by this runspace. This can occur if the runspace is in no-language mode. Please see the following article: “The syntax is not supported by this runspace” error after installing April 2021 Exchange security u...

  2. Requesting free/busy information for a user in a different forest in a trusted cross-forest topology might fail with the following Autodiscover error: The remote server returned an error: (400) Bad Request. Please see the following KB article: "(400) Bad Request" error during Autodiscover for per-user free/busy in a trusted cross-forest topol...

  3. Administrator or Service accounts ending in symbol '$' might fail connecting to Exchange Management Shell or ECP. The only workaround at this time is to use accounts without the symbol '$' at the end of the name.

Major updates to this post:

  • 5/4: Edits to Known Issues section

  • 4/16: Added a Known Issues section

  • 4/14: Added info to March EOMT note and behavior after April updates are installed

  • 4/13: Changed download links to the KB article (has additional download information)

  • 4/13: Fixed a typo in the upgrade path graphics (to reflect correct CUs for Exchange Server 2019)

For this our any other cybersecurity concerns please feel to reach out to us at Get Started!

7 views0 comments

Recent Posts

See All

Exploited by REvil Ransomware https://helpdesk.kaseya.com/hc/en-gb/articles/4403440684689 CVEs: CVE-2021-30116 Kaseya's international...

Public 0-day exploit allows domain takeover https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527 A remote code execution...

Overview Multiple vulnerabilities have been discovered in F5 products, the most severe of which could allow for remote code execution....