Patching Exchange Server 2019 and 2016: October 2022 (KB5019077) – Elevation of Privilege Vulnerabilities
The Microsoft Exchange Server team has released a security update for On-Premises Exchange Servers. The October 2022 security updates are available for the following affected versions:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU22 and CU23
- Exchange Server 2019 CU11 and CU12
I decided to create this blog post to summarize what this new security update fixes and which CVEs it covers. I will also explain how we can check whether our Exchange servers are affected, and walk you through the process of patching them.
Exchange servers are critical systems that are frequently targeted by attackers. Microsoft recommends installing this security update immediately, which is why I decided to write this blog post. It should not surprise you if one of these CVEs gets exploited in the wild, so please start patching your Exchange servers. At the time of writing, the CVEs mentioned here were not public (yet). Keep in mind that this can change rapidly.
KB5019077 will solve the following:
- CVE-2022-21979 – Microsoft Exchange Information Disclosure Vulnerability
This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message. Successful exploitation of this vulnerability requires an attacker to have internal knowledge of the target Exchange account including the security identifier (SID) for the account to use for impersonation or delegate access.
Impact: An attacker who can successfully exploit this vulnerability could read targeted email messages. Yes, the attacker needs to be authenticated.
- CVE-2022-21980 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.
- CVE-2022-24477 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.
Impact: The attacker would be able to take over the mailboxes of all Exchange users: send emails, read emails, and download attachments. Yes, the attacker needs to be authenticated.
- CVE-2022-24516 – Microsoft Exchange Server Elevation of Privilege Vulnerability
This vulnerability requires that a user with an affected version of Exchange Server access a malicious server. An attacker would have to host a specially crafted server share or website. An attacker would have no way to force users to visit this specially crafted server share or website but would have to convince them to visit the server share or website, typically by way of an enticement in an email or chat message.
- CVE-2022-30134 – Microsoft Exchange Server Elevation of Privilege Vulnerability
Any authenticated user could trigger this vulnerability. It does not require admin or other elevated privileges.
Impact: An attacker who successfully exploited the vulnerability could read targeted email messages.
- CVE-2022-34692 – Microsoft Exchange Information Disclosure Vulnerability
An attacker who successfully exploited the vulnerability could read targeted email messages.
I’m running On-Premises Exchange servers. How do I know if I’m affected?
The first thing is to download the HealthChecker PowerShell script. In order to successfully run this script, we need to have the following permissions:
- Organization Management
- Local Administrator on all the Exchange servers
If you don’t know which servers are your Exchange servers, open PowerShell and run the following commands:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Get-ExchangeServer | select name | fl
In this example we can see that there are two Exchange servers in total.

Open Notepad and paste the Exchange server names in there.

Now we are going to run the HealthChecker script to gather the Exchange CU level of these two Exchange servers. The output will also include other findings you can work on later, such as outdated software, expired certificates, or critical (Exchange) services that are not running.
# Read the server names saved from Notepad, one per line
$servers = Get-Content C:\Users\Testing.CONTOSO\Desktop\ExchangeServers.txt
# Use a distinct loop variable; reusing $servers as both the collection and the item is confusing
ForEach ($server in $servers)
{
    .\HealthChecker.ps1 -Server $server
}
In the sample output we can retrieve the Exchange information of our servers, including the CU version.
- Exchange 2016 CU23

- Exchange 2019 CU12

As discussed at the top of this blog post, both of these versions are affected by those CVEs. This means we have to start patching our Exchange servers.
Patching Exchange servers by installing KB5019077
In the previous screenshots we can see that there is an Exchange Server 2016 CU23 and an Exchange Server 2019 CU12.
- Security Update for Exchange Server 2016 CU23 (KB5019077): https://www.microsoft.com/en-us/download/details.aspx?id=104671
- Security Update for Exchange Server 2019 CU12 (KB5019077): https://www.microsoft.com/en-us/download/details.aspx?id=104669
First, we are going to install this patch on our Exchange 2016 CU23 machine. If you have an EDR or AV in place, it is recommended to put it in passive mode on the machine we’re going to patch.
For Exchange 2016 CU23, I will demonstrate what it looks like when user interaction is required. Run Exchange2016-KB5019077-x64-en.exe as an Administrator.
In the first step it will check whether there is enough disk space.

If everything looks fine, we can press ‘Next’.

Here we can see that the patch has been installed.

The server will now be rebooted to apply the patch.

To verify whether this specific patch has been applied successfully, open PowerShell and run the following command:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*Microsoft Exchange Server 2016 Cumulative Update*"} | Select-Object DisplayName, DisplayVersion, InstallDate | Format-List

We are now going to patch our Exchange Server 2019 CU12 machine. In this example we will use the command line and specify /silent mode, which doesn’t require any user interaction (no pressing ‘Next’ all the time).
Open PowerShell as an admin and run the following command:
.\Exchange2019-KB5019077-x64-en.exe /silent

Once everything has been completed, the console will also tell us that the patch has been applied successfully. The server will then be rebooted to apply the security patch.

Open PowerShell and run the following command to verify whether the patch has been installed:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "*Microsoft Exchange Server 2019 Cumulative Update*"} | Select-Object DisplayName, DisplayVersion, InstallDate | Format-List
Based on the version number, we can see that the patch has been installed.
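Both verification commands above check one server at a time. As an added example (not part of the original post), the following script runs the same registry query over every Exchange server at once and compares the installed build with the post-update build you expect. It assumes WinRM access to the servers, reuses the server list file and Exchange snap-in from earlier in the post, and the $MinimumVersion values are placeholders to fill in from the KB5019077 page for your CU.

```powershell
param(
    # Server list file used earlier in the post; ignored when the Exchange snap-in is available.
    [string]$ServerListPath = 'C:\Users\Testing.CONTOSO\Desktop\ExchangeServers.txt',
    # Placeholder minimum post-SU build per product; replace with the build numbers from the KB page.
    [hashtable]$MinimumVersion = @{ '2016' = '0.0.0.0'; '2019' = '0.0.0.0' }
)

# Prefer the live server list from Exchange; fall back to the text file.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue
if (Get-Command Get-ExchangeServer -ErrorAction SilentlyContinue) {
    $servers = (Get-ExchangeServer).Name
} else {
    $servers = Get-Content $ServerListPath | Where-Object { $_.Trim() -ne '' }
}

# Same registry query as the manual check, widened to match 2016 and 2019 in one run.
$query = {
    Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' |
        Where-Object { $_.DisplayName -like '*Microsoft Exchange Server 201? Cumulative Update*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate -First 1
}

$results = foreach ($server in $servers) {
    try {
        $info = Invoke-Command -ComputerName $server -ScriptBlock $query -ErrorAction Stop
        if (-not $info) { throw "no Exchange Cumulative Update entry found in the Uninstall key" }
        $year = [regex]::Match($info.DisplayName, 'Exchange Server (\d{4})').Groups[1].Value
        if (-not $MinimumVersion.ContainsKey($year)) { throw "no minimum build configured for Exchange $year" }
        $installed = [version]$info.DisplayVersion
        $required  = [version]$MinimumVersion[$year]
        [pscustomobject]@{
            Server = $server; Product = $info.DisplayName; Version = $installed
            InstallDate = $info.InstallDate; Patched = ($installed -ge $required); Error = $null
        }
    } catch {
        # Unreachable server, WinRM problem or unexpected data: report it, never skip it silently.
        [pscustomobject]@{
            Server = $server; Product = 'n/a'; Version = $null
            InstallDate = $null; Patched = $false; Error = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
# Non-zero exit when any server is still below the required build, so this can run as a scheduled check.
if ($results | Where-Object { -not $_.Patched }) { exit 1 }
```

A server that is unreachable or has no matching Uninstall entry is listed as unpatched with the error text, so a silent gap in coverage cannot pass as a clean result.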

References
- Released: October 2022 Exchange Server Security Updates: https://techcommunity.microsoft.com/t5/exchange-team-blog/released-october-2022-exchange-server-security-updates/ba-p/3646263
- Security Update for Exchange Server 2019 CU12 (KB5019077): https://www.microsoft.com/en-us/download/details.aspx?id=104669
- Security Update for Exchange Server 2016 CU23 (KB5019077): https://www.microsoft.com/en-us/download/details.aspx?id=104671
- CVE-2022-21980: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21980
- CVE-2022-24477: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24477
- CVE-2022-24516: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24516
- CVE-2022-21979: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21979
- CVE-2022-30134: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30134
- CVE-2022-34692: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-34692