Microsoft closes further security gaps in Exchange Server
On its April 2021 patchday, Microsoft released additional security updates for its popular groupware Exchange Server. Among other things, the security updates close numerous security gaps classified as critical in Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. We strongly recommend that you have these updates installed by qualified personnel immediately. If you already have extensive experience with the Exchange Server environment, please refer to the step-by-step instructions for the update path below.
Is March repeating itself?
Vulnerabilities in Microsoft Exchange made the headlines back on March 3, 2021. The so-called Hafnium Exchange Server hack exploited a few vulnerabilities, including the one, CVW-2021-26855, known as ProxyLogon. This allowed attackers to gain administrative access rights to servers and execute remote code. Now that, according to estimates by IT security experts, hundreds of thousands of email servers have been infected worldwide, there are suspicions that such a wave of attacks could be repeated.
According to Microsoft, there are currently no indications of an exploit for the additional security gaps discovered in April. Nevertheless, we strongly recommend that you install the latest security updates as soon as possible.
Which systems are affected?
The following systems need patching regardless of whether they are in a pure on-prem or hybrid environment:
- Microsoft Exchange Server 2013
- Microsoft Exchange Server 2016
- Microsoft Exchange Server 2019
Update process
Requirements
The installation of the April 2021 security updates requires certain cumulative updates (CU). These are:
- Exchange Server 2013 CU23
- Exchange Server 2016 CU19 and CU20
- Exchange Server 2019 CU8 and CU9
Step 1: Check the current server status
First, you need to run the Exchange Server Health Checker on your Exchange Server. This script will tell you if any of your Exchange Servers are behind on updates.
Step 2: Install the current CU
If your system is already up to date (s. “Requirements”), you can skip this step and proceed directly to Step 3. If a CU is required, please run the following tool: https://exupdatestepbystep.azurewebsites.net/
Select your Exchange Server version and the CU identified in Step 1 (Current installed CU). Under Required CU, select the CU you want to apply. After clicking on “Tell me the steps”, you will receive detailed instructions on how to install the desired CU on your Exchange Server.
Step 3: Install the April 2021 security updates
Once your Exchange Servers have a current CU version, you can install the April 2021 security updates.
Here is the link to the relevant updates:
- Security update for Exchange Server 2013 CU23
- Security update for Exchange Server 2016 CU19
- Security update for Exchange Server 2016 CU20
- Security update for Exchange Server 2019 CU8
- Security update for Exchange Server 2019 CU9
Restart your Exchange Server.
Watch out for automatic Windows updates
We strongly recommend that you do not rely solely on the above patches being delivered via automatic Windows updates. As with any server, we advise you to watch out for updates at all times: Updates are only loaded/installed automatically if you have configured this option accordingly. Usually, however, it is not desired since most updates require the system to be restarted (like the one mentioned here), or you will need to restart the system manually.
Exchange Online as an alternative
It is becoming increasingly important to take a closer look at the possibilities offered by the cloud. For example, Exchange Online customers are not affected by the March or April update. A server environment centrally hosted and managed by the manufacturer as part of Microsoft 365 (Office 365) significantly reduces the burden on the IT Department. Routine work such as software updates, cumulative updates or security updates are part of the license agreement, not to mention the logical and physical separation between your server environment and the Exchange Online environment, which makes the spread of a possible exploit significantly smaller.
The advantages the cloud offers can be found on our “Move to cloud” landing page. Of course, our colleagues in Sales will also be happy to answer any questions you may have:
t. +49 2861 80847 200
e. vertrieb@netgo.de
We are happy to help!
If you have any technical questions about the update process or need further assistance, please don’t hesitate to contact our Support:
