Last month Microsoft released cumulative updates for Exchange 2016 and Exchange 2019. Once you get the September cumulative updates, be sure to grab the security updates released in October.
While Exchange 2013 did not have a cumulative update, it did receive a security update, which can be applied to Exchange 2013 Cumulative Update 23.
A security update was not released for Exchange 2010. The latest update for Exchange 2010 is still Rollup 32 (March 2nd, 2021). Keep in mind that Exchange 2010 was out of support as of October 13th, 2020.
If you need guidance on migrating from a specific CU to the latest, check out Microsoft’s Exchange Update Wizard for step-by-step instructions.
The updates are as follows:
The new Microsoft Exchange Emergency Mitigation Service
As a response to the HAFNIUM exploits the Exchange team developed a new Exchange Emergency Mitigation service to be included with Exchange Server. Emergency Mitigation is a new Windows service that is deployed by the Exchange Server setup utility.
It is effectively a built-in version of the previously released standalone Emergency Online Mitigation Tool (EOMT) that administrators could run on-demand. The standalone tool was a way for administrators to apply interim remediation until they could apply the needed patches.
In much the same way the Emergency Mitigation Service checks the Office Config Service (OCS) for new mitigation XMLs every hour. It then applies the interim remediation specified in the XML file. The mitigation service can apply the following three actions.
- Block malicious patterns in HTTP requests via the IIS URL rewrite service
- Disable vulnerable Exchange services
- Disable vulnerable App Pools in IIS
Should you accidentally undo any mitigations, restart the Emergency Mitigation Service on the Exchange Server. Within 10 minutes the service will check OCS for the latest XML and reapply any mitigations.
At the time of writing, only a test XML file exists at the Office Config Service for heartbeat purposes. That said, your Exchange Server now requires an outbound connection to https://officeclient.microsoft.com to access these mitigation XML files. To verify Exchange can reach the Office Config Service, you can leverage the Test-MitigationServiceConnectivity.ps1 script located in the Exchange scripts folder.
Once you apply a cumulative or security update that addresses the vulnerability, you will need to manually undo any actions taken by the Emergency Mitigation Service.[Read more…] about Exchange September Cumulative Updates and the new Emergency Mitigation Service