Collected Links For Hafnium – March 2021 Exchange Security Issue

The below are a series of links, tips and some very brief thoughts on Hafnium.  I will purposefully not include the content of the other locations as it is changing so rapidly, and there is no way to ensure that it would be updated here in a timely fashion.



If you read nothing else, please ensure that you install the update from an elevated CMD prompt if you are manually installing. 

Failing to do this, will not install the update properly and you will be vulnerable. 


Update 8-3-2021 -- Initially the Security Update (SU) was only available for the currently support Exchange Cumulative Updates (CUs).  This has been modified and a SU is available for more CUs.  Please note that this additional SU does not address the lack of support for outdated Exchange builds and it only addresses the aforementioned CVEs.  Your servers will not protected from all know issues until you upgrade to a  supported CU and install the current SU.  These security updates will be released on the Microsoft Download Center only. These updates will not appear on Microsoft Update.

Update 16-3-2021 -- Added link to the One Click Mitigation Tool

Update 16-3-2021 -- Added new MSRC post

Update 19-3-2021 -- Added reference to new Defender capability


Exchange 2010 supported ended on the 14th of October 2020.  An update is provided for Exchange 2010 as a defense in depth mechanism as it is vulnerable in a mixed environment.  Exchange 2010 should be decommissioned ASAP.

Exchange 2003 and Exchange 2007 are also unsupported, and should not be present in a production environment.


List of CVEs

The below are the CVEs which are being targeted against Exchange for reference.

CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability




Microsoft Links

Security update for Exchange Server 2019, 2016, and 2013 (KB5000871)

Security update for Exchange Server 2010 Service Pack 3 (KB5000978)

Microsoft CSS PowerShell Scripts for mitigation and detection

Exchange Team Blog

Exchange Team Blog – Security Updates Now Available For Additional Cumulative Updates

https://aka.ms/exupdatefaq  - which is this page here

https://aka.ms/ExHelper   - which is this link.  This is my senior Canadian colleagues who put this together to illustrate the upgrade paths.



MSRC Blog - March 6th Update

MSRC Blog - March 8th Update 

MSRC Blog - March 16th Update

Microsoft On the Issues Blog

New MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021.

MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server

Microsoft Safety Scanner - updated for DearCry.  Do NOT re-use previous downloads, always download the tool for each execution.

Microsoft Defender - Now has automatic remediation With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.

One Click Mitigation Tool - Read the MSRC post here.  Though it is a script, so not much clicking...



Additional Microsoft Links

The below are some additional reading links for generic and previous issues with Exchange.

Security Update Guide

Microsoft Defender Security Research Team - Defending Exchange servers under attack

Protecting Microsoft 365 from on-premises attacks



Additional Blog Links

Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Exchange .NET support requirements

Checking .NET version using registry

Expediting .NET Framework installation

Example where .NET Framework requirement change

Exchange 2016 RecoverServer - If a server has to be rebuilt, but this is not the first go to action in the case of an incident

CISA.gov  - US website for additional coverage

collecting forensic data - Discusses aspects of forensic data collection.  Please follow the guidance for your IR team





Rhoderick Milne [MSFT]

Leave a Reply

Your email address will not be published. Required fields are marked *