
Collected Links For Hafnium – March 2021 Exchange Security Issue

Below is a series of links, tips and some very brief thoughts on Hafnium. I will purposefully not include the content of the other locations, as it is changing so rapidly and there is no way to ensure that it would be updated here in a timely fashion.

 

 

If you read nothing else, please ensure that you install the update from an elevated CMD prompt if you are manually installing.

Failing to do this will not install the update properly, and you will be vulnerable.

 

Update 8-3-2021 -- Initially the Security Update (SU) was only available for the currently supported Exchange Cumulative Updates (CUs). This has been modified and an SU is available for more CUs. Please note that this additional SU does not address the lack of support for outdated Exchange builds, and it only addresses the aforementioned CVEs. Your servers will not be protected from all known issues until you upgrade to a supported CU and install the current SU. These security updates will be released on the Microsoft Download Center only. These updates will not appear on Microsoft Update.

Update 16-3-2021 -- Added link to the One Click Mitigation Tool

Update 16-3-2021 -- Added new MSRC post

Update 19-3-2021 -- Added reference to new Defender capability

 

Exchange 2010 support ended on the 14th of October 2020. An update is provided for Exchange 2010 as a defense in depth mechanism, as it is vulnerable in a mixed environment. Exchange 2010 should be decommissioned ASAP.

Exchange 2003 and Exchange 2007 are also unsupported, and should not be present in a production environment.

 

List of CVEs

For reference, below are the CVEs which are being targeted against Exchange.

CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability

CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability

 

 

 

Microsoft Links

Security update for Exchange Server 2019, 2016, and 2013 (KB5000871)

Security update for Exchange Server 2010 Service Pack 3 (KB5000978)

Microsoft CSS PowerShell Scripts for mitigation and detection

Exchange Team Blog

Exchange Team Blog – Security Updates Now Available For Additional Cumulative Updates

https://aka.ms/exupdatefaq  - which is this page here

https://aka.ms/ExHelper - which is this link. My senior Canadian colleagues put this together to illustrate the upgrade paths.

MSTIC Blog

MSRC Blog

MSRC Blog - March 6th Update

MSRC Blog - March 8th Update 

MSRC Blog - March 16th Update

Microsoft On the Issues Blog

New MSTIC blog post called Microsoft Exchange Server Vulnerabilities Mitigations – March 2021.

The MSTIC team has (on March 6th) updated their blog post Microsoft Exchange Server Vulnerabilities Mitigations – March 2021 to include information about Microsoft Support Emergency Response Tool (MSERT) having been updated to scan Microsoft Exchange Server.

Microsoft Safety Scanner - updated for DearCry. Do NOT re-use previous downloads; always download the tool for each execution.

Microsoft Defender - Now has automatic remediation. With the latest security intelligence update, Microsoft Defender Antivirus and System Center Endpoint Protection will automatically mitigate CVE-2021-26855 on any vulnerable Exchange Server on which it is deployed. Customers do not need to take action beyond ensuring they have installed the latest security intelligence update (build 1.333.747.0 or newer), if they do not already have automatic updates turned on.

One Click Mitigation Tool - Read the MSRC post here.  Though it is a script, so not much clicking...

 

 

Additional Microsoft Links

The below are some additional reading links for generic and previous issues with Exchange.

Security Update Guide

Microsoft Defender Security Research Team - Defending Exchange servers under attack

Protecting Microsoft 365 from on-premises attacks

 

 

Additional Blog Links

Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

Exchange .NET support requirements

Checking .NET version using registry

Expediting .NET Framework installation

Example where .NET Framework requirement change

Exchange 2016 RecoverServer - For when a server has to be rebuilt, though this is not the first go-to action in the case of an incident.

CISA.gov  - US website for additional coverage

collecting forensic data - Discusses aspects of forensic data collection.  Please follow the guidance for your IR team

 

 

Cheers,

Rhoderick

Rhoderick Milne [MSFT]
