Microsoft Exchange Server security gaps: Current build numbers, overview of all updates and testing
A ADVICE from David Wurm 
on August 24, 2021, 10:00 pm | 2 comments
Microsoft's Exchange Server just can't get away from bad headlines. In addition, you can no longer look through Microsoft's update jungle: Which CU is safe? Do I have all the patches? Has the prepare scheme been completed? In this guide we clarify what the current security updates are and how to easily perform a "vulnerability check" on the Exchange server.
Since March, Microsoft has been releasing security patches for their Exchange servers almost monthly Proproducts, which Vulnerabilities which are not to be underestimated. Admins are urged to keep their Exchange servers up to date. In March the Hafnium gap, Further Patches in April and the new Pwn2Own holes with the patch from May 2021. In addition, there are important security updates from July 2021. You should still have someone look through which patches are now installed. Fortunately, Microsoft is now offering a remedy here.
Jump to section
- 1 Microsoft Exchange Server: Find out the version and security patch of the server
- 2 Microsoft Exchange Server: Current Build Numbers (August 2021)
- 3 Microsoft Exchange Server: The latest security updates
- 4 Exchange Server: Check whether all updates have been installed ("Vulnerability Check")
- 5 Addition: PrintNightmare gap
Microsoft Exchange Server: Find out the version and security patch of the server
Before starting the updates, you should get an overview of which version (CU) is currently being used. There is the already known command for this, which is executed in the Exchange Management Shell:
Get-ExchangeServer | Format-List Name, Edition, AdminDisplayVersion
This provides the current build number in short format (AdminDisplayVersion), which you can use with the Overview at Microsoft can be assigned to a CU. An Exchange Server 2016 with AdminDisplayVersion "Version 15.1 (Build 2242.4)", thus build number "15.1.2242.4", currently has CU 20.
Since this only helps to a limited extent in this case, the current status of the security patch (SU) can also be checked. To do this, copy the following command into the Exchange Management Shell as a whole, press Enter and wait a little:
$ExchangeServers = Get-ExchangeServer | Sort-Object Name
ForEach ($Server in $ExchangeServers) {
Invoke-Command -ComputerName $Server.Name -ScriptBlock { Get-Command Exsetup.exe | ForEach-Object { $_.FileversionInfo } }
}Then we get the "FileVersion" displayed, which gives the build number in long format. In this example, the output "15.01.2242.012" would indicate the following update status, which means that all available updates for CU 20 have been installed:
Picture: TechnikNews
Microsoft Exchange Server: Current Build Numbers (August 2021)
The long build version of the Exchange server shouldn't at least If you have the following numbers, you should quickly start installing the latest security updates.
Important: A current version number does not necessarily mean that all previous security updates have been correctly installed. The latest security update from July 2021 only fixes older gaps up to and including March 2021. The security updates from April and May must be installed separately. To check whether you have really installed all updates - and also correctly - scroll down to "Vulnerability Check".
Exchange 2013
- CU 23: 15.00.1497.023 (July 2021 security update installed)
Exchange 2016
- CU 19: vulnerable, latest security update only available with CU 20
- CU 20: 15.01.2242.012 (July 2021 security update installed)
- CU 21: 15.01.2308.014 (July 2021 security update installed)
Exchange 2019
- CU 9: vulnerable, latest security update only available with CU 10
- CU 10: 15.02.0858.015 (July 2021 security update installed)
- CU 11: 15.02.0922.013 (July 2021 security update installed)
Microsoft Exchange Server: The latest security updates
A short summary of which security updates should definitely be installed for the respective Exchange version. The security updates for Pwn2Own (from May 2021) also patch the hafnium holes from March. Attention: Otherwise, a newer security update from July 2021 does not fill an older gap from previous updates (April, May)!
No updates (especially the very critical ones from March, April and May) installed so far? Congratulations, most likely the server is already a source of spam and the vulnerabilities are already being actively exploited. Cryptotrojans, backdoors and other viruses are aheadprogrammed. In order to save the job as an IT admin, the server should be taken offline immediately, checked for signs of possible intrusions, a clean old backup imported and urgently started to catch up on all updates from April.
Poor kid #ProxyLogon pic.twitter.com/1MlUwBRUAU
- Florian Roth (@ cyb3rops) March 10, 2021
The following applies to all updates: All setups should be executed in open CMD or PowerShell with administrator rights. This is the only way to ensure a smooth update. An update via Windows Update is also possible Proproblems, as some notes must be observed (more on this below).
Exchange 2013
Exchange 2016
- CU 19 (December 2019): KB5001779 (April 2021), KB5003435 (May 2021), KB5004779 (Attention, no update available for this vulnerability in CU 19! -> Update to CU 20 / CU 21 necessary)
- UC 20 (March 2021): KB5001779 (April 2021), KB5003435 (May 2021), KB5004779* (July 2021)
- UC 21 (June 2021): KB5004779* (July 2021)
Exchange 2019
- CU 8 (December 2019): KB5001779 (April 2021), KB5003435 (May 2021), KB5004780 (Attention, no update available for this vulnerability in CU 8! -> Update to CU 9 / CU 10 necessary)
- UC 9 (March 2021): KB5001779 (April 2021), KB5003435 (May 2021), KB5004780* (July 2021)
- UC 10 (June 2021): KB5004780* (July 2021)
Case studies based on Exchange 2016
- 1 example: An Exchange 2016 is used in CU 20. If no security patches have been installed by August 2021, all updates from April, May and July must be installed step-by-step.
- 2 example: An Exchange 2016 is used in CU 20, which will be updated to CU 21 in June. Only the security update from July 2021 needs to be installed, as a CU update contains all security updates prior to their release date. Since CU 21 was released in June, it already contains the security patches from April, May and before.
- 3 example: An Exchange 2016 is used in CU 19. Warning, the server is vulnerable as there is no longer an update available for the latest security vulnerability. An update to CU 21 is strongly recommended (with a detour via CU 20). The July 2021 security update for CU 21 must then be installed.
The same examples are of course equally valid when operating an Exchange 2019. After installing the above updates, a PrepareSchema update must be carried out, see the next section.
Carry out PrepareSchema: Necessary for updates from July 2021 (marked with *)
For updates marked with an asterisk above, further steps are required to close the gap completely. This is a schema update that must be carried out.
What to do with the currently used version ...
Exchange 2013CU23
First install the security update as usual with administrator rights in PowerShell / CMD. Then carry out the schema update from the updated setup files in the CMD / PowerShell with administrator rights:
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms
Exchange 2016CU20
Carry out a schema update with the files from the CU 21 setup files. So first install the security patch as usual with administrator rights in PowerShell / CMD. Then download the ISO file from CU 21, double-click (in the following attached under F :), then carry out a schema update in the CMD / PowerShell with administrator rights. The setup itself does not have to be started, so no update to CU 21 is required:
"F:\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms
Exchange 2016CU21
If a schema update has already taken place with the update to CU 21, no further action is required. Otherwise restart the setup from CU 21 with a schema update:
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms
Exchange 2019CU9
Carry out a schema update with the files from the CU 10 setup files. So first install the security patch as usual with administrator rights in PowerShell / CMD. Then download the ISO file from CU 10, double-click (in the following attached under F :), then carry out a schema update in the CMD / PowerShell with administrator rights. The setup itself does not have to be started, so no update to CU 10 is required:
"F:\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms
Exchange 2019CU10
If a schema update has already taken place with the update to CU 21, no further action is required. Otherwise restart the setup from CU 21 with a schema update:
"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Setup.exe" /PrepareSchema /IAcceptExchangeServerLicenseTerms
Exchange Server: Check whether all updates have been installed ("Vulnerability Check")
Microsoft now offers a HealthChecker, which knows all known security gaps and checks for installed security updates. The current version can here can be downloaded and is not assumed to be "latest v2 release" (for Exchange Server 2010) as - when quickly skimming over it - but the first link directly: Download HealthChecker.ps1.
The source code of the health checker can be found in this GitHub repository can be viewed. After the download, you run the script in the Exchange Management Shell. The parameter for specifying the server is optional, otherwise the script simply checks the local server:
.\HealthChecker.ps1
or
.\HealthChecker.ps1 -Server "EXSRV01"
After the run, some warnings can be issued that can be useful for further performance optimization. Even more important are the warnings about security patches not installed, if any are found. There is another command to output a practical HTML report:
.\HealthChecker.ps1 -BuildHtmlServersReport -HtmlReportFile "EXSRV01check.html"
This can be opened through the generated file (EXSRV01check.html) simply with a double click in the browser and thus viewed even more legibly. Otherwise there is only a .txt log file that lists all checks.
Have all checks been carried out successfully? Congratulations, the server should be safe from all known security holes. Then until the next gap ... oh yes, don't forget: Are all available updates for Windows Server installed via Windows Update?
Addition: PrintNightmare gap
The security holes with the Windows Spooler are one more thing. However, if you do not need printer services on your Exchange server, you should also deactivate the printer service at the same time. To do this, search for “Print Spooler” in the Windows services, double-click on it and set the service to “Deactivated”. Then there shouldn't be any reason to worry here.
However, if you need the printer service, you should import all current security updates via Windows Update. However, this may not mean everything has been done, not all gaps have been completely resolved as of August 2021. More information on this topic is available in a detailed article by MSXFAQ.
Thanks for the great compilation. Only now have I really understood how the PrepareSchema has to be carried out exactly and in which order. Thanks very much!
Lg Thomas
Hello Thomas, thank you for your feedback! It's great that you are now hopefully up to date with your servers! LG, David from TechnikNews