03.03.2021 Exchange 2010, 2013, 2016, 2019 Patch KB5000871: how to update correctly, with links

HAFNIUM targeting Exchange Servers with 0-day exploits

Important Exchange Update 03.03.2021 for all Microsoft Exchange Versions

Affected Exchange versions: 2010, 2013, 2016, 2019

     

12.03.2021

We have seen so many installations fail on certain blogs and forums. Please make sure you understand the update process for patching a special-purpose server like Exchange or SQL Server. You never patch such a core server application without reading a few things first.

There is absolutely no business justification for an outage of the e-mail system because someone wanted to patch a vulnerability within a few minutes. Microsoft does its best to put some logic into the patch files. However, they are just Windows MSP files, and the main logic for them lives in the Windows Installer module that is on every server or client from MS.

   

10.03.2021

MS has to rebuild/redo/re-tune their Exchange repair TechNet/MSDN material due to the high number of on-premise Exchange outages, mostly caused by non-Exchange (non-groupware) engineers patching complex Exchange servers in the emergency.

Repair failed installations of Exchange Cumulative and Security updates - Exchange | Microsoft Docs

https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues


REMINDER: Install any Exchange ROLLUP/CU/security update with elevated Administrator rights!

  1. Select Start, and then type cmd.
  2. Right-click Command Prompt from the search results, and then select Run as administrator.
  3. If the User Account Control window appears, select the option to open an elevated Command Prompt window, and then select Continue. If the UAC window doesn't appear, continue to the next step.
  4. Type the full path of the .msp file for the security update, and then press Enter.
  5. After the update installs, restart the server.

 

     

REMINDER: Make sure you have SCHEMA ADMIN rights for certain updates (do not update with a least-privilege account like admin.butsch or 1stlevelsupportuser1, and if you do, pre-check that it has all the rights it needs).

REMINDER: Most modern ROLLUPs/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full EXCHANGE, c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails, you will see services deactivated and Exchange missing!

     

In larger enterprise and PROXY environments, always make sure that:

* the Exchange Server computer has access to all certificate revocation list (CRL) addresses and to the network protocols related to CERTIFICATES (even when locked down, the computer MUST have WAN access for these files);

* you DISABLE certificate revocation checking in Internet Explorer 10/11 or EDGE on the server (the computer account uses those settings for the PROXY and for certificate revocation);

* to disable it temporarily: cmd.exe > iexplore.exe > Internet Options > Advanced > "Check for server certi*" < uncheck both, then restart the Exchange setup for the ROLLUP/CU.

CHECK: https://www.butsch.ch/post/The-certificate-is-invalid-for-exchange-server-usage-Exchange-2010-SANUC.aspx 

CHECK: http://www.computerladen.ch/post/Exchange-2010-SP3-RU282930-ended-prematurely-(Management-Framework-30-on-Server).aspx

   

Check certificate revocation access from Exchange to the WAN: if it's not open, go and confront the security engineer in your company who closed internet access for the server without understanding certificate revocation. Never lock down servers if you don't fully understand what they do.


Microsoft has now also explained it with a graphic, since 25% did not understand it at first glance, including everyone I know.

 https://techcommunity.microsoft.com/t5/exchange-team-blog/march-2021-exchange-server-security-updates-for-older-cumulative/ba-p/2192020

 

      

Tech links from 09.03.2021:

https://www.reddit.com/r/sysadmin/comments/m0d98h/exchange_nuked_and_reinstalled_what_can_i_and/

https://blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections

https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

      

News coverage done wrong:

Looks like the mainstream security magazines got something wrong here ;-) The patch was released at almost the same time as the one for 2013/2016/2019. 2010 was still supported and was already patched last week with a one-shot patch.

CVE we talk about:

CVE-2021-26854

Microsoft Exchange Server Remote Code Execution Vulnerability. This CVE ID is unique from CVE-2021-26412, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065, CVE-2021-27078.

 CVE-2021-26855

Is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857

Is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858

Is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065

Is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

      

Here is what we talk about:

https://nvd.nist.gov/vuln/detail/CVE-2021-26854

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.swissinfo.ch/ger/alle-news-in-kuerze/microsoft-schliesst-sicherheitsluecken-bei-exchange-software/46415548

https://www.forbes.com/sites/daveywinder/2021/03/03/microsoft-issues-critical-update-warning-as-chinese-hackers-attack-exchange-servers/?sh=5c92a6f17912

     

Microsoft made it a little bit complicated today. Here is maybe some help. They adapted their blogs and documents during the day; the first reactions to the early links were asking where the patches they mentioned actually are.

So hopefully this information will help you to get your on-premise Exchange safe soon.

 https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-march-2-2021-kb5000871-9800a6bb-0a21-4ee7-b9da-fa85b3e1d23b

Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: March 2, 2021 (KB5000871)

     

To see what version you have, use these PowerShell commands:

Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion

Invoke-Command -ScriptBlock {Get-Command Exsetup.exe | ForEach-Object {$_.FileversionInfo}}

Exchange Version overview:

Exchange Server - Build numbers and release dates | Microsoft Docs

https://docs.microsoft.com/de-de/Exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

You then see the following info:

ProductVersion FileVersion FileName

14.03.0513.000 14.03.0513.000 D:\Program Files\Microsoft\Exchange Server\V14\bin\ExSetup.exe

This changes AFTER the patch KB5000871, which makes certain Exchange versions safe. See 15.1.2106.13: that is the Exchange 2016 CU18 we patched with KB5000871.

Screenshot: the sample shows a customer on Exchange 2016 CU18 (not yet on CU19, which is not needed to be safe), 15.01.2106.002, whom we made safe with the patch (.13, lower line).

IMPORTANT and CONFUSING:

You have to be on a certain patch level (not necessarily the latest) before you can apply the hotfix which makes you safe:

  • On 2016 and 2019: one of the last two regular versions (CUs)
  • On 2010 and 2013: the last version which was released

     

These versions you can patch with the hotfix/security update KB5000871 for Exchange Server:

      

Exchange 2019: you need at minimum 2019 CU7 (if you are not on CU7, first update to at least CU7).

You don't have to update to CU8 to be safe! Just install the KB5000871 for your correct version.

     

Exchange Server 2019 CU8    December 15, 2020    15.2.792.3        15.02.0792.003

https://www.microsoft.com/en-us/download/details.aspx?id=102770 (KB5000871 Download link)

     

Exchange Server 2019 CU7    September 15, 2020    15.2.721.2        15.02.0721.002

https://www.microsoft.com/en-us/download/details.aspx?id=102771 (KB5000871 Download link)

     

If you are not on CU7 or CU8, install one of those first and then KB5000871 afterwards to be safe.

Check if you need Enterprise Admin/Schema Admin to install CU7 and CU8 (don't install with delegated admin accounts!).

Reminder: Most modern ROLLUPs/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full EXCHANGE, c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails, you will see services deactivated and Exchange missing!


Exchange 2016: you need at minimum 2016 CU18 (if you are not on CU18, first update to at least CU18).

You don't have to update to CU19 to be safe! Just install the KB5000871 for your correct version.


Exchange Server 2016 CU19    December 15, 2020    15.1.2176.2     15.01.2176.002

https://www.microsoft.com/en-us/download/details.aspx?id=102772 (KB5000871 Download link)

     

Exchange Server 2016 CU18    September 15, 2020    15.1.2106.2     15.01.2106.002

https://www.microsoft.com/en-us/download/details.aspx?id=102773 (KB5000871 Download link)

     

If you are not on CU18 or CU19, install one of those first and then KB5000871 afterwards to be safe.

Both CUs (CU18 and CU19) may make Active Directory schema updates, so you need to be Domain Admin and Enterprise/Schema Admin! The patch itself can be installed with regular permissions.

Reminder: Most modern ROLLUPs/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full EXCHANGE, c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!). If it fails, you will see services deactivated and Exchange missing!


Exchange 2013: there is only one hotfix, for the CU (CU23) which came out a year ago.

     

Exchange Server 2013 CU23    June 18, 2019        15.0.1497.2        15.00.1497.002

https://www.microsoft.com/en-us/download/details.aspx?id=102775 (KB5000871 Download link)

     

If you are not on CU23, install CU23 first and then KB5000871 afterwards to be safe.

Reminder: Most modern ROLLUPs/CUs for Exchange a) save the config to many XML files, b) do a complete uninstall of the full EXCHANGE, c) re-install the full Exchange with the settings from the XML files (do not interrupt, wait until it's done!).


Exchange 2010: there is a new Rollup 32, free to all customers. Install RU32 and you are good. It came out today and includes all you need.

Exchange Server 2010 SP3 Rollup 32 (released today, 03.03.2021; you can install it without ESU)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2010-service-pack-3-march-2-2021-kb5000978-894f27bf-281e-44f8-b9ba-dad705534459

 https://www.microsoft.com/en-us/download/details.aspx?id=102774 (KB5000871 Download link)
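As an added example (not code from the original article), the two version commands and the CU table above can be turned into a small readiness check: it reads the ExSetup.exe file version, maps the major.minor.build part to the CU, and tells you whether the server is on a CU that can take KB5000871 and whether the revision still equals the unpatched base build. The only patched revision taken from the article is 15.1.2106.13 for 2016 CU18; for the other CUs the script only reports that a newer revision is present and asks you to confirm it against the KB article. It assumes it is run in the Exchange Management Shell (for Get-Command ExSetup.exe); the commented calls at the end are constructed inputs for an offline check.

```powershell
# Added example, not from the original article: classify the ExSetup.exe file
# version against the KB5000871 prerequisite table above.
# Assumption: run in the Exchange Management Shell on the server (Get-Command
# ExSetup.exe), or pass a version string to Test-KB5000871Readiness offline.

# CU baselines that can receive KB5000871 (major.minor.build -> CU), from the table above.
$KB5000871Baselines = @{
    '15.2.792'  = 'Exchange 2019 CU8'
    '15.2.721'  = 'Exchange 2019 CU7'
    '15.1.2176' = 'Exchange 2016 CU19'
    '15.1.2106' = 'Exchange 2016 CU18'
    '15.0.1497' = 'Exchange 2013 CU23'
}
# Revision (last field) of the unpatched CU, from the table above.
$UnpatchedRevision = @{
    '15.2.792' = 3; '15.2.721' = 2; '15.1.2176' = 2; '15.1.2106' = 2; '15.0.1497' = 2
}
# Patched revision the article shows for its customer: 2016 CU18 goes from .2 to .13.
# For the other CUs compare the revision with the KB5000871 article (not listed here).
$PatchedRevision = @{ '15.1.2106' = 13 }

function Get-ExSetupFileVersion {
    # Same source as the article's Invoke-Command one-liner.
    (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
}

function Test-KB5000871Readiness {
    param([Parameter(Mandatory = $true)][string]$FileVersion)
    # ExSetup reports zero-padded fields such as 15.01.2106.002; [int] drops the padding.
    $parts = @($FileVersion.Split('.') | ForEach-Object { [int]$_ })
    if ($parts.Count -ne 4) { throw "Unexpected version string: $FileVersion" }
    $cu  = '{0}.{1}.{2}' -f $parts[0], $parts[1], $parts[2]
    $rev = $parts[3]

    if ($parts[0] -eq 14) {
        $status = 'Exchange 2010 SP3: install Update Rollup 32 (KB5000978); there is no KB5000871 for this version'
    } elseif (-not $KB5000871Baselines.ContainsKey($cu)) {
        $status = 'CU not in the supported list: update to one of the CUs above first, then apply KB5000871'
    } elseif ($rev -eq $UnpatchedRevision[$cu]) {
        $status = "$($KB5000871Baselines[$cu]) at its base build: KB5000871 is NOT installed, apply it"
    } elseif ($PatchedRevision.ContainsKey($cu) -and $rev -eq $PatchedRevision[$cu]) {
        $status = "$($KB5000871Baselines[$cu]) with KB5000871 installed"
    } elseif ($rev -gt $UnpatchedRevision[$cu]) {
        $status = "$($KB5000871Baselines[$cu]) with a security update newer than the base CU; confirm revision $rev against the KB5000871 article"
    } else {
        $status = "$($KB5000871Baselines[$cu]) with an unexpected revision $rev; check the build-number page"
    }
    New-Object PSObject -Property @{ FileVersion = $FileVersion; CU = $cu; Revision = $rev; Status = $status }
}

# On the server: classify the installed build.
Test-KB5000871Readiness -FileVersion (Get-ExSetupFileVersion)
# Constructed inputs for an offline check:
# Test-KB5000871Readiness '15.01.2106.002'   # CU18 base build, unpatched
# Test-KB5000871Readiness '15.01.2106.013'   # CU18 patched with KB5000871
```

Run it on every Exchange server in the organization (for example through the Invoke-Command shown above) and act on the Status column before you touch anything.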


Install the MSP patch and the CU/ROLLUP the right way so you see more info (installer logging):

* Check the PowerShell execution policy: get-executionpolicy -list

* Check that UAC is OFF

* Run it elevated or it will not work

* Stop scheduled things like backups, NetApp snapshots, Veeam tasks and maybe the antivirus solution

* Make a link to cmd.exe on your desktop and run that elevated

* From that cmd.exe navigate to the patch and run it, for example: Exchange2016-KB5000871-x64-de.msp /lvx C:\KB5000871_InstallationLogFile.log


Or with a batch file. Same thing: it's important that you install the patch only elevated, with Run as Administrator.

:: ExchangeServer2016-x64-CU18_HOTFIX
:: V1.0, 03.03.2021, M. Butsch, First Release
:: -----------------------------------------------------------------------------------------------------------------------
cls
@echo off
echo ACHTUNG auf GPO's fuer Powershell oder UAC ACHTUNG
echo -----------------------------------------------------------------------
echo - Execution Policy Powrshell angepasst? get-executionpolicy -list
echo - revoke Cert IE angepasst?
echo - UAC abgestellt
echo -----------------------------------------------------------------------
pause
C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\Exchange2016-KB5000871-x64-de.msp /lvx C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\KB5000871_InstallationLogFile.log
pause
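The same checklist as a PowerShell pre-flight script, added here as an example (it is not code from the original article): it checks elevation, UAC, the Internet Options server certificate revocation setting, the execution policy per scope and the Domain/Enterprise/Schema Admins group membership of the current token, and only then starts the .msp through msiexec with the same /lvx log the batch file uses, capturing the exit code. $Msp and $Log are placeholders taken from the batch example above; the registry values queried (EnableLUA, CertificateRevocation) are the standard Windows locations for those two settings.

```powershell
# Added example, not from the original article: the pre-flight checks from the
# checklist above, then the same .msp /lvx install via msiexec with the exit code
# captured. Assumptions: $Msp and $Log are placeholders for your own paths; run
# from an elevated PowerShell on the Exchange server.
$Msp = 'C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\Exchange2016-KB5000871-x64-de.msp'
$Log = 'C:\edv\ExchangeServer2016-x64-CU18_HOTFIX\KB5000871_InstallationLogFile.log'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-AdminGroupMembership {
    # Group names from the current token that matter for schema/CU updates.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $id.Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { }
    } | Where-Object { $_ -match 'Schema Admins|Enterprise Admins|Domain Admins' }
}

function Get-PreflightFindings {
    $findings = @()
    if (-not (Test-Elevated)) { $findings += 'Not elevated: start cmd.exe/PowerShell with "Run as administrator"' }
    # UAC: EnableLUA = 1 means UAC is on (the checklist wants it off for the install).
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($sys.EnableLUA -eq 1) { $findings += 'UAC is enabled' }
    # Internet Options > Advanced > "Check for server certificate revocation" (1 = on).
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    if ($inet.CertificateRevocation -eq 1) { $findings += 'Server certificate revocation checking is on in Internet Options' }
    # Same as the checklist's get-executionpolicy -list, flagging restrictive scopes.
    Get-ExecutionPolicy -List | Where-Object { @('Restricted', 'AllSigned') -contains "$($_.ExecutionPolicy)" } |
        ForEach-Object { $findings += "Execution policy $($_.ExecutionPolicy) in scope $($_.Scope)" }
    if (-not (Get-AdminGroupMembership)) {
        $findings += 'Token has no Domain/Enterprise/Schema Admins group (fine for the .msp, not for a CU)'
    }
    return $findings
}

function Install-ExchangeMsp {
    param([string]$Path, [string]$LogPath)
    if (-not (Test-Path $Path)) { throw "Patch not found: $Path" }
    # Equivalent of running "<patch>.msp /lvx <log>" from the elevated cmd.exe.
    $arguments = '/update "{0}" /lvx "{1}"' -f $Path, $LogPath
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $arguments -Wait -PassThru
    return $proc.ExitCode   # 0 = ok, 3010 = ok but reboot required, 1603 = fatal error, read the log
}

$findings = @(Get-PreflightFindings)
if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Warning 'Fix the findings above before starting the patch.'
} else {
    $code = Install-ExchangeMsp -Path $Msp -LogPath $Log
    "msiexec exit code $code, log: $Log"
}
```

The exit code alone is only a first signal (see the remark on MSI error 1603 further down); the /lvx log and C:\ExchangeSetupLogs are where the real cause shows up.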

   

Exchange 2016, Outlook 2016, Connection Status ERROR* Fehler*

Problem: Exchange 2016, Outlook 2016, Connection Status ERROR* Fehler*

Solution: Install Outlook 2016 Patch KB3115101


Unfortunately, one keeps falling into this trap. You search at every end around ciphers or Kerberos, and in the end it is a simple MS KB patch. Probably integrated into the on-premise WSUS but, for lack of time, not installed on the test clients ;-)

 

Solution: Outlook 2016 KB3115101

 

https://www.microsoft.com/de-DE/download/details.aspx?id=52017


"Suppose that Outlook 2016 is on an Exchange server on an intranet with MAPI over HTTP transport protocol. If you use the Connection Status dialog box, the Authn Error * column shows * but no login*."


Error:


Although this works and Authentication shows "Negotiate/Aushandeln":

 

Exchange 2016 settings in co-existence with 2010:

After installing the patch it then looks like this:

 

Error: "Exchange OWA HTTP500 Internal Server Error" after OWA Logon

 


You see the logon screen of Exchange OWA. You log on with valid credentials. After logon you receive a website error:

Solution/Reason/Source: the service "Microsoft Exchange Forms-Based Authentication Service" is not started or has crashed.

 

This was hard to find since it was behind a KEMP and during a 2010-2016 migration. But indeed very simple. The service "Microsoft Exchange Forms-Based Authentication Service" was not started on one CAS behind the KEMP load balancer. Depending on the complexity of your KEMP health checks, the NLB fails over to the other CAS or not.

When you search for routes, ciphers and everything, you seem to forget simple things like services.

We found a lot of blogs which mentioned that this was solved and related to the fact that the VM running the CAS had too little RAM. Either check all services after reboot with scripts or give it more RAM ;-)


If this does not solve it please also see:

Exchange 2013 Troubleshooting: Error 500 when login ECP and OWA - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

https://social.technet.microsoft.com/wiki/contents/articles/34020.exchange-2013-troubleshooting-error-500-when-login-ecp-and-owa.aspx

Recycle APP Pool in IIS

OR

  1. Go to the Run window and type "ADSIEDIT.msc".
  2. After opening ADSIEDIT, go to the Action menu, choose "Connect to" and then navigate to
    1. "Select a well known Naming Context"
  3. Select Configuration and select OK.
  4. Go to CN=Configuration, then CN=Services, then CN=Microsoft Exchange, then CN=Your DOMAIN Name, and navigate to CN=Client Access.
  5. Right-click CN=Client Access and click Properties. Scroll down to look for the values:
    1. msExchCanaryData0
    2. msExchCanaryData1
    3. msExchCanaryData2
    4. msExchCanaryData3
  6. Take a backup to be safe and clear all these values to <not set>. If the values are already <not set>, try Solution 1 (recycle the app pool).
  7. Open IIS Manager on your CAS server, go to "Application Pools", right-click MSExchangeOWAAppPool and click Recycle.
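The two fixes for the OWA HTTP 500 (stopped FBA service, stale canary data) as one script, added here as an example and not code from the original post. It lists automatic MSExchange* services that are not running (the FBA service name is MSExchangeFBA), and only if nothing is stopped does it back up the four msExchCanaryData values from CN=Client Access under the organization object, clear the ones that are set, and recycle MSExchangeOWAAppPool. It assumes the Exchange Management Shell on the CAS with the ActiveDirectory and WebAdministration modules available; $BackupDir is a placeholder.

```powershell
# Added example, not from the original post: the OWA HTTP 500 checks above as a
# script. Assumptions: run in the Exchange Management Shell on the CAS with the
# ActiveDirectory and WebAdministration modules available; $BackupDir is a placeholder.
Import-Module ActiveDirectory
Import-Module WebAdministration

$BackupDir = 'C:\edv\canary-backup'
$CanaryAttributes = @('msExchCanaryData0', 'msExchCanaryData1', 'msExchCanaryData2', 'msExchCanaryData3')

function Get-StoppedExchangeServices {
    # Automatic MSExchange* services that are not running; in the post it was
    # "Microsoft Exchange Forms-Based Authentication" (service name MSExchangeFBA).
    Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode = 'Auto' AND State <> 'Running'" |
        Select-Object Name, DisplayName, State
}

function Get-ClientAccessContainer {
    # CN=Client Access directly under the Exchange organization object in the configuration partition.
    $orgDn = (Get-OrganizationConfig).DistinguishedName
    Get-ADObject -Identity "CN=Client Access,$orgDn" -Properties $CanaryAttributes
}

function Clear-CanaryData {
    # Steps 6 and 7 above: back up the four values, clear the ones that are set, recycle the OWA pool.
    $obj = Get-ClientAccessContainer
    $set = @($CanaryAttributes | Where-Object { $null -ne $obj.$_ })
    if ($set.Count -eq 0) {
        return 'Canary values are already <not set>; recycle MSExchangeOWAAppPool and check the FBA service instead'
    }
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $backup = Join-Path $BackupDir ('canary-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
    $obj | Select-Object (@('DistinguishedName') + $CanaryAttributes) | Export-Clixml -Path $backup
    Set-ADObject -Identity $obj.DistinguishedName -Clear $set
    Restart-WebAppPool -Name 'MSExchangeOWAAppPool'
    return "Cleared $($set -join ', '), backup in $backup, MSExchangeOWAAppPool recycled"
}

$stopped = @(Get-StoppedExchangeServices)
if ($stopped.Count -gt 0) {
    $stopped | Format-Table -AutoSize
    Write-Warning 'Start the stopped services first (FBA was the cause in the post); only clear the canary data if the error persists.'
} else {
    Clear-CanaryData
}
```

The service check is the one to run after every reboot of a CAS behind a load balancer; the canary clearing is the last resort and is kept behind the backup so the values can be restored from the XML file with Set-ADObject -Replace if needed.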

Exchange 2010 SP3 RU28/29/30 ended prematurely (Management Framework 3.0 on Server)

Server 2008 R2, Exchange 2010 SP3, Rollup 27 installed, 2x DAG mailbox servers (NetApp SnapManager for Exchange 7.2.1); the CAS servers all upgraded fine to RU30.

 

This KB is all about a built-in Exchange 2010 PowerShell script from Microsoft, in which they complain or wonder about PowerShell from Microsoft. A finally statement carries the following comment:

"Curious PS behavior: It appears that 'return' trumps 'throw', so don't return..."

 

What we try to do:

We install RU28/29 or 30 on Exchange 2010 SP3 together with some "world famous" NetApp software for Exchange backup (SnapManager) or some NetApp partner tool.

Because it's "freaky", the NetApp people install Microsoft Management Framework 3.0 or 4.0, so they have a little plug-in somewhere or can play around with PowerShell to show off their skills to other people. Because their football-field-size compatibility matrix says they have to upgrade, they upgrade.

So the real problem is the Management Framework 3.0 or 4.0 installed by some NetApp software or a partner plug-in from a NetApp company.

 

This is what happens:

Regular approved setup, elevated, services that are not needed stopped, execution policy Unrestricted.

Error

Setup Wizard for Update Rollup for Exchange Server 2010 Service Pack 3 ended prematurely because of an error. Your system has not been modified. To install this program at a later time, please run the installation again.

 

Event 1023, Msiinstaller, Application, Update Rollup

 

As always, you did check:

  • The account you update with is not some locked-down admin.s / admin.c user which has no schema or AD permissions
  • Set-ExecutionPolicy Unrestricted
  • Disabled the certificate revocation check in IE/Edge > Options
  • Made a cmd.exe shortcut on the desktop and ran that ELEVATED (Run as Administrator)
  • Briefly disabled AV, even if it's McAfee ENS ;-)

But that was not the error here…

 

Try to re-run it with the logging option so you see more:

D:\edv\RU30\Exchange2010-KB4536989-x64-en.msp /lvx D:\edv\RU30\RU30_InstallationLogFile.log

Also check everything under C:\ExchangeSetupLogs\*.log

 

Logfile Debug:

MSI (c) (C4:C8) [21:28:16:082]: Product: Microsoft Exchange Server - Update 'Update Rollup 30 for Exchange Server 2010 Service Pack 3 (KB4536989) 14.3.496.0' could not be installed. Error code 1603. Additional information is available in the log file D:\edv\Exchange_2010_SP3_ROLLUP_30\RU30_InstallationLogFile.log.

 

MSI (c) (C4:C8) [21:28:16:082]: Windows Installer installed an update. Product Name: Microsoft Exchange Server. Product Version: 14.3.123.4. Product Language: 1033. Manufacturer: Microsoft Corporation. Update Name: Update Rollup 30 for Exchange Server 2010 Service Pack 3 (KB4536989) 14.3.496.0. Installation success or error status: 1603.

MSI (c) (C4:C8) [21:28:16:113]: MainEngineThread is returning 1603

 

Remark Butsch:

 

The returned MSI error normally helps if the MSI just copied a few files and registry keys. If the MSI starts a hundred PowerShell scripts and one of them fails, the error means almost nothing. That's like triggering a start.cmd which calls a start.bat which calls a start.vbs, and somewhere in there you should have captured an %errorlevel%.

Let's search for [ERROR] in all Exchange logs, for example under c:\exchangesetuplogs\*.log

Check the logfile C:\ExchangeSetupLogs\ServiceControl.log for [ERROR]:

 

[20:18:24] [Error] System.Management.Automation.ParseException: At D:\Program Files\Microsoft\Exchange Server\V14\Scripts\ManageScheduledTask.ps1:462 char:5

+ return $success

 

Solution 1:

Microsoft recommends to UNINSTALL Management Framework 3.0 or 4.0 > install the Rollup > RE-install Management Framework 3.0 or 4.0, and pray.

Solution 2:

Just give the Service Pack RU (the PowerShell script) what it wants: a return value $success ;-) As you can guess, not officially supported, says the guy who wrote the comments in the PS code. It happens right at the beginning, when the Rollup checks services, checks that PowerShell runs, etc.

Back up the file, then modify ManageScheduledTask.ps1 in "D:\Program Files\Microsoft\Exchange Server\V14\Scripts" at line 462.

Change line 462 from "Return $success" to "# Return $success"

Just put the # and a space in front of it (comment it out).

OR this worked too…

Change the line "Return $success" to "Write-Output $success"
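Solution 2 as a script, added here as an example (not code from the original post or from Microsoft): it backs up ManageScheduledTask.ps1, refuses to touch the file unless line 462 really is "return $success", swaps the keyword for Write-Output while keeping the indentation, and then checks that the file parses with the PowerShell version that is now installed (the ParseException in ServiceControl.log comes from exactly that step). It assumes $env:ExchangeInstallPath points at the Exchange 2010 install root and that the execution policy is Unrestricted, because editing the file invalidates its Authenticode signature.

```powershell
# Added example, not from the original post: apply Solution 2 with a backup and a
# parse check. Assumptions: $env:ExchangeInstallPath points at the Exchange 2010
# install root (D:\Program Files\Microsoft\Exchange Server\V14\ in the post) and
# the execution policy is Unrestricted, since editing the file invalidates its
# Authenticode signature.
$ScriptPath = Join-Path $env:ExchangeInstallPath 'Scripts\ManageScheduledTask.ps1'
$LineNumber = 462   # the line the ParseException in ServiceControl.log points at

function Test-ScriptParses {
    param([string]$Path)
    # Builds a script block from the file with the PowerShell version that is now
    # installed (3.0/4.0 after the Management Framework); a ParseException here
    # means the rollup's ServiceControl step would fail the same way.
    try {
        [scriptblock]::Create([IO.File]::ReadAllText($Path)) | Out-Null
        return $true
    } catch {
        Write-Warning $_.Exception.Message
        return $false
    }
}

function Repair-ManageScheduledTask {
    param([string]$Path = $ScriptPath, [int]$Line = $LineNumber)
    $lines = [IO.File]::ReadAllLines($Path)
    $idx = $Line - 1
    # Only touch the file if the line is exactly the one the post describes.
    if ($idx -ge $lines.Count -or $lines[$idx].Trim() -ne 'return $success') {
        throw "Line $Line is not 'return `$success' but: $($lines[$idx])"
    }
    $backup = '{0}.{1:yyyyMMdd-HHmmss}.bak' -f $Path, (Get-Date)
    Copy-Item -Path $Path -Destination $backup
    # Second variant from the post: emit the value instead of returning from the
    # finally block; leading whitespace is kept.
    $lines[$idx] = $lines[$idx] -replace '\breturn(\s+\$success)', 'Write-Output$1'
    [IO.File]::WriteAllLines($Path, $lines)
    New-Object PSObject -Property @{
        Backup  = $backup
        NewLine = $lines[$idx]
        Parses  = (Test-ScriptParses $Path)
    }
}

"Before the fix the script parses: $(Test-ScriptParses $ScriptPath)"
Repair-ManageScheduledTask
```

If Parses comes back $false after the edit, restore the .bak file and fall back to Solution 1 (uninstall the Management Framework) rather than editing further; the file is Microsoft's and a CU will overwrite it anyway.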

 

The comments speak for themselves in this Microsoft script. Microsoft about Microsoft ;-)

How to turn off Autodiscover Warning in Outlook 2010, 2013, 2016, 2019

How to turn off Autodiscover Warning in Outlook 2010/2013/2016/2019 (Exchange 2010/2013/2016)

Warnung: Das Konto wurde fuer die Einstellung auf die Website umgeleitet

https://support.microsoft.com/en-us/help/2480582/how-to-suppress-the-autodiscover-redirect-warning-in-outlook

A little bit more explained than in the Microsoft KB, and with a check so that you ONLY set the registry key if that Office version is actually installed. During migrations you could otherwise run into trouble if this key re-applies just at the time you migrate to the next Office version.

This is for after you have done split DNS and integrated Autodiscover like you should.

http://www.butsch.ch/post/Exchange-200720102013-with-SPLIT-DNS-and-ONE-single-Certificate.aspx

 

We have:

Autodiscover.butsch.ch    (Exchange Server Autodiscover DNS entries)

mail.butsch.ch (Exchange Server)

This is what we don't want:

Make a new GPO policy.

Create a new GPO:

 

Registry Keys:

"Software\Microsoft\Office\14.0\Outlook\AutoDiscover\RedirectServers" (Office 2010)

"Software\Microsoft\Office\15.0\Outlook\AutoDiscover\RedirectServers" (Office 2013)

"Software\Microsoft\Office\16.0\Outlook\AutoDiscover\RedirectServers" (Office 2016)

Office 97 - 7.0

Office 98 - 8.0

Office 2000 - 9.0

Office XP - 10.0

Office 2003 - 11.0

Office 2007 - 12.0

Office 2010 - 14.0 (sic!)

Office 2013 - 15.0

Office 2016 - 16.0

Office 2019 - 16.0 (sic!)
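The per-version check described above, added here as an example and not code from the original post: for each Office version number from the table it tests whether that version is installed and only then creates the RedirectServers key and the entry for mail.butsch.ch (the article's Exchange host). It assumes installation can be detected through the Office InstallRoot key under HKLM (a reasonable check, but an assumption for Click-to-Run installs), and it follows KB2480582 for the value format: a REG_SZ named after the HTTPS host with empty data. Run it in user context, for example as a GPO logon script.

```powershell
# Added example, not from the original post: set the RedirectServers entry from
# KB2480582 only for Office versions that are actually installed.
# Assumptions: mail.butsch.ch is the article's Exchange host; installation is
# detected via the Office InstallRoot key (an assumption for Click-to-Run builds).
$RedirectHost = 'mail.butsch.ch'
# Version numbers from the table above; 2016 and 2019 both use 16.0.
$OfficeVersions = @{ '14.0' = 'Office 2010'; '15.0' = 'Office 2013'; '16.0' = 'Office 2016/2019' }

function Test-OfficeVersionInstalled {
    param([string]$Version)
    # Office writes its install path under Common\InstallRoot; check both the
    # native and the 32-bit-on-64-bit registry views.
    foreach ($hive in @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')) {
        $key = "$hive\Microsoft\Office\$Version\Common\InstallRoot"
        if (Test-Path $key) { return $true }
    }
    return $false
}

function Set-AutodiscoverRedirectServer {
    param([string]$Version, [string]$HostName = $RedirectHost)
    # Same key as listed above, per Office version, in the user's hive.
    $key = "HKCU:\Software\Microsoft\Office\$Version\Outlook\AutoDiscover\RedirectServers"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # KB2480582: a REG_SZ whose NAME is the HTTPS host Autodiscover may redirect
    # to without the warning; the data stays empty.
    New-ItemProperty -Path $key -Name $HostName -Value '' -PropertyType String -Force | Out-Null
    return $key
}

function Invoke-RedirectServerSetup {
    foreach ($v in ($OfficeVersions.Keys | Sort-Object)) {
        if (Test-OfficeVersionInstalled -Version $v) {
            "$($OfficeVersions[$v]): entry '$RedirectHost' set in $(Set-AutodiscoverRedirectServer -Version $v)"
        } else {
            "$($OfficeVersions[$v]): not installed, key skipped"
        }
    }
}

Invoke-RedirectServerSetup
```

Because the key is written only for versions that exist on the client, a stale 14.0 or 15.0 entry cannot reappear after the Office upgrade, which is the migration trap the text above warns about.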