Keep on Patching

Fifteen weeks on from the Hafnium fiasco, I hope those responsible for Exchange Server maintenance haven’t forgotten the need to keep their on-premises fully patched and up to date. Microsoft has released security updates to address issues like the remote code vulnerability reported in CVE-2021-34473 and CVE-2021-31206. The updates apply to:

  • Exchange Server 2013 CU23.
  • Exchange Server 2016 CU20 and CU21.
  • Exchange Server 2019 CU9 and CU10.

All servers, including those used for hybrid account management, must be updated.

Obviously, if you haven’t updated Exchange Server to one of the releases updated above, some extra effort is necessary to get to a suitable build.

Like taking a second vaccination dose to protect against Covid-19, full protection isn’t assured unless you also apply an Active Directory schema update. If you’re running Exchange 2016 CU21 or Exchange 2019 CU10, you’re already protected. Those running Exchange 2016 CU20 or Exchange 2019 CU9 need to extend the schema using the June 2021 cumulative updates.

For Those Running Exchange 2013

While Exchange 2016 and 2019 received schema updates through cumulative updates, Exchange 2013 was not updated in June 2021. Special processing is therefore needed for Exchange 2013 servers when Exchange 2013 is the latest server version in the organization (if it’s not, the schema updates are done when cumulative updates are applied to Exchange 2016 or 2019).

  • Go ahead and install the security update for Exchange 2013 CU23. This leaves some updates schema files on the server but does not install them. Microsoft uses the security update to distribute the schema files to servers in the absence of a cumulative update.
  • When you’re ready to extend the schema, run Setup.exe to perform the update (/prepareschema from v15\Bin). Setup will use the updated schema files left by the security update to apply the changes to Active Directory.

As always make sure that you apply Exchange server updates using an administrator account with elevated permissions. And (as pointed out in the comments), make sure that your server certificates are still valid.

Block the Attackers

One of the lessons we learned from Hafnium is how easy it is for attackers to exploit new weaknesses discovered in on-premises servers. The imperative is for administrators to stay on top of problems by installing security updates as soon as possible after Microsoft releases code. If you don’t, your servers might be on the target list for the next attack, and that wouldn’t be nice.

About the Author

Tony Redmond

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He is the lead author for the Office 365 for IT Pros eBook, the only book covering Office 365 that is updated monthly to keep pace with change in the cloud. Apart from contributing to Practical365.com, Tony also writes at Office365itpros.com to support the development of the eBook. He has been a Microsoft MVP since 2004.

Comments

  1. Mike

    Hi Tony,

    Are the security updates cumulative, or do I have to install each monthly security update sequentially?

    I found conflicting answers online, so…

    Thanks
    Mike

  2. T

    I’m a little confused. After upgrading to CU20, do I also need to install the two ISU sec updates? I thought they would be included but the more I look at the more I think I didn’t really patch the server very well!

  3. Shoumorish Debnath

    Hello ,

    I have Exchange 2013 on premises running with Microsoft Exchange Server_KB5003435, I want to update the patch in KB5004778, Can you suggest whether I go ahead with this patch update.

  4. Henkjan

    Applied the update, but the Schema update not yet, can i ran schema update during production?
    We have a single server 2013 CU23 with the security patch installed trough windows updates

  5. Francesco B. B.

    Thak you for the info provided, Tony. As a double check, I am looking, on the MS site, for info regarding the need for the schema update for Exchange 2013. In the KB page you linked in the article, under installation instructions, it is not mentioned at all. Where can I find this information please? Best Regards!

  6. Chris Watkins

    Exchange 2013 CU23 here.
    None of my certificates are expired, yet this update breaks OWA with the error:
    ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length <1

    Uninstalling the update makes things work fine again.
    I am not seeing any certificate errors with this update uninstalled.

    1. Avatar photo

      Did you apply the directions in https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired? That’s the approved way to solve the certificate problem. If the Exchange installation procedure reports an issue (which it does when it attempts to retrieve certificates), there’s a problem there that needs to be fixed.

  7. Brett

    Obviously MS provides the two Updates for Exchange 2016 CU20 and CU21.

    Are previous versions of Exchange 2016 CU’s like 19 still have this exploit ?

  8. Gustavo

    URGENT!

    Question:

    We have a Primary Datacenter AD Site´s (Internet Facing MX – Mail Flow) in where Exchange 2010 is installed, and a Second Datacenter connected with VPN and Site-To-Site MPLS (Without any version ofExchange Server). Can i introduce and upgrade from Exchange 2010 to Exchange 2016 directly intalling 2016 version them from the Second AD Site ? or i have to install Exchange 2016 into the same AD Site that already has an Exchange 2010 installed.

    Any article will very welcomming

    Thanks in advance!

    1. Avatar photo

      I hesitate to give an answer to a question like this because I don’t have enough information about your environment. You should be very cautious about taking advice from a web site when people simply don’t understand the exact conditions which exist in your organization. If this is truly an urgent situation, you should seek help from a skilled Exchange practitioner with experience of doing similar upgrades and go through a detailed review of the environment and circumstances (and be prepared to pay for their time). Free advice is worth as much as you pay for it.

    1. MP

      Thank you for posting this fix. I can confirm this fixed our issue with Exchange 2013 after the patch last night. Make sure you don’t overwrite the primary email certificate as the first command will try to do that. You only need the thumbprint for the additional command.

  9. T

    Hi,

    I too have this exact same issue with Exchange 2013.

    I have run the schema upgrade as per the article, and I can see that there are some new ldf files in the Setup folder dated 8/7/2021

    However what has not been forthcoming from anywhere is what the schema version should actually be when this is run as I am assuming it should have a new version

    1. Imthyas

      When I run the schema command,it throws out error

      1. Imt

        Sorry for not providing more info:

        When i run the schema command command, i am getting error:

        E:\Exch2013\Bin>Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareSchema

        Setup encountered a problem while validating the state of Active Directory:
        The Active Directory schema version (17002) is higher than Setup’s version (153
        12). Therefore, PrepareSchema can’t be executed. See the Exchange setup log for
        more information on this error.
        For more information, visit: http://technet.microsoft.com/library(EXCHG.150
        )/ms.exch.setupreadiness.AdInitErrorRule.aspx

          1. Imt

            Thanks,it worked, i ran the setup from the directory of LDF files and it worked.
            E:\Exch2013_CU23\setup>cd data

            E:\Exch2013_CU23\setup\data>Setup.exe /IAcceptExchangeServerLicenseTerms /Prepar
            eSchema

            Microsoft Exchange Server 2013 Cumulative Update 23 Unattended Setup

            Performing Microsoft Exchange Server Prerequisite Check

            Prerequisite Analysis COMPLETED

            Configuring Microsoft Exchange Server

            Extending Active Directory schema COMPLETED

            The Exchange Server setup operation completed successfully.

  10. Imthyas

    I am also facing the same issue as above, I installed in Lab servers, but logged a change for prod.
    Not sure what to do.

  11. Michael

    I had the same issue as Damian. After uninstalling the latest security update for Exchange 2013 it works again.

  12. Sebastian

    We’ve got the Problem with the OWA also on an Exchnage 2016. An uninstall of the Pacth resolv the Problem here too.

  13. Damian

    I have applied the patches in Exchange 2016 and have not had any problems.

    On the other hand, with Exchange 2013, after applying the patch, this error appears when entering through OWA:

    ASSERT: HMACProvider.GetCertificates: protectionCertificates.Length <1

    If you uninstall the patch, it works again.

      1. Damian

        Thank you very much Tony!

        1. Tony Redmond

          Just checking, on the Exchange 2013 servers, you used the updated schema files placed into the \bin folder?

          1. Damian

            Yes, I did the /prepareschema from v15\Bin , but the result was the same.

            On the other hand I have also applied this: https://docs.microsoft.com/en-us/exchange/troubleshoot/administration/cannot-access-owa-or-ecp-if-oauth-expired

            On one of this Exchange 2013 servers, I have renewed this cert, reapplied the patch + schema and it crashes again.

            On another Exchange 2013 server, the OAuth certificate was not expired and has also failed with the same error.

            I think that the solution happens because Microsoft publishes the V2 of the patch.

      2. Ilker Aksu

        Hello Tony,
        Is this any update on that fail?
        we have same error two customers,

          1. Ilker Aksu

            Which certiifcate, we have public certificate and it is valid,
            Thx,

          2. Avatar photo

            Try running https://aka.ms/ExchangeHealthChecker the Exchange Health checker to see if it throws up something. You can also post a question direct to Microsoft at https://techcommunity.microsoft.com/t5/exchange-team-blog/released-july-2021-exchange-server-security-updates/ba-p/2523421, but before you do, make sure that you have run the health checker and collected as much information as you can about your environment.

    1. Andrew

      Had the same issue, couldn’t get into OWA or ECP. But I renewed the cert thanks to this DAY/WEEKSAVING article and it worked instantly. Couldn’t believe it to be honest.

      Thanks Tony

Leave a Reply