Microsoft has released new security updates for all Exchange Server versions (2013 – 2019). These presumably address the vulnerabilities that were used to attack Exchange Server at Pwn2Own 2021. The following vulnerabilities are fixed:
Here is the description from the Pwn2Own website; presumably this is the vulnerability that is now being fixed:
The DEVCORE team combined an authentication bypass and a local privilege escalation to completely take over the Exchange server.
Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.
Source: https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
The available updates should be installed as soon as possible. There are currently no active exploits, but this will probably change quickly once the updates are available, since the updates also make the vulnerabilities public. We all want to avoid an update disaster like the recent HAFNIUM exploitation. One small advantage this time is that hopefully all Exchange servers are already at the latest patch level.
The updates can be found here:
Here you can see the update path for installing the April updates:
Here is another article from the Microsoft Security Response Center:
Microsoft also explicitly points out that a manual installation of the update must be run from a shell in "Elevated" mode ("Run as administrator"). Here is an example of the "Elevated Shell":
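As an added example (not from the original post or from Microsoft), a PowerShell helper that refuses to run the Security Update .msp unless the session is elevated and compares the Exchange build before and after the install. It assumes the ExchangeInstallPath environment variable that Exchange setup creates; the .msp path is a placeholder.

```powershell
# Added example: apply an Exchange Security Update only from an elevated
# session and verify that the build number actually changed afterwards.
# Assumes $env:ExchangeInstallPath exists (set by Exchange setup).

function Test-IsElevated {
    # True only when the current token holds the Administrators role,
    # i.e. the shell was started with "Run as administrator".
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ExchangeBuild {
    # Product version of ExSetup.exe changes with every SU/CU, so comparing
    # it before and after shows whether the patch really applied.
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    return (Get-Item $exsetup).VersionInfo.ProductVersion
}

function Install-ExchangeSecurityUpdate {
    param(
        [Parameter(Mandatory)] [string] $MspPath,   # placeholder, e.g. 'C:\Updates\<ExchangeSU>.msp'
        [string] $LogPath = "$env:TEMP\ExchangeSU-install.log"
    )
    if (-not (Test-IsElevated)) {
        throw 'Not elevated: open PowerShell with "Run as administrator" and retry.'
    }
    if (-not (Test-Path $MspPath)) { throw "Update file not found: $MspPath" }

    $before = Get-ExchangeBuild
    Write-Host "Exchange build before update: $before"

    # Apply the .msp through msiexec; the verbose log is what you need if setup fails.
    $proc = Start-Process -FilePath msiexec.exe -Wait -PassThru `
        -ArgumentList "/update `"$MspPath`" /norestart /l*v `"$LogPath`""

    switch ($proc.ExitCode) {
        0       { Write-Host 'Update installed.' }
        3010    { Write-Warning 'Update installed, reboot required.' }
        default { throw "msiexec exited with $($proc.ExitCode); see $LogPath" }
    }

    $after = Get-ExchangeBuild
    Write-Host "Exchange build after update:  $after"
    if ($after -eq $before) { Write-Warning 'Build unchanged: check the log.' }
}
```

Call `Install-ExchangeSecurityUpdate -MspPath '<path to the SU .msp>'` from the elevated shell shown above; a non-elevated session stops before anything is changed.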
Alternatively, the update can of course also be installed via WSUS, Windows Update or other tools. If the Exchange Server update fails, you can find some possible solutions to the problems here:
Update 14.04.21: The vulnerabilities used at Pwn2Own have not yet been fixed by these updates. The vulnerabilities mentioned here are different ones. It is therefore likely that further updates will follow in the near future.