Microsoft hat neue Sicherheitsupdates für alle Exchange Server Versionen (2013 – 2019) veröffentlicht. Diesmal handelt es sich um die Schwachstellen, welche beim Pwn2Own 2021 have been successfully used to attack Exchange servers.
The following vulnerabilities are fixed:
Here is a description from the Pwn2Own website, presumably this vulnerability is now being fixed:
The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server.
Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.
Source: https://www.zerodayinitiative.com/blog/2021/4/2/pwn2own-2021-schedule-and-live-results
Die verfügbaren Updates sollten möglichst zeitnah eingespielt werden. Aktuell sind keine aktiven Exploits bekannt, dies kann sich aber bekanntlich schnell ändern, da mit der Verfügbarkeit der Updates auch oft die Schwachstellen an sich öffentlich gemacht werden.
The updates can be found here:
Here you can see the update path for installing the May updates:
Microsoft also explicitly points out that the manual installation of the update must be carried out using a shell in "Elevated" mode ("Run as administrator"). Here is an example of the "Elevated Shell":
Alternatively, the update can of course also be installed via WSUS, Windows Update or other tools. If the Exchange Server update goes wrong, you can find some possible solutions to the problems here:
The security updates also contain three known problems, which are described in the article on the Exchange Team Blog:
The next CU, which will contain these updates, is expected in June 2021.