The Exchange Team asked admins to deploy a new and “better” patch for a critical Microsoft Exchange Server vulnerability initially addressed in August.
Tracked as CVE-2023-21709 and patched during August 2023 Patch Tuesday, the security flaw enables unauthenticated attackers to escalate privileges on unpatched Exchange servers in low-complexity attacks that don’t require user interaction.
“In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force,” Microsoft explained.
Although Microsoft released security updates to fix the vulnerability, it also told Exchange admins that they would have to remove the vulnerable Windows IIS Token Cache module manually, or use the PowerShell script Microsoft provided, to ensure their servers were protected against attacks exploiting CVE-2023-21709.
As part of this month’s Patch Tuesday, Microsoft has now released a new security update (CVE-2023-36434) that fully addresses the CVE-2023-21709 flaw and doesn’t require any additional steps.
“During the release of August 2023 SUs, we recommended using a manual or scripted solution and disabling the IIS Token Cache module as a way of addressing CVE-2023-21709,” the Exchange Team said.
“Today, the Windows team has released the IIS fix for the root cause of this vulnerability, in the form of a fix for CVE-2023-36434. We recommend installing the IIS fix, after which you can re-enable the Token Cache module on your Exchange servers.”
Admins asked to re-enable vulnerable IIS module
If you’ve already removed the Windows IIS Token Cache module to fully address the privilege escalation bug in August, you will now have to install today’s security updates and re-enable the IIS module using this script or by running the following command from an elevated PowerShell prompt:
New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"
Admins who have not yet applied the August security update for CVE-2023-21709 are advised to install the Windows Server October 2023 security updates instead, which address the root cause without any manual steps.
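The following PowerShell script is an added example and not Microsoft's own script or the command quoted above: it re-enables the Token Cache module only after confirming the October 2023 update is installed, and it is idempotent, so it can be run safely on servers where the module was never removed. The $KbId parameter is an assumption: this page does not state the KB number of the October 2023 update, so the admin supplies the one that applies to their Windows Server version. The module name and image path are the ones Microsoft published.

```powershell
# Added example (not Microsoft's script): re-enable the IIS Token Cache module on an
# Exchange server only after the October 2023 IIS fix for CVE-2023-36434 is installed.
# $KbId is an assumption: pass the KB number of the October 2023 security update for
# your Windows Server version; that number is not given on this page.
#Requires -RunAsAdministrator
param(
    [Parameter(Mandatory = $true)]
    [string]$KbId
)

Import-Module WebAdministration -ErrorAction Stop

$moduleName = 'TokenCacheModule'
$modulePath = '%windir%\System32\inetsrv\cachtokn.dll'   # IIS expands %windir% itself

# 1. Refuse to re-enable the module unless the October 2023 update is present,
#    since the module is the vulnerable component until IIS itself is fixed.
if (-not (Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)) {
    Write-Warning "$KbId is not installed. Install the October 2023 security updates first; leaving $moduleName disabled."
    return
}

# 2. Check whether the module is still registered as a global IIS module.
$existing = Get-WebGlobalModule -Name $moduleName
if ($existing) {
    Write-Host "$moduleName is already enabled ($($existing.Image)); nothing to do."
}
else {
    # 3. Restore the module with the same name and image Microsoft documents.
    New-WebGlobalModule -Name $moduleName -Image $modulePath
    Write-Host "$moduleName re-enabled."
}

# 4. Show the end state so the change can be recorded in the change ticket.
Get-WebGlobalModule -Name $moduleName | Format-Table Name, Image -AutoSize
```

Run it from an elevated PowerShell prompt on each Exchange server, for example `.\Enable-TokenCacheModule.ps1 -KbId KB5031364` (the file name and KB value are placeholders to replace with your own). If the module was removed from individual sites rather than globally, check those sites' module lists separately, since Get-WebGlobalModule only reports the global registration.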
“We are making updates to all related August 2023 documentation pages and scripts as well as Health Checker to reflect our new recommendation,” Microsoft added.
The October 2023 Patch Tuesday security updates patched 104 flaws, 12 rated critical and three tagged as zero-day vulnerabilities actively exploited in attacks.
One of them, a Skype for Business elevation of privilege vulnerability tracked as CVE-2023-41763 and disclosed by Dr. Florian Hauser in September 2022, went unpatched until today despite Microsoft being aware of it, even though attackers can exploit it to gain access to systems on internal networks.