Description
Microsoft Exchange Server Elevation of Privilege Vulnerability
FAQ
What privileges could be gained by an attacker who successfully exploited the vulnerability?
The attacker would be able to log in successfully as another user.
How could an attacker exploit this vulnerability?
In a network-based attack, an attacker could brute force user account passwords to log in as that user. Microsoft encourages the use of strong passwords that are more difficult for an attacker to brute force.
Why is the severity for this CVE rated as Important, but the CVSS score is 9.8?
The Microsoft proprietary severity rating does not align with the CVSS scoring system. In this case, the severity rating of Important (rather than Critical) reflects the fact that brute-force attacks are unlikely to succeed against users with strong passwords. The CVSS scoring system doesn't allow for this type of nuance.
Update October 10, 2023
Is there new information available regarding this CVE?
Yes. CVE-2023-36434, published October 10, 2023, addresses a vulnerability in Windows IIS that completely mitigates this Exchange vulnerability. If you have applied the additional steps documented in the following FAQ, please read the Exchange Blog for details on what to do now regarding this vulnerability, as well as what to do about the new Windows IIS vulnerability.
Are there additional steps needed to protect against this vulnerability?
Yes, in addition to installing the updates, a script must be run. Alternatively, you can accomplish the same by running the commands from the command line in a PowerShell window or another terminal.
Follow these steps:
- (Strongly recommended) Install Exchange Server 2016 or 2019 August SU (or later).
- Do one of the following:
  - Apply the solution for the CVE automatically on your servers by running the CVE-2023-21709.ps1 script. You can find the script and the documentation here: https://aka.ms/CVE-2023-21709ScriptDoc.
  - Apply the solution for the CVE manually on each server by running the following command from an elevated PowerShell window:

    ```powershell
    Clear-WebConfiguration -Filter "/system.webServer/globalModules/add[@name='TokenCacheModule']" -PSPath "IIS:\"
    ```
- To roll back the solution for the CVE manually on each server, run the following:

  ```powershell
  New-WebGlobalModule -Name "TokenCacheModule" -Image "%windir%\System32\inetsrv\cachtokn.dll"
  ```
Although Microsoft recommends installing the security updates as soon as possible, running the script or the commands on a supported version of Exchange Server prior to installing the updates will address this vulnerability.
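The following script is an added example, not Microsoft's CVE-2023-21709.ps1 and not code from this advisory. It wraps the two commands above so that an administrator can first check whether the IIS TokenCacheModule is still registered, remove it (the mitigation) or restore it (`-Rollback`), and then verify the resulting state. It assumes the WebAdministration PowerShell module that ships with IIS is available and that it is run from an elevated PowerShell window on the Exchange server; the `Test-TokenCacheModule` helper is this example's own name, and the DLL path is the one given in the advisory's roll-back command.

```powershell
# Added example (not Microsoft's CVE-2023-21709.ps1): check, apply, or roll
# back the CVE-2023-21709 mitigation (removal of the IIS TokenCacheModule).
# Supports -WhatIf so the change can be previewed before it is made.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Rollback   # restore the module instead of removing it
)

Import-Module WebAdministration -ErrorAction Stop

$moduleName  = 'TokenCacheModule'
# Same image path as the advisory's roll-back command; IIS expands %windir%.
$moduleImage = '%windir%\System32\inetsrv\cachtokn.dll'
$filter      = "/system.webServer/globalModules/add[@name='$moduleName']"

# Returns $true when the global module is registered in applicationHost.config.
function Test-TokenCacheModule {
    $null -ne (Get-WebGlobalModule -Name $moduleName)
}

if (-not $Rollback) {
    # Mitigation: remove the module, as in the advisory's Clear-WebConfiguration step.
    if (-not (Test-TokenCacheModule)) {
        Write-Output "$moduleName is not registered; mitigation already in place."
        return
    }
    if ($PSCmdlet.ShouldProcess('IIS:\', "Remove global module $moduleName")) {
        Clear-WebConfiguration -Filter $filter -PSPath 'IIS:\'
    }
}
else {
    # Roll-back: re-register the module, as in the advisory's New-WebGlobalModule step.
    if (Test-TokenCacheModule) {
        Write-Output "$moduleName is already registered; nothing to roll back."
        return
    }
    $expandedImage = [Environment]::ExpandEnvironmentVariables($moduleImage)
    if (-not (Test-Path -LiteralPath $expandedImage)) {
        throw "Module image not found: $expandedImage"
    }
    if ($PSCmdlet.ShouldProcess('IIS:\', "Register global module $moduleName")) {
        New-WebGlobalModule -Name $moduleName -Image $moduleImage
    }
}

# With -WhatIf nothing was changed, so skip the post-change verification.
if ($WhatIfPreference) { return }

# Verify and record the final state (useful evidence for a change ticket).
$registered = Test-TokenCacheModule
if ([bool]$Rollback -ne $registered) {
    throw "Unexpected state after change: $moduleName registered = $registered"
}
Write-Output "$moduleName registered: $registered"
```

Run it with no arguments to apply the mitigation, with `-Rollback` to restore the module, and with `-WhatIf` to see which change would be made without touching the IIS configuration. Because the check reads the live IIS configuration, the same script can be run on a schedule to confirm the mitigation has not been silently reverted, for example by a later IIS repair or reinstall.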
Is there anything that I should be aware of if I'm running a non-English operating system and version of Exchange server?
Yes, an issue has been discovered with the non-English August updates of Exchange Server and you should postpone installing these updates. The script protecting customers from the vulnerability documented by CVE-2023-21709 can be run to protect against the vulnerability without installing the August updates. Microsoft recommends running the script.
August 15, 2023 Update: The known issue affecting the non-English August updates of Exchange Server has been resolved. Microsoft recommends installing the updated packages as soon as possible.
Please see the Exchange Blog for more information.
Updates
Product | Article | Update |
---|---|---|
Microsoft Exchange Server 2019 Cumulative Update 12 | | |
Microsoft Exchange Server 2016 Cumulative Update 23 | | |
Microsoft Exchange Server 2019 Cumulative Update 13 | | |
Exploitability
- Publicly Disclosed
- Exploited
- Latest Software Release
- DOS
- EPSS
- CVSS3: 9.8 Critical
Related vulnerabilities
- Microsoft Exchange Server Elevation of Privilege Vulnerability
- Microsoft Exchange Server Elevation of Privilege Vulnerability
- Vulnerability in the Microsoft Exchange Server mail server related to access-control weaknesses, allowing an attacker to elevate their privileges
- Microsoft Exchange Server Remote Code Execution Vulnerability
- Microsoft Exchange Server Remote Code Execution Vulnerability (EPSS; CVSS3: 9.8 Critical)