A month after heise Security reported on the dramatic number of vulnerable systems, the situation has improved but not eased.
A dangerous vulnerability in Exchange has been known since February, and at least 32,000 servers in Germany are still vulnerable to it. Since heise Security drew attention to the dramatic Exchange patch status a month ago and informed the BSI of those affected, around 25% of the operators have reacted. But the digital existence of over 30,000 German companies is still hanging by a thread.
Our discussions with Exchange administrators have also brought to light a plausible explanation as to why so many systems are not receiving important security updates. WSUS is actually a largely automated update system for Microsoft systems in company environments. The admin is informed about upcoming security updates and only has to approve them in order to install them.
The CU update trap
But since Exchange 2013 there have been quarterly Cumulative Updates (CUs), which are something like service packs. These do not appear in WSUS and can only be installed manually. Each CU is virtually a full Exchange installation that can also contain new functions and cannot be undone. Many admins therefore shy away from installing these CUs for a variety of reasons.
The problem, however, is that Microsoft only provides security updates for the current CU and its predecessor, i.e. only for systems whose CU is at most half a year old. For example, with CVE-2020-0688 in Exchange 2016, the vital patches are only available for CU14 and CU15 (the later CUs already contain the update). So if you haven't installed a CU manually since September 17, 2019, you won't even see this important security update in WSUS. The server appears green there, although it is missing important security updates.
The situation is serious; the gap is already being actively exploited. So anyone who administers a Microsoft Exchange Server should immediately check whether it is on the latest CU version. If not, they should change that as soon as possible, and then schedule time to repeat this process quarterly.
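
The support rule described above, applied to a server inventory, as an added example that is not part of the original article: it parses version strings in the form Exchange reports for `AdminDisplayVersion` and flags servers whose CU is older than the predecessor of the current one, which is the case where the update console shows green although no security update is offered. The CU labels, build numbers and server names are constructed placeholders; real build numbers have to be taken from Microsoft's published build list.

```python
import re

# Constructed CU table for one Exchange version line, oldest first.
# Labels and build numbers are placeholders, not Microsoft's real values.
CU_TABLE = [
    ("CU-A", (15, 1, 1000, 1)),
    ("CU-B", (15, 1, 1100, 2)),
    ("CU-C", (15, 1, 1200, 3)),  # predecessor of the current CU
    ("CU-D", (15, 1, 1300, 4)),  # current CU
]

# Constructed inventory: (server name, version string as Exchange reports it).
SAMPLE_SERVERS = [
    ("mail01", "Version 15.1 (Build 1300.4)"),
    ("mail02", "Version 15.1 (Build 1200.9)"),  # CU-C plus a security update
    ("mail03", "Version 15.1 (Build 1100.2)"),
    ("mail04", "Version 15.0 (Build 900.1)"),   # different version line
]

VERSION_RE = re.compile(r"Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)")

def parse_version(text):
    """Turn 'Version 15.1 (Build 1100.2)' into (15, 1, 1100, 2)."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(group) for group in match.groups())

def installed_cu(version, table=CU_TABLE):
    """Index of the newest CU whose base build is <= version, else None."""
    index = None
    for i, (_, base) in enumerate(table):
        if base[:2] == version[:2] and base <= version:
            index = i
    return index

def audit(servers, table=CU_TABLE):
    """Map name -> (status, CU label); only the newest two CUs get patches."""
    report = {}
    for name, text in servers:
        index = installed_cu(parse_version(text), table)
        if index is None:
            report[name] = ("unknown", None)  # not in table: check manually
        elif len(table) - 1 - index <= 1:
            report[name] = ("supported", table[index][0])
        else:
            report[name] = ("unsupported", table[index][0])  # green, unpatched
    return report
```

Calling `audit(SAMPLE_SERVERS)` marks `mail03` as unsupported: it is two CUs behind, so it would need a manual CU installation before any security update becomes applicable.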