Microsoft has issued a more complete fix for a severe Microsoft Exchange Server vulnerability, originally patched in August and tracked as CVE-2023-21709. The vulnerability could allow unauthenticated attackers to elevate their privileges on unpatched Exchange servers through low-complexity attacks that require no user interaction.
In a network-based attack, an attacker could brute-force user account passwords and then log in as that user. Microsoft has emphasized the importance of strong passwords that are harder for an attacker to brute-force.
Although Microsoft has rolled out security updates to rectify this vulnerability, it has also instructed Exchange administrators to manually remove the vulnerable Windows IIS Token Cache module or utilize a specific PowerShell script to ensure their servers are shielded from attacks exploiting CVE-2023-21709.
As part of the recent Patch Tuesday, Microsoft has introduced a new security update (CVE-2023-36434) that comprehensively addresses the CVE-2023-21709 flaw without necessitating any further measures. The Exchange Team stated, "During the release of August 2023 SUs, we recommended to use a manual or scripted solution and disable the IIS Token Cache module as a way of addressing CVE-2023-21709. Today, Windows team has released the IIS fix for root cause of this vulnerability, in the form of fix for CVE-2023-36434. We recommend installing the IIS fix after which you can re-enable Token Cache module on your Exchange servers."
If administrators have already removed the Windows IIS Token Cache module to fully address the privilege escalation bug in August, they will now need to install the current security updates and reactivate the IIS module using a provided script or by executing a specific command from an elevated PowerShell prompt.
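The procedure above (remove the IIS Token Cache module as the August workaround, then restore it once the October IIS fix is installed) leaves administrators with a simple question: which state is this server in right now? The following PowerShell is an added example written for this page, not Microsoft's own script, and it only audits the module and, on request, re-registers it. It assumes the IIS `WebAdministration` module is available (it ships with IIS), that the module is registered under the standard IIS name `TokenCacheModule` with image `cachtokn.dll`, and it uses a placeholder for the KB number of the October 2023 update, since the article does not give one; replace it with the KB for the host's Windows Server version before relying on the fix check.

```powershell
# Added example (not from the article or from Microsoft): audit the IIS Token
# Cache module on an Exchange server and, optionally, re-enable it once the
# October 2023 IIS fix (CVE-2023-36434) is installed.
# Assumptions: WebAdministration is available; 'TokenCacheModule' and
# cachtokn.dll are the standard IIS module name and image; $RequiredKB is a
# PLACEHOLDER for the KB number of the October 2023 update on this OS version.
[CmdletBinding()]
param(
    [switch]$ReEnable,
    [string]$RequiredKB = 'KB<PLACEHOLDER-OCTOBER-2023-UPDATE>'
)

Import-Module WebAdministration -ErrorAction Stop

$moduleName = 'TokenCacheModule'
$imagePath  = "$env:windir\System32\inetsrv\cachtokn.dll"

# 1. Is the module registered as an IIS global module?
$module = Get-WebGlobalModule -Name $moduleName -ErrorAction SilentlyContinue
$modulePresent = $null -ne $module

# 2. Is the OS-level IIS fix installed? Get-HotFix only sees updates that
#    register a KB, so the placeholder must be replaced with the real KB.
$fixInstalled = $null -ne (Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)

[pscustomobject]@{
    TokenCacheModulePresent = $modulePresent
    IISFixInstalled         = $fixInstalled
} | Format-List

# Decision table, following the article's guidance:
#   fix installed, module absent  -> safe to re-enable (August workaround no longer needed)
#   fix installed, module present -> nothing to do
#   fix missing,   module present -> exposed to CVE-2023-21709; install the October updates
#   fix missing,   module absent  -> still covered by the August workaround; install the updates
if (-not $fixInstalled) {
    Write-Warning "IIS fix for CVE-2023-36434 not detected; install the October 2023 Windows Server updates before re-enabling $moduleName."
    if ($modulePresent) {
        Write-Warning "$moduleName is loaded without the fix: this host is still exposed to CVE-2023-21709."
    }
    return
}

if ($modulePresent) {
    Write-Host "$moduleName is present and the fix is installed; nothing to do."
    return
}

if ($ReEnable) {
    if (-not (Test-Path $imagePath)) {
        throw "Module image not found at $imagePath; verify the IIS installation before re-registering."
    }
    # Re-register the module; IIS needs a restart for global module changes to apply.
    New-WebGlobalModule -Name $moduleName -Image $imagePath
    Write-Host "$moduleName re-registered; run iisreset for the change to take effect."
} else {
    Write-Host "Fix installed and $moduleName absent; re-run with -ReEnable to restore the module."
}
```

Run it from an elevated PowerShell prompt on each Exchange server; without `-ReEnable` it only reports, which makes it safe to run across a fleet first and act on the results afterwards.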
Those who have not yet installed the August CVE-2023-21709 security update are encouraged to install the Windows Server October 2023 security updates. Microsoft stated, "We are making updates to all related August 2023 documentation pages and scripts as well as Health Checker to reflect our new recommendation."
The October 2023 Patch Tuesday security updates fixed 104 flaws, 12 of them rated critical and three of them zero-day vulnerabilities actively exploited in attacks. One of those three, a Skype for Business elevation of privilege vulnerability tracked as CVE-2023-41763 and disclosed by Dr. Florian Hauser in September 2022, went unpatched until today even though attackers can exploit it to gain access to systems on internal networks.