Microsoft pushes patch for exploited flaw in on-prem Exchange

Microsoft is urging Exchange Server administrators to patch their on-premises instances of the communications, calendaring and collaboration software as soon as possible, to handle a post-authentication vulnerability that is being actively exploited.

Exchange Servers running in Hybrid mode are also affected, Microsoft said in its advisory.

Users of Exchange 2013 CU23 who get patches via the Windows Server Update Services (WSUS) could see an error 0x80070643, event ID 20, in their log files.

Microsoft said it's working on fixing that error as soon as possible.

So let's see here, we've got exploitation in the wild for two of the Patch Tuesday updates:
CVE-2021-42321 - Microsoft Exchange
CVE-2021-42292 - Microsoft Excel

There is no update for the CVE-2021-42292 vulnerability in Excel on the Mac platform yet. pic.twitter.com/CXE09Rrcqg

— Will Dormann (@wdormann) November 9, 2021

Users can run a PowerShell script to check if exploit attempts have been made against their servers:

Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

The November Patch Wednesday updates address six critical zero day bugs, and 49 important flaws including 15 remote code execution vulnerabilities in Microsoft products.

However, the updates do not include the actively exploited Excel for macOS security feature bypass vulnerability.

A proof-of-concept for this low-complexity vulnerability has been published, but Microsoft has yet to release a security update that addresses the flaw.