On December 12th 2017, Microsoft published with the CVE-2017-11932 the Security Update KB4045655 for Exchange 2016 CU6 & CU7 which closes a Spoofing Vulnerability.

"A spoofing vulnerability exists in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited the vulnerability could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.

To exploit the vulnerability, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link. The security update addresses the vulnerability by correcting how OWA validates web requests."

Details to the KB4045655 can be found on this link.

Some feedbacks reached me, that after installing the Security Update KB4045655 the ECP & OWA where destroyed and some problems with the FastSearch and Index as well as the Database Replication occure.

If starting ECP on the Exchange Server, one of the following errors shows up.

or

In the EventLog there are multiple Warnings like:

Event ID 1310 Source: ASP.NET 4.0.30319.0

If you look at this event more deeply, you may find that the problem originated from the Exchange Back End website for ECP (and also OWA).

The problem is, that in the IIS Exchange Back End under ECP the value for BinSearchFolders is invalid.

The following list describes the steps that need to be taken to solve the problem.

1. Open Internet Information Services (IIS) Manager

2. Expand Sites and Exchange Back End

3. Click ecp and open Application Settings in /ecp Home

4. Check the value for BinSearchFolders - if it is like %ExchInstDir% you need to change it to (no space between) C:\Program Files\Microsoft\Exchange Server\V15\bin;C:\Program Files\Microsoft\Exchange Server\V15\bin\CmdletExtensionAgents;C:\Program Files\Microsoft\Exchange Server\V15\CLientAccess\Owa\bin

5. Now go to the Windows File Explorer and open the web.config file under C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa Check if you find any %ExchangeInstallDir% in this file, replace it with C:\Program Files\Microsoft\Exchange Server\V15\

6. Do the same with the web.config file under the same path but ecp instead of owa

7. After that all, run IISReset

8. Then you should be able to connect to the ecp and owa website, if not you need to run the UpdateCas.ps1 Script, which you find in the Exchange Scripts folder.Run Exchange Management Shell as administrator Type cd $exscripts (Enter) and then UpdateCas.ps1

After you have done this steps, the Warnings should be gone and you should be able to use ECP and OWA again.

In the EventLog you find also some Errors like:

Event ID 1012 Source: MSExchangeIS

The problem is, that the Search Host Controller Service was stopped and disabled with the installation of the Security Update KB4045655.

So all you need to do is, change the startup type to automatically and then start the service.

After some time, the problem is solved and you can check also Get-DatabaseCopyStatus * to get the status of all databases in the DAG.

Leave me feedback if you have any other problems or questions.

#Exchange #ExchangeDAG #ExchangeMaintenance #Security #KB4045655 #OWA #ECP #CU6 #CU7