Microsoft takes another run at closing Exchange brute-force security hole

Meanwhile, Exchange Online is on the fritz


Microsoft has issued a fresh update to address an old vulnerability affecting Exchange Server 2019 and 2016 while its online service has problems of its own.

According to Microsoft, the update is another attempt at fixing CVE-2023-21709, an elevation-of-privilege vulnerability with a relatively straightforward exploitation method. A brute-force attack could allow an attacker to be authenticated as another user, assuming the password was relatively weak.

The vulnerability was dealt with in August's Patch Tuesday but also required the user to disable the IIS Token Cache module via a script or take manual action. It has taken a while, but as of this latest patch, the root cause has apparently been fully dealt with.

Microsoft said: "We recommend installing the IIS fix after which you can re-enable Token Cache module on your Exchange servers."

The Windows giant reckons customers using Exchange Online remain unaffected by the problems. Assuming, that is, they can make their email work.

Some users were reporting issues with the email service earlier today, with external email sporting a "Server busy" message.

One Register reader reported: "I currently have over a thousand mails waiting to go into the 365 infrastructure for our customers, but other larger orgs are reporting tens of thousands of emails stuck in the queue."

The Register asked Microsoft for more details on the matter, and we'll update should we hear anything back. In the meantime, the issue has been assigned EX680695 in the Admin Center.

Microsoft, in its note on the issue, said the root cause of the outage was: "A recent service update, applied to a section of infrastructure responsible for enforcing IP address anti-spam rules, contains a change which is inadvertently causing impact."

Make of that what you will, and the use of the word "inadvertently."

As for the current status for affected users, Redmond has noted the issue is lurking within its SQL infrastructure behind the scenes and the software titan is having to manually add IP addresses to an allowed list.

Our reader noted: "Seemingly despite there being a form to fill in which 'whitelists' the sending IPs, this has no effect."

The timing of the outage is unfortunate, although Exchange Online is no stranger to problems. Large chunks of Microsoft 365 fell over earlier this year due to issues with Microsoft's caching infrastructure.

Today's problems look isolated to Exchange Online, though they are a little awkward considering Microsoft's declarations concerning the state of the service.

Maybe the best way to have the most reliable service is to have no service at all. ®
