Flurry of reboots signal Exchange Server patching


Over 100,000 Outlook Web Access servers have restarted since Microsoft released security updates for the ProxyLogon remote code execution vulnerabilities. The subsequent spate of restart activity likely reflects Microsoft Exchange servers being restarted after the security updates were applied.

Last restart dates of Outlook Web Access servers on March 14, 2021.

About half of all servers running Outlook Web Access (a service included with Microsoft Exchange Server) restarted in the five days after the emergency patch was released. Some of them have since restarted again and are therefore shown later in the graphic above. A restart is a likely sign that a server was updated, but the absence of a restart after March 2 does not necessarily mean a server is still vulnerable. Anecdotally, most servers prompted for a restart after the update, but some may only have required a service restart; even so, administrators may have chosen to restart those servers anyway.

The original fixes from Microsoft can only be applied to servers that have the latest Exchange Server cumulative update installed. However, in response to the mass exploitation of the vulnerabilities, Microsoft has also released a number of security updates that can be applied to older and unsupported Exchange servers that do not have, or cannot install, the latest cumulative updates.

The alternate security update path is intended as a temporary measure to protect vulnerable servers. Crucially, installing a later cumulative update that does not include the March 2021 security fixes will leave the server vulnerable again. Any server updated via the alternate path must be restarted, even if it is not prompted to do so; until it is restarted, the server is not protected.
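The restart requirement above is easy to miss when no prompt appears. The following is an added example (not from the article or from Microsoft) that an Exchange administrator can run locally to report the installed Exchange build, the last boot time, whether the machine booted after the March 2, 2021 update release, and whether Windows itself still flags a reboot as pending. The `ExSetup.exe` file-version method and the registry keys are standard Windows/Exchange checks; the patch date is taken from the article, and the target build numbers are left as a placeholder to be filled in from Microsoft's own release notes.

```powershell
# Added example: verify that an Exchange server has actually been restarted
# since the March 2, 2021 security updates. Run on the Exchange server itself.

$PatchReleaseDate = Get-Date '2021-03-02'          # date from the article
$PatchedBuilds    = @('<FILL-IN-FROM-MICROSOFT>')  # placeholder: patched build strings

# Exchange build, read from the file version of ExSetup.exe (Exchange adds its bin dir to PATH).
$exSetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
$build   = if ($exSetup) { $exSetup.FileVersionInfo.ProductVersion } else { 'unknown' }

# Last boot time of the operating system.
$lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

# Well-known registry markers that Windows sets when a reboot is still pending.
$pendingKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = ($pendingKeys | Where-Object { Test-Path $_ }).Count -gt 0
$sessionMgr = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
if ($sessionMgr.PendingFileRenameOperations) { $rebootPending = $true }

[pscustomobject]@{
  ExchangeBuild       = $build
  BuildIsPatched      = $PatchedBuilds -contains $build   # false until the placeholder is filled in
  LastBoot            = $lastBoot
  BootedSincePatchDay = $lastBoot -ge $PatchReleaseDate   # false means the update cannot be in effect yet
  RebootPending       = $rebootPending
}
```

A server reporting `BootedSincePatchDay = False` has not restarted since the updates were published and, under the alternate update path, should be treated as unprotected regardless of what the installer reported.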

Some of the more recent reboots may have been caused by Microsoft’s March 9th Patch Tuesday software update collection, which includes fixes for remote code execution vulnerabilities in Microsoft Exchange.

On March 6, four days after the original security updates were released, Netcraft found that more than 99,000 Outlook Web Access servers were still running versions that Kevin Beaumont had classified as definitely vulnerable. For many, however, even a timely application of Microsoft's updates would have amounted to closing the barn door after the horse had bolted: more than 10% of all the Outlook Web Access installations surveyed had already been compromised, with web shells installed by attackers. These web shells continue to give criminals administrative access to the compromised servers even after the security updates have been applied.

The last restart dates were correct as of March 14th. We’ve been able to pinpoint the time since the last restart for 82% of the IP addresses that Outlook Web Access is running on.