Microsoft has warned that outdated on-premises Exchange servers are no longer able to automatically apply emergency mitigations for high-risk vulnerabilities due to a change in Office Configuration Service (OCS) certificates. The announcement underscores the importance of keeping Exchange servers updated to maintain critical security protections.
Emergency Mitigations and Their Role
The Exchange Emergency Mitigation Service (EEMS), introduced in September 2021, automatically secures on-premises Exchange servers against actively exploited vulnerabilities. EEMS applies interim mitigations to protect servers until official security updates become available.
EEMS runs as a Windows service on Microsoft Exchange Mailbox servers and automatically installs on servers with the Mailbox role when administrators deploy the September 2021 (or later) cumulative updates (CU) for Microsoft Exchange Server 2016 or Microsoft Exchange Server 2019.
The Current Problem
Microsoft’s Exchange Team revealed that servers running Exchange builds that predate the March 2023 updates are now unable to contact the Office Configuration Service (OCS) to download new emergency mitigation definitions. Instead of retrieving mitigations, these servers log error messages such as “Error, MSExchange Mitigation Service.”
The root cause of the issue lies in the deprecation of an older certificate type used by OCS. A new certificate has already been deployed, but only servers running cumulative or security updates released after March 2023 can utilize it.
Urgent Call to Update
“If your servers are so much out of date, please update your servers ASAP to secure your email workload and re-enable your Exchange server to check for EEMS rules,” the Exchange Team urged. The team emphasized the importance of running the Exchange Server Health Checker tool, which provides detailed guidance on necessary updates.
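The checks an administrator would run in response to this announcement can be scripted. The following Exchange Management Shell script is an added example written for this article; it is not Microsoft's code and not part of the Health Checker tool. It reports, for the local Mailbox server, the installed ExSetup.exe build (which reflects the Security Update level, unlike AdminDisplayVersion), the state of the EEMS Windows service, whether mitigations are enabled at the organization and server level, and how many mitigation-service errors were logged in the last week. The minimum build value is a placeholder to be filled in from Microsoft's Exchange build table, since the article does not state it; the Application-log provider name is assumed from the error text quoted in the article.

```powershell
# Added example: EEMS readiness check for one on-premises Exchange Mailbox server.
# Illustrative code written for this article, not Microsoft's. Run it in the
# Exchange Management Shell on the server being checked.

# PLACEHOLDER: the first ExSetup.exe build that carries the March 2023 (or later)
# update for your Exchange version. Take it from Microsoft's Exchange build number
# table; the article does not list the value, so it is not given here.
$MinimumBuild = [Version]'0.0.0.0'

function Get-ExSetupVersion {
    # ExSetup.exe's file version reflects the installed Security Update, whereas
    # AdminDisplayVersion from Get-ExchangeServer only reflects the Cumulative Update.
    $fv = (Get-Command ExSetup.exe).FileVersionInfo
    [Version]::new($fv.FileMajorPart, $fv.FileMinorPart, $fv.FileBuildPart, $fv.FilePrivatePart)
}

function Get-EemsStatus {
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME
    $org    = Get-OrganizationConfig

    # EEMS runs as the Windows service MSExchangeMitigation on Mailbox servers.
    $svc = Get-Service -Name MSExchangeMitigation -ErrorAction SilentlyContinue

    # ASSUMPTION: the error text quoted in the article ("MSExchange Mitigation
    # Service") is the Application-log provider name; adjust if your log differs.
    # Get-WinEvent throws when nothing matches, hence SilentlyContinue.
    $recentErrors = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MSExchange Mitigation Service'
        Level        = 2                      # 2 = Error
        StartTime    = (Get-Date).AddDays(-7)
    }

    $build = Get-ExSetupVersion

    [PSCustomObject]@{
        Server                = $server.Name
        ExSetupBuild          = $build
        MeetsMinimumBuild     = ($build -ge $MinimumBuild)
        ServiceState          = if ($svc) { $svc.Status } else { 'NotInstalled' }
        MitigationsEnabledOrg = $org.MitigationsEnabled
        MitigationsEnabledSrv = $server.MitigationsEnabled
        MitigationErrors7d    = @($recentErrors).Count
    }
}

$status = Get-EemsStatus
$status | Format-List

# How to read the result:
#  - MeetsMinimumBuild = False   -> the server predates the March 2023 update and
#                                   cannot use the new OCS certificate; install the
#                                   latest CU and SU, then re-run.
#  - MitigationErrors7d > 0      -> EEMS is failing to reach OCS; expected on an
#                                   out-of-date server, worth investigating otherwise.
#  - MitigationsEnabled* = False -> EEMS is disabled by policy, which is a separate
#                                   condition from the certificate issue.
#  - ServiceState not Running    -> the EM service itself is stopped or missing.

# To list the mitigations currently applied, Microsoft ships Get-Mitigations.ps1
# in the Exchange Scripts folder:
#   & "$exscripts\Get-Mitigations.ps1"
# The Health Checker tool the Exchange Team recommends is published at
#   https://aka.ms/ExchangeHealthChecker
```

Run the script on each Mailbox server rather than once centrally: ExSetup.exe's file version and the Application log are local to the machine, and AdminDisplayVersion alone would report a server as current even when its Security Update is months behind.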
Historical Context
The EEMS feature was introduced following a wave of severe Exchange vulnerabilities, including the ProxyLogon and ProxyShell zero-day flaws. These vulnerabilities, exploited in 2021 by state-sponsored and financially motivated threat actors, allowed attackers to breach Exchange servers before patches or mitigations were available.
One of the most significant threats was Hafnium, a Chinese state-sponsored hacking group, which used the ProxyLogon vulnerability in March 2021 to attack thousands of servers.
Microsoft’s Security Recommendations
Microsoft has consistently stressed the importance of keeping Exchange servers updated. In January 2023, the company reminded customers to apply the latest cumulative updates and patches to ensure their systems could deploy emergency security mitigations and remain secure against evolving threats.
Conclusion
Administrators managing on-premises Exchange servers should act immediately to update their servers with the latest cumulative and security updates. This ensures access to the latest EEMS mitigations and prevents potential exploitation of unpatched vulnerabilities. Staying up to date is critical for maintaining a secure and resilient email environment.