17,000+ Exchange servers at risk, says German Federal Security Office

The Federal Office for Information Security (BSI) considers at least 37 percent of all Exchange servers in Germany to be "highly vulnerable" to cyberattacks.

(Image: Microsoft / altered by heise online)
This article was originally published in German and has been automatically translated.

The German Federal Office for Information Security (BSI) has issued warning level orange, which means: "The IT threat situation is business-critical. Massive impairment of regular operations." The trigger is, once again, the disastrous security situation of Microsoft Exchange, the most important communication hub for many companies, organizations and public authorities. The BSI lays the blame on the administrators, who are failing to implement security precautions that are well known and urgently required; the current BSI warning, however, does not contain a single critical word about Microsoft.

Back in 2021, after the Hafnium vulnerabilities, the BSI had issued a red alert when almost all Exchange servers were hijacked and fitted with backdoors. The current situation is not quite as dramatic. Nevertheless, the BSI still considers at least 17,000 servers in Germany alone, corresponding to 37 percent of all reachable systems, to be "highly vulnerable". Indeed, "more than half of all Exchange servers in Germany are probably vulnerable to critical vulnerabilities".

The prevalence and importance of Exchange make this a real problem: "Many schools and universities, clinics, doctors' surgeries, nursing services and other medical facilities, lawyers and tax consultants, local authorities and medium-sized companies are particularly affected," explains the BSI. And they face threats from all directions, including "the encryption of data with subsequent blackmail and ransom demands".

Chart: Red is definitely vulnerable, yellow means "we don't know for sure". According to the BSI, it is nevertheless likely that well over 50 percent of all servers are susceptible to critical vulnerabilities. (Image: BSI)

The root of the problem is Exchange versions that Microsoft no longer supports (2010 and 2013, together 12 percent). They no longer receive updates and therefore carry several known, critical security vulnerabilities. Such servers are virtually wide open; the BSI classifies their operation as "high-risk". On top of that come current versions that lack the latest patches (25 percent) and therefore also have known security vulnerabilities (such as CVE-2023-36439).

And then there are the servers for which it is impossible to tell from the outside, short of actually attacking them, whether all the necessary security measures, such as enabling Extended Protection, have been taken. That is almost half of them. The BSI rightly assumes that a considerable proportion of these are vulnerable, which means that more than half of all Exchange servers are probably open to attack. Only a meagre 15 percent of servers run the latest version, Exchange 2019 CU14, in which Microsoft enables the Extended Protection required for secure operation, so these most likely have no known vulnerabilities left.

As urgently needed countermeasures, the BSI therefore calls for discontinued Exchange versions to be taken out of service, all patches and cumulative update packages (the so-called CUs) to be installed and, of course, Extended Protection to be enabled. The associated BSI warning, "Thousands of Microsoft Exchange servers in Germany still vulnerable to critical vulnerabilities", is accordingly aimed at the operators of Microsoft Exchange servers and their administrators.
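As an added practical check, which is not part of the article or of the BSI warning, the following PowerShell snippet lets an administrator see which of the three buckets described above a server falls into: discontinued product line, Extended Protection not enforced, or Extended Protection enforced with only the CU level left to verify. It assumes the Exchange Management Shell and the IIS WebAdministration module on the server itself; the subset of virtual directories, the bucket labels and the IIS paths are this example's own choices, and it deliberately does not hard-code CU build numbers, so the reported build still has to be compared against Microsoft's published build table (or checked with Microsoft's Exchange Server Health Checker script).

```powershell
# Added example, not from the heise article or from the BSI warning it reports on.
# Run in the Exchange Management Shell on an on-premises Exchange server. It sorts
# the local server into the buckets the article describes: discontinued product
# line, Extended Protection not enforced, or Extended Protection enforced (leaving
# only the CU/SU level to be verified). The virtual directory subset, the bucket
# labels and the IIS paths are this script's own assumptions.
Import-Module WebAdministration

# Product line by major.minor build number (Microsoft's published mapping).
# Exchange 2010 and 2013 are out of support, i.e. the BSI's "high-risk" bucket.
function Get-ProductLine([version]$build) {
    if ($build.Major -eq 14) { return @{ Name = 'Exchange 2010'; EndOfLife = $true } }
    if ($build.Major -eq 15) {
        switch ($build.Minor) {
            0 { return @{ Name = 'Exchange 2013'; EndOfLife = $true } }
            1 { return @{ Name = 'Exchange 2016'; EndOfLife = $false } }
            2 { return @{ Name = 'Exchange 2019'; EndOfLife = $false } }
        }
    }
    return @{ Name = "unknown build $build"; EndOfLife = $false }
}

# Read the tokenChecking attribute of Windows authentication for one front-end
# virtual directory: None = off, Allow = enabled but not enforced, Require = enforced.
function Get-TokenChecking([string]$vdir) {
    $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\Default Web Site\$vdir" `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    if ($null -eq $attr) { return 'None' }   # attribute absent: the IIS default is None
    if ($attr.PSObject.Properties['Value']) { return [string]$attr.Value }
    return [string]$attr
}

# Subset of front-end virtual directories chosen for this example; Microsoft's
# Extended Protection documentation lists the full set and the expected value per directory.
$CheckedVdirs = @('owa', 'ecp', 'mapi', 'OAB')

function Get-ExchangeRiskBucket {
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME -ErrorAction Stop
    $v = $server.AdminDisplayVersion   # reflects the installed CU, not Security Updates on top of it
    $build = [version]::new($v.Major, $v.Minor, $v.Build, $v.Revision)
    $line = Get-ProductLine $build

    $ep = @{}
    foreach ($d in $CheckedVdirs) { $ep[$d] = Get-TokenChecking $d }
    $unenforced = @($ep.Keys | Where-Object { $ep[$_] -ne 'Require' })

    $bucket = if ($line.EndOfLife) {
        'high-risk: discontinued version without updates; migrate or decommission'
    } elseif ($unenforced.Count -gt 0) {
        "Extended Protection not enforced on: $($unenforced -join ', '); enable it, then re-check"
    } else {
        'Extended Protection enforced; confirm the build is the current CU plus the latest SU'
    }

    [pscustomobject]@{
        Server             = $server.Name
        Product            = $line.Name
        Build              = $build.ToString()
        ExtendedProtection = ($ep.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        Bucket             = $bucket
    }
}

Get-ExchangeRiskBucket | Format-List
```

Because `AdminDisplayVersion` only reflects the cumulative update and not the security updates installed on top of it, a server that lands in the last bucket still needs its patch level confirmed separately; that is exactly the uncertainty behind the BSI's yellow "we don't know for sure" category when looking from the outside.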

Those administrators can tell you a thing or two about how difficult and time-consuming it is to keep an Exchange server up to date and therefore secure. And about how the manufacturer, Microsoft, is often not a help but rather part of the problem, because it would much rather sell them a cloud subscription with annual fees. That would mean handing over the operation of their own communication hub entirely to Microsoft, which is not a particularly attractive option for many in view of data protection concerns and Microsoft's own security record.

Considering the disastrous security record of Microsoft Exchange, one could, of course, also place the cause of and responsibility for the problem with the Exchange product and its manufacturer Microsoft. One could argue and make suggestions for improving the situation in that direction, or perhaps even propose and promote more secure alternatives. The BSI says nothing about this.

By the way: in our exclusive heise Security Pro expert forum (membership required), IT security and data protection officers from companies, public authorities and businesses discuss both the technical aspects of secure IT operations and ways in which you can escape the Microsoft quasi-monopoly. Well-founded and practice-oriented, without any glib "it wouldn't have happened with Linux". Find out more about heise Security Pro here.

(ju)