
CVE-2023-23397 Frequently Asked Questions

What is the relationship of Exchange Server March 2023 SU and Outlook fix for CVE-2023-23397?

Those two updates are completely independent of each other. Exchange SUs address Exchange vulnerabilities and security improvements. We mentioned the Outlook CVE-2023-23397 update in the Exchange March SU release to raise awareness among our customers, as we know most of them use Outlook for Windows. The Exchange March SU does not address CVE-2023-23397; you need to install the Outlook update to address this vulnerability in Outlook.

Does the account running the script need to be part of Organization Management?

In OnPrem environments, the account running the script only needs the EWS Impersonation role, which is provided by adding that user to the group as described in the docs.

In Online environments, the account running the script in -CreateAzureApplication mode needs Global Admin role in order to create the Azure application used for impersonation.

In OnPrem, does the script need to be executed on the Exchange Server?

No, the script can be executed from a workstation. There are essentially two parts to running the script. First, we have to get a list of mailboxes. Second, we have to run the script against them. These steps do not necessarily need to be performed by the same user or on the same machine.

If we just want to run the script against a few users, the email addresses can be specified manually:

.\CVE-2023-23397.ps1 -Environment OnPrem -UserMailboxes "user1@contoso.com", "user2@contoso.com"

For a large number of mailboxes, an Exchange Organization Administrator could create a CSV of mailboxes to process using a command like this:

Get-Mailbox -ResultSize Unlimited | Export-Csv .\Mailboxes.csv

Then, the script could be run against the CSV file on a different machine by a different user using a command like this:

Import-Csv .\Mailboxes.csv | .\CVE-2023-23397.ps1 -Environment OnPrem

It may also be useful to break up the mailboxes into multiple files, so the script can be run against mailboxes in batches. Here is an example of how to break up the mailboxes into batches of 1000:

# Write every mailbox's primary SMTP address to Batch1.csv, Batch2.csv, ... with
# $batchSize addresses per file. $count is reset to 1 (not 0) when a new batch
# starts, so that every batch after the first also holds exactly $batchSize entries.
$batchSize = 1000; $batchNumber = 1; $count = 0
Get-Mailbox -ResultSize Unlimited | Select-Object PrimarySmtpAddress | ForEach-Object {
  if ($count++ -ge $batchSize) { $batchNumber++; $count = 1 }
  Export-Csv -InputObject $_ -Path "Batch$batchNumber.csv" -Append -NoTypeInformation
}

In OnPrem, does the -Credential parameter need to be UPN or domain\user?

Either format can be used. However, by default the script uses the username to perform Autodiscover. If Autodiscover does not work for your UPN, or if domain\user is specified, Autodiscover can be skipped by providing the -EWSServerUrl parameter.

.\CVE-2023-23397.ps1 -Environment OnPrem -EWSServerUrl "https://exch1.contoso.com/EWS/Exchange.asmx"
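Putting the batch files and the -EWSServerUrl option together, here is an added example (not part of this FAQ or of the CVE-2023-23397.ps1 script itself) of a wrapper that runs the published script over the Batch<N>.csv files one at a time, keeps a transcript per batch, and skips batches that already finished so a scan of many thousand mailboxes can be resumed after an interruption. The $EwsUrl default, the Logs folder and the .done marker files are assumptions of this example.

```powershell
# Added example wrapper (assumption: CVE-2023-23397.ps1 and the Batch<N>.csv
# files produced by the Export-Csv loop above are in the current directory).
param(
    [Parameter(Mandatory)] [pscredential] $Credential,
    [string] $EwsUrl   = "https://exch1.contoso.com/EWS/Exchange.asmx",  # assumed value
    [string] $BatchDir = ".",
    [string] $LogDir   = ".\Logs"                                         # assumed location
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Sort numerically (Batch2 before Batch10), not lexically.
$batches = Get-ChildItem -Path $BatchDir -Filter "Batch*.csv" |
    Sort-Object { [int]($_.BaseName -replace '\D', '') }

foreach ($batch in $batches) {
    $marker = Join-Path $LogDir "$($batch.BaseName).done"
    if (Test-Path $marker) {
        Write-Host "Skipping $($batch.Name): already processed"
        continue
    }

    $transcript = Join-Path $LogDir "$($batch.BaseName).log"
    Start-Transcript -Path $transcript -Append | Out-Null
    try {
        # Same invocation as in the FAQ, with Autodiscover bypassed via -EWSServerUrl.
        Import-Csv $batch.FullName |
            .\CVE-2023-23397.ps1 -Environment OnPrem -Credential $Credential -EWSServerUrl $EwsUrl
        # Mark the batch complete only if the script ran to the end without throwing.
        Get-Date | Out-File -FilePath $marker
    }
    catch {
        Write-Warning "Batch $($batch.Name) failed: $_ (rerun to resume from this batch)"
    }
    finally {
        Stop-Transcript | Out-Null
    }
}
```

Each batch's transcript in the Logs folder preserves the script's per-mailbox output, which is what you will want to keep for the incident record.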

In OnPrem, does the impersonation account need to have a mailbox?

In the current version of the script, yes, the impersonation account must have a mailbox.


Last update: March 15, 2023