skip to Main Content

Configure Download Domains to address CVE-2021-1730 vulnerability

Your Exchange Server 2016/2019 is up to date with the latest Exchange Cumulative Update and Security Update. But when you check the Exchange Server health, it shows a security vulnerability is detected: Download Domains are not configured. This article will show how to configure Download Domains to address the CVE-2021-1730 vulnerability.

Vulnerability CVE-2021-1730

A spoofing vulnerability exists in Microsoft Exchange Server, which could result in an attack allowing a malicious actor to impersonate the user. To prevent these types of attacks, Microsoft recommends downloading inline images from different DNSdomains than the rest of OWA.

Important: Keep the Exchange Servers up to date with the latest Cumulative Update / Security Update. That’s also the case when you have an Exchange Hybrid Server for management purposes.

Check CVE-2021-1730 vulnerability status

Download and run the Exchange Server Health Checker script to detect if the Exchange Server is up to date and if the CVE-2021-1730 vulnerability exists or is already manually configured.

Generate an Exchange health report for all Exchange Servers. Run Exchange Management Shell and change the path to the C:\scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

This is what the Exchange health report looks like. It shows that a vulnerability is detected.

CVE-2021-1730 vulnerability detected

Go through the Exchange health report until you see the Security Vulnerabilities section.

Download Domains are not configured

The CVE-2021-1730 vulnerability is detected.

Security Vulnerabilities: Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions: https://aka.ms/HC-DownloadDomains

If the vulnerability is not present, you’re all set, and you can double-check and confirm that the Download Domain feature is enabled (see below).

Configure Download Domains

Configuring the Download Domains only applies and effect inline images in Outlook Web Access (OWA). So nothing will happen to the inline images in Outlook desktop or mobile application. Let’s say you configure it incorrectly, the inline images will not show up in OWA, but all inline images will work in all the other places.

What if you have all the mailboxes in Exchange Online or the organization does not use OWA? Then, we still recommend configuring Download Domains. That’s because you do not want any vulnerabilities in an organization.

To configure Download Domains go through the below steps:

Step 1. Add download domain to internal DNS

Add a new domain name with the name download that points to the primary domain name in the internal DNS.

NameTypeValue
downloadAlias (CNAME)mail.exoip.com

This is what it looks like.

CVE-2021-1730 vulnerability internal DNS CNAME

Double-click the download CNAME record to check the properties.

CVE-2021-1730 vulnerability internal DNS CNAME properties

Step 2. Add download domain to external DNS

Add a new domain name with the name download.mail that points to the primary domain name in the external DNS.

NameTTLTypeValue
download.mail5 min.CNAMEmail.exoip.com.

This is what it looks like.

CVE-2021-1730 vulnerability public DNS CNAME

Step 3. Add download domain to certificate

Add the download domain to your existing SSL certificate (SAN).

This is how the third-party certificate looks in our example.

CVE-2021-1730 vulnerability add download domain to SAN

If we don’t adjust the certificate, it will break the inline images in Outlook Web Access (OWA) because the domain name download.mail.exoip.com is not in the list.

CVE-2021-1730 vulnerability image not loading

Suppose you have a wildcard certificate, you don’t have to do anything, and you’re all set. That’s because a wildcard certificate will include all subdomains in the certificate.

Step 4. Add download domain to OWA virtual directory

Add the download domain to the OWA virtual directory using the following two cmdlets on the Exchange Server.

Note: Run the commands on all the Exchange Servers OWA virtual directory.

Internal download hostname:

 [PS] C:\>Set-OwaVirtualDirectory -Identity "EX01-2019\owa (Default Web site)" -InternalDownloadHostName "download.mail.exoip.com"

External download hostname:

[PS] C:\>Set-OwaVirtualDirectory -Identity "EX01-2019\owa (Default Web site)" -ExternalDownloadHostName "download.mail.exoip.com"

Verify that the internal and external download host names are set.

[PS] C:\>Get-OwaVirtualDirectory | ft Identity,*DownloadHostName

Identity                         ExternalDownloadHostName InternalDownloadHostName
--------                         ------------------------ ------------------------
EX01-2019\owa (Default Web Site) download.mail.exoip.com  download.mail.exoip.com
EX02-2019\owa (Default Web Site) download.mail.exoip.com  download.mail.exoip.com

Step 5. Enable Download Domains

Set the EnableDownloadDomains flag to true.

[PS] C:\>Set-OrganizationConfig -EnableDownloadDomains $true

Confirm Download Domains enabled

You should always confirm that the Download Domain is enabled successfully by following the below steps:

1. Send an email with an inline image from a user to another user in the organization.

CVE-2021-1730 vulnerability add inline image

2. Login into OWA and open the email with the inline image. The image should load and be displayed in the reading pane.

Download Domains are not configured inspect image loaded

3. Right-click the page and select Inspect to open the inspector tool.

4. Ensure that the Inspector tab is selected and select the image. Verify that the download domain URL appears.

Download Domains are not configured inspect image

5. Run the Exchange Health Checker script and check the health report.

The Exchange health report shows that there are no security vulnerabilities detected.

Exchange Health Checker report vulnerability none

That’s it! Did this help you to address the CVE-2021-1730 vulnerability?

Read more: Change DAG witness server and witness directory »

Conclusion

We showed how to configure Download Domains to address CVE-2021-1730 vulnerability. This vulnerability is not automatically addressed when you install Exchange Cumulative Update or Security Update. You must manually configure Download Domains in Exchange Server.

Did you enjoy this article? You may also like Exchange database dismounts unexpectedly. Don’t forget to follow us and share this article.

ALI TAJRAN

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »

This Post Has One Comment

  1. Great article. Yours is much better then Microsoft’s as you actually explain what to do with the SSL certificate which now I know is to add it to my SAN or use a wildcard.
    Thanks Ali

Leave a Reply

Your email address will not be published.