Skip to main content

Your Exchange Server 2016/2019 is up to date with the latest Exchange Cumulative Update and Security Update. But when you check the Exchange Server health, it shows a security vulnerability is detected: Download Domains are not configured. This article will show how to configure Download Domains to address the CVE-2021-1730 vulnerability.

Vulnerability CVE-2021-1730

A spoofing vulnerability exists in Microsoft Exchange Server, which could result in an attack allowing a malicious actor to impersonate the user. To prevent these types of attacks, Microsoft recommends downloading inline images from different DNSdomains than the rest of OWA.

Important: Keep the Exchange Servers up to date with the latest Cumulative Update / Security Update. That’s also the case when you have an Exchange Hybrid Server for management purposes.

Check CVE-2021-1730 vulnerability status

Download and run the Exchange Server Health Checker script to detect if the Exchange Server is up to date and if the CVE-2021-1730 vulnerability exists or is already manually configured.

Generate an Exchange health report for all Exchange Servers. Run Exchange Management Shell and change the path to the C:\scripts folder.

[PS] C:\>cd C:\scripts
[PS] C:\scripts>Get-ExchangeServer | ?{$_.AdminDisplayVersion -Match "^Version 15"} | %{.\HealthChecker.ps1 -Server $_.Name}; .\HealthChecker.ps1 -BuildHtmlServersReport; .\ExchangeAllServersReport.html

This is what the Exchange health report looks like. It shows that a vulnerability is detected.

CVE-2021-1730 vulnerability detected

Go through the Exchange health report until you see the Security Vulnerabilities section.

Download Domains are not configured

The CVE-2021-1730 vulnerability is detected.

Security Vulnerabilities: Download Domains are not configured. You should configure them to be protected against CVE-2021-1730. Configuration instructions:

If the vulnerability is not present, you’re all set, and you can double-check and confirm that the Download Domain feature is enabled (see below).

Configure Download Domains

Configuring the Download Domains only applies and effect inline images in Outlook Web Access (OWA). So nothing will happen to the inline images in Outlook desktop or mobile application. Let’s say you configure it incorrectly, the inline images will not show up in OWA, but all inline images will work in all the other places.

What if you have all the mailboxes in Exchange Online or the organization does not use OWA? Then, we still recommend configuring Download Domains. That’s because you do not want any vulnerabilities in an organization.

To configure Download Domains go through the below steps:

Step 1. Add download domain to internal DNS

Add a new domain name with the name download that points to the primary domain name in the internal DNS.

Name Type Value
download Alias (CNAME)

This is what it looks like.

CVE-2021-1730 vulnerability internal DNS CNAME

Double-click the download CNAME record to check the properties.

CVE-2021-1730 vulnerability internal DNS CNAME properties

Step 2. Add download domain to external DNS

Add a new domain name with the name download.mail that points to the primary domain name in the external DNS.

Name TTL Type Value
download.mail 5 min. CNAME

This is what it looks like.

CVE-2021-1730 vulnerability public DNS CNAME

Step 3. Add download domain to certificate

Add the download domain to your existing SSL certificate (SAN).

This is how the third-party certificate looks in our example.

CVE-2021-1730 vulnerability add download domain to SAN

If we don’t adjust the certificate, it will break the inline images in Outlook Web Access (OWA) because the domain name is not on the list.

CVE-2021-1730 vulnerability image not loading

Suppose you have a multi-domain wildcard certificate, you don’t have to do anything, and you’re all set. That’s because a multi-domain wildcard certificate will secure multi-level subdomains.

Note: If you have a wildcard certificate, it will not work, and you must create a multi-domain wildcard certificate or create a SAN certificate, including the subdomain.

Step 4. Add download domain to OWA virtual directory

Add the download domain to the OWA virtual directory using the following two cmdlets on the Exchange Server.

Note: Run the commands on all the Exchange Servers OWA virtual directory.

Internal download hostname:

 [PS] C:\>Set-OwaVirtualDirectory -Identity "EX01-2019\owa (Default Web site)" -InternalDownloadHostName ""

External download hostname:

[PS] C:\>Set-OwaVirtualDirectory -Identity "EX01-2019\owa (Default Web site)" -ExternalDownloadHostName ""

Verify that the internal and external download host names are set.

[PS] C:\>Get-OwaVirtualDirectory | ft Identity,*DownloadHostName

Identity                         ExternalDownloadHostName InternalDownloadHostName
--------                         ------------------------ ------------------------
EX01-2019\owa (Default Web Site)
EX02-2019\owa (Default Web Site)

Step 5. Enable Download Domains

Set the EnableDownloadDomains flag to true.

[PS] C:\>Set-OrganizationConfig -EnableDownloadDomains $true

Step 6. Restart Internet Information Services (IIS)

Restart the Internet Information Services (IIS).

[PS] C:\>iisreset

Confirm Download Domains enabled

You should always confirm that the Download Domain is enabled successfully by following the below steps:

1. Send an email with an inline image from a user to another user in the organization.

CVE-2021-1730 vulnerability add inline image

2. Login into OWA and open the email with the inline image. The image should load and be displayed in the reading pane.

Download Domains are not configured inspect image loaded

3. Right-click the page and select Inspect to open the inspector tool.

4. Ensure that the Inspector tab is selected and select the image. Verify that the download domain URL appears.

Download Domains are not configured inspect image

5. Run the Exchange Health Checker script and check the health report.

The Exchange health report shows that there are no security vulnerabilities detected.

Exchange Health Checker report vulnerability none

That’s it! Did this help you to address the CVE-2021-1730 vulnerability?

Leave a Reply