A major security flaw affecting every single supported version of Microsoft Exchange Server leaves attackers able to “divulge or falsify corporate email communications at will”, Trend Micro’s Zero Day Initiative (ZDI) warned this week.
Details of how to exploit the vulnerability – reported to ZDI by an anonymous security researcher – are now public, meaning bad actors are likely to be working on attacks based on the technique. Microsoft is warning that the bug will be exploited in the next 30 days if admins have not patched their systems. Millions are likely affected.
Mass scanning for the vulnerability has reportedly started already.
CVE-2020-0688 mass scanning activity has begun. Query our API for "tags=CVE-2020-0688" to locate hosts conducting scans. #threatintel
— Bad Packets Report (@bad_packets) February 25, 2020
Microsoft Exchange Server Vulnerability: Official Patched, but…
A patch for the vulnerability, CVE-2020-0688 has been available since Feb 18 as part of Microsoft’s monthly “Patch Tuesday“, but many companies delay regular patching over fears of downtime or unexpected system side-effects, heightening security risks.
(Some 46 percent suffered a security incident caused by an unpatched vulnerability in 2019 as result, according to a major survey of CISOs by Cisco this week).
This bug was initially attributed to a memory corruption vulnerability.
ZDI, one of the leading bug bounty programmes, notes that Microsoft has since revised its write-up to correctly state that the vulnerability “results from Exchange Server failing to properly create unique cryptographic keys at the time of installation.”
While exploitation requires initial user authentication, there is no shortage of tools for malicious hackers (and white hats) that pull company staff details from LinkedIn, identify email addresses then work to gain access via credential stuffing. Companies presenting Exchange directly to the internet need to patch urgently.
ZDI said: “Specifically, the bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config.
“These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.”
This will have huge impact!, another great example on how RCE can be achieved on OWA easily through ViewState deserialization attack. Red Teamers it's your chance now 🙂https://t.co/Qu5CW01gkc
— Ahmed Aboul-Ela (@aboul3la) February 25, 2020
ZDI added: “Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”
Starting in May last year Microsoft users were given more control over when their system initiates the latest Microsoft security update. The change came after Version 1809 exhibited severe bugs and subsequently became the first major Windows update to face a recall for quality reasons; with users no longer facing forced updates.
See Also: Microsoft Promises Closer Coordination with OEMs, Software Vendors After Botched Update
