Sign up for our newsletter
Technology / Cybersecurity

Microsoft Exchange Server Vulnerability: Mass Scanning Starts as Exploit Details Land

A major security flaw affecting every single supported version of Microsoft Exchange Server leaves attackers able to “divulge or falsify corporate email communications at will”, Trend Micro’s Zero Day Initiative (ZDI) warned this week.

Details of how to exploit the vulnerability – reported to ZDI by an anonymous security researcher – are now public, meaning bad actors are likely to be working on attacks based on the technique. Microsoft is warning that the bug will be exploited in the next 30 days if admins have not patched their systems. Millions are likely affected.

Mass scanning for the vulnerability has reportedly started already.

White papers from our partners

— Bad Packets Report (@bad_packets) February 25, 2020

Microsoft Exchange Server Vulnerability: Official Patched, but… 

A patch for the vulnerability, CVE-2020-0688 has been available since Feb 18 as part of Microsoft’s monthly “Patch Tuesday“, but many companies delay regular patching over fears of downtime or unexpected system side-effects, heightening security risks.

(Some 46 percent suffered a security incident caused by an unpatched vulnerability in 2019 as result, according to a major survey of CISOs by Cisco this week).

This bug was initially attributed to a memory corruption vulnerability.

ZDI, one of the leading bug bounty programmes, notes that Microsoft has since revised its write-up to correctly state that the vulnerability “results from Exchange Server failing to properly create unique cryptographic keys at the time of installation.”

While exploitation requires initial user authentication, there is no shortage of tools for malicious hackers (and white hats) that pull company staff details from LinkedIn, identify email addresses then work to gain access via credential stuffing. Companies presenting Exchange directly to the internet need to patch urgently. 

ZDI said: “Specifically, the bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config.

“These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.”

ZDI added: “Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”

Starting in May last year Microsoft users were given more control over when their system initiates the latest Microsoft security update. The change came after Version 1809 exhibited severe bugs and subsequently became the first major Windows update to face a recall for quality reasons; with users no longer facing forced updates.

See Also: Microsoft Promises Closer Coordination with OEMs, Software Vendors After Botched Update

This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.