February 26, 2020 (updated 27 Feb 2020 9:32am)

Microsoft Exchange Server Vulnerability: Mass Scanning Starts as Exploit Details Land

"An attacker can execute arbitrary .NET code on the server..."

By CBR Staff Writer

A major security flaw affecting every single supported version of Microsoft Exchange Server leaves attackers able to “divulge or falsify corporate email communications at will”, Trend Micro’s Zero Day Initiative (ZDI) warned this week.

Details of how to exploit the vulnerability – reported to ZDI by an anonymous security researcher – are now public, meaning bad actors are likely to be working on attacks based on the technique. Microsoft is warning that the bug will be exploited in the next 30 days if admins have not patched their systems. Millions are likely affected.

Mass scanning for the vulnerability has reportedly started already.

Microsoft Exchange Server Vulnerability: Officially Patched, but…

A patch for the vulnerability, CVE-2020-0688, has been available since February 11 as part of Microsoft’s monthly “Patch Tuesday” release, but many companies delay regular patching over fears of downtime or unexpected system side-effects, heightening security risks.


(Some 46 percent of respondents to a major Cisco survey of CISOs published this week suffered a security incident in 2019 caused by an unpatched vulnerability.)

Microsoft’s advisory initially attributed the bug to a memory corruption vulnerability.

ZDI, one of the leading bug bounty programmes, notes that Microsoft has since revised its write-up to correctly state that the vulnerability “results from Exchange Server failing to properly create unique cryptographic keys at the time of installation.”

While exploitation requires a valid user login, there is no shortage of tools, for malicious hackers and white hats alike, that pull company staff details from LinkedIn, derive email addresses and then attempt to gain access via credential stuffing. Any single set of valid mailbox credentials is enough, so companies presenting Exchange directly to the internet need to patch urgently.

ZDI said: “Specifically, the bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config.

“These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter.”

ZDI added: “Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data. With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”
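The mechanism ZDI describes comes down to one property of the validationKey: it is the secret behind the MAC that tells the server a __VIEWSTATE blob is its own, and a MAC computed with a secret every attacker already holds proves nothing. The following is an added example written for this article, not code from ZDI, Microsoft or Exchange. It is a deliberately simplified model of ASP.NET’s scheme (JSON state plus HMAC-SHA1, not the real ViewState serialization format), and the static key value in it is a constructed placeholder, not Exchange’s shipped key. It shows a forged blob being accepted under a key shared by every installation and rejected, before any deserialization, under a key generated per installation.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Simplified model of how ASP.NET protects ViewState: the serialized state is
# followed by an HMAC computed with validationKey over state + a per-page
# modifier, then base64-encoded into the __VIEWSTATE field the client sends
# back. Constructed for illustration; ASP.NET's real serialization format and
# MAC inputs are more involved than this.

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes

# Constructed stand-in for a validationKey that ships identically in every
# installation's web.config (hypothetical value, not Exchange's real key).
STATIC_VALIDATION_KEY = b"constructed-key-identical-on-every-install"


def sign_viewstate(state: dict, validation_key: bytes, modifier: bytes = b"") -> str:
    """Serialize state and append HMAC-SHA1(validation_key, state || modifier)."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload + modifier, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(blob: str, validation_key: bytes, modifier: bytes = b"") -> Optional[dict]:
    """Return the embedded state if the MAC checks out, else None (never deserialize on failure)."""
    raw = base64.b64decode(blob)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + modifier, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def generate_validation_key() -> bytes:
    """What an installer should do: mint a fresh random key for this installation only."""
    return secrets.token_bytes(64)


def demo_static_vs_per_install_key() -> dict:
    modifier = b"ecp/default.aspx"  # stands in for ASP.NET's per-page modifier
    # Attacker-chosen state. In the real bug this is a serialized .NET object
    # graph that runs code when deserialized; here it is an inert marker.
    attacker_state = {"source": "attacker"}

    # The attacker knows the static key (it is the same in every web.config)
    # and produces a blob whose MAC the server verifies as genuine.
    forged_blob = sign_viewstate(attacker_state, STATIC_VALIDATION_KEY, modifier)
    static_server_accepts = verify_viewstate(forged_blob, STATIC_VALIDATION_KEY, modifier) is not None

    # A server whose key was generated at install time rejects the same blob
    # before any deserialization happens, which is the whole point of the MAC.
    per_install_key = generate_validation_key()
    patched_server_accepts = verify_viewstate(forged_blob, per_install_key, modifier) is not None

    # Tampering with a genuinely signed blob is caught as well.
    genuine_blob = sign_viewstate({"source": "server"}, per_install_key, modifier)
    tampered_raw = bytearray(base64.b64decode(genuine_blob))
    tampered_raw[0] ^= 0x01
    tampered_blob = base64.b64encode(bytes(tampered_raw)).decode()
    tampered_accepted = verify_viewstate(tampered_blob, per_install_key, modifier) is not None

    return {
        "static_key_accepts_forgery": static_server_accepts,
        "per_install_key_accepts_forgery": patched_server_accepts,
        "tampered_genuine_blob_accepted": tampered_accepted,
    }


if __name__ == "__main__":
    print(demo_static_vs_per_install_key())
```

The takeaway for a defender is that the fix is not a code change to the deserializer but key hygiene: the MAC only guards the deserialization step if the key is unique to the server, which is what the patch restores.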
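Because the attack rides on the __VIEWSTATE parameter ZDI mentions, IIS logs on an Exchange server give a cheap check for attempts against ECP. The detector below is an added example written for this article, not a tool from ZDI or Microsoft. It relies on one assumption, stated here: a legitimate ASP.NET page submits __VIEWSTATE as a hidden form field in the POST body, so it never appears in the cs-uri-query column; ViewState in the query string of a request to /ecp/ therefore indicates a hand-built request. The log excerpt is constructed, and its IPs, users, timestamps and query values are placeholders.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not a real capture). The two GET requests
# from 198.51.100.23 carry __VIEWSTATE in the query string, which is the
# pattern this detector flags; the browser POST to ECP is normal traffic.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:02 10.0.0.5 GET /owa/ - 443 - 203.0.113.7 Mozilla/5.0 200
2020-02-26 10:01:09 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\jsmith 203.0.113.7 Mozilla/5.0 200
2020-02-26 10:02:44 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=XXXXXXXX&__VIEWSTATE=constructedblob 443 CORP\\jsmith 198.51.100.23 python-requests/2.22.0 500
2020-02-26 10:02:45 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=constructedblob2 443 CORP\\jsmith 198.51.100.23 python-requests/2.22.0 500
2020-02-26 10:03:10 10.0.0.5 GET /ecp/ - 443 CORP\\asmith 203.0.113.9 Mozilla/5.0 200
"""

ECP_STEM = re.compile(r"^/ecp(/|$)", re.IGNORECASE)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines, honouring the #Fields: header for column order."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def flag_ecp_viewstate_in_query(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return requests to /ecp/ whose query string carries a __VIEWSTATE parameter."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        query = row.get("cs-uri-query", "-")
        if not ECP_STEM.match(row.get("cs-uri-stem", "")) or query == "-":
            continue
        # Assumption: genuine ASP.NET form submissions post __VIEWSTATE in the
        # body, so a __VIEWSTATE key in cs-uri-query is a crafted request.
        params = {k.upper() for k in parse_qs(query, keep_blank_values=True)}
        if "__VIEWSTATE" in params:
            hits.append({
                "time": f"{row.get('date', '-')} {row.get('time', '-')}",
                "client": row.get("c-ip", "-"),
                "user": row.get("cs-username", "-"),
                "method": row.get("cs-method", "-"),
                "status": row.get("sc-status", "-"),
            })
    return hits


def summarise_by_client(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source IP, the first thing a responder wants to see."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["client"]] = counts.get(hit["client"], 0) + 1
    return counts


def scan_iis_log(text: str) -> List[Dict[str, str]]:
    return flag_ecp_viewstate_in_query(parse_iis_w3c(text))


if __name__ == "__main__":
    found = scan_iis_log(SAMPLE_IIS_LOG)
    for hit in found:
        print(hit)
    print(summarise_by_client(found))
```

On a real server, point `scan_iis_log` at the W3C logs of the site hosting ECP; a hit also tells you which authenticated account was used, which is the credential to reset after any hit, since the bug needs a valid login to begin with.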

Starting in May last year, Microsoft users were given more control over when their systems install the latest security update. The change came after version 1809 exhibited severe bugs and became the first major Windows update to be recalled for quality reasons; users no longer face forced updates.

See Also: Microsoft Promises Closer Coordination with OEMs, Software Vendors After Botched Update
