Trend Micro’s Zero Day Initiative (ZDI) reported this week that a major security flaw affecting every supported version of Microsoft Exchange Server gives attackers the ability to divulge or falsify corporate email communications at will.
Attackers are actively scanning the Internet for Microsoft Exchange Servers vulnerable to the CVE-2020-0688 remote code execution vulnerability patched by Microsoft two weeks ago.
Cybersecurity researcher Kevin Beaumont warns that the vulnerability could be exploited and become a vector for ransomware groups in the near future.
Details of how to exploit the vulnerability, which was reported to ZDI by an anonymous security researcher, are now public.
The flaw (CVE-2020-0688) – initially classified by Microsoft as a memory corruption vulnerability – exists in the Exchange Control Panel (ECP) component and is caused by Exchange failing to generate unique cryptographic keys at installation time.
Once exploited, it allows authenticated attackers to execute code remotely with SYSTEM privileges on the server and fully compromise it.
“Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, most any user would be allowed to authenticate to the Exchange server,” explained ZDI security researcher Simon Zuckerbraun.
“Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.”
To exploit this flaw, attackers simply have to find vulnerable servers that are accessible on the Internet, collect email addresses via the Outlook Web Access (OWA) portal URL, and obtain relevant credential dumps from previous data breaches.
Next, they only have to launch a credential stuffing attack and keep at it until they get a hit and can log in to the server. Once in, all that’s left is to exploit the CVE-2020-0688 vulnerability and fully compromise the targeted Exchange server.
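Because the attack chain described above starts with credential stuffing against OWA and ends with an authenticated visit to ECP, one defensive check is to look for bursts of OWA logon POSTs from a single client in the IIS logs and note whether that client later reaches ECP. The script below is an added example, not code from the article or from Microsoft; the IIS field layout, sample lines, endpoint paths and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IIS W3C sample (assumed field layout); the #Fields line drives parsing.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2020-02-26 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.9 Mozilla/5.0 200 15
2020-02-26 10:00:05 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.22 302 40
2020-02-26 10:00:06 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.22 302 38
2020-02-26 10:00:07 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.22 302 41
2020-02-26 10:00:08 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.22 302 39
2020-02-26 10:00:09 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 python-requests/2.22 302 37
2020-02-26 10:00:30 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.9 Mozilla/5.0 302 45
2020-02-26 10:05:00 10.0.0.5 GET /ecp/default.aspx - 443 jdoe 203.0.113.7 python-requests/2.22 200 60
"""
OWA_LOGON = "/owa/auth.owa"  # assumed forms-based logon endpoint path

def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def logon_bursts(text, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (peak_attempts, reached_ecp)} for clients that POST to
    the OWA logon endpoint >= threshold times inside any window (thresholds assumed)."""
    attempts, ecp_clients = defaultdict(list), set()
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower().startswith("/ecp/"):
            ecp_clients.add(rec["c-ip"])          # ECP access from the same client
        elif rec["cs-method"] == "POST" and rec["cs-uri-stem"].lower() == OWA_LOGON:
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            attempts[rec["c-ip"]].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = (peak, ip in ecp_clients)
    return flagged
```

A flagged client that also reaches ECP is worth checking against the update table below, since that is exactly the authenticated position CVE-2020-0688 requires.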
The security updates for all supported Microsoft Exchange Server versions:

| Product | KB article | Type |
|---|---|---|
| Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 4536989 | Security Update |
| Microsoft Exchange Server 2013 Cumulative Update 23 | 4536988 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 14 | 4536987 | Security Update |
| Microsoft Exchange Server 2016 Cumulative Update 15 | 4536987 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 3 | 4536987 | Security Update |
| Microsoft Exchange Server 2019 Cumulative Update 4 | 4536987 | Security Update |
Microsoft warns that the bug will be exploited in the next 30 days if admins have not patched their systems. Millions are likely affected.
Organizations running on-premise Exchange (any supported version: 2010, 2013, 2016 or 2019, prior to the recent patch) would do well to patch as soon as possible, as scanning for vulnerable internet-facing servers has already begun.
Because no mitigations or workarounds exist for this flaw, Exchange Server administrators should patch their servers before hackers get to them.