Advisory Overview
All unpatched versions of Microsoft Exchange Server are vulnerable to a remote code execution bug. The attack requires successful authentication to an Exchange Server. Attackers are scanning the internet for unpatched servers and attempting to authenticate with leaked or phished credentials to exploit this bug. SKOUT recommends updating all unpatched versions of Exchange Server. More information on the patch is available below.
Technical detail and additional information
What is the threat?
An anonymous researcher reported that a new remote code execution bug has been discovered in Microsoft Exchange Server. This bug affects all supported versions of Microsoft Exchange Server up until the most recent patch. Threat actors have been scanning the internet for unpatched servers which will allow them to perform the exploit referred to as CVE-2020-0688. The bug exists within the Exchange Server’s cryptographic capabilities. This is caused by Exchange’s inability to create unique keys when installed. Once a threat actor steals the credentials of any user within the Exchange environment, they will be able to take over the server immediately. Only authentication to the server is required for the successful exploitation of this vulnerability. Vulnerable servers have been found through data dumps, searching for email addresses through the Outlook Web Access portal URL.
Why is this noteworthy?
Microsoft Exchange is a mail server and calendaring server developed used by thousands of corporations around the world. This is a critically rated vulnerability within Exchange as the inability to create can allow any attacker who can compromise the credentials of any enterprise user to take over the entire Exchange Server. There are open-source tools out there that allow attackers to scan the internet for any organizations that use Microsoft Exchange thus allowing them to attempt exploitation on systems that are not properly patched. Once an Exchange Server is compromised attackers can dump all users’ passwords since these are stored in plain text. As this is a zero-day this vulnerability should be a top priority for Exchange Server Administrators as no workaround can be put into place to prevent this attack administrators must patch servers.
What is the exposure or risk?
Leaving a Microsoft Exchange Server unpatched can allow threat actors to launch various attacks on an organization. For example, a threat attacker that can compromise an Exchange Server will be in the position to fabricate corporate email communication, drop ransomware payloads on the server and can steal user credentials from hundreds of users within minutes as these credentials are stored in plain text.
What are the recommendations?
Microsoft has an update available for this vulnerability, Exchange Server administrators should deploy the patch immediately. Microsoft has patched this vulnerability in February 2020. This vulnerability was addressed by “correcting how Microsoft Exchange creates the keys during install.” Essentially cryptographic keys are now randomized at the installation time.
Updates available via: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/
- https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
If you have any questions, please contact our Security Operations Center.
