Attackers probing for vulnerable Microsoft Exchange Servers, is yours one of them?
CVE-2020-0688, a remote code execution bug in Microsoft Exchange Server that Microsoft patched in early February, is ripe for exploitation and could become a vector for ransomware groups in the coming months, warns cybersecurity researcher Kevin Beaumont.
Organizations running on-premises Exchange Server (any supported version: 2010, 2013, 2016 and 2019, on any build released before the February patch) would do well to patch as soon as possible, as scanning for vulnerable internet-facing servers has already begun.
CVE-2020-0688 exploitation
CVE-2020-0688 was initially classified by Microsoft as a memory corruption vulnerability, but it turned out to be caused by Exchange Server failing to generate unique cryptographic keys at installation time: every install ships the same static ASP.NET machineKey (validationKey and decryptionKey) in the web.config of the Exchange Control Panel (ECP). Because ECP's ViewState is protected only by an HMAC computed with that key, anyone who knows it can craft ViewState that passes validation and is deserialized by the server, which runs as SYSTEM, resulting in code execution.
More technical details and a demonstration of CVE-2020-0688 exploitation were published on Tuesday by Trend Micro's Zero Day Initiative (ZDI), which acted as an intermediary between Microsoft and the anonymous researcher who discovered the flaw.
ZDI security researcher Simon Zuckerbraun reiterated ZDI's initial position that the flaw should be rated Critical rather than Important.
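The following is an added illustration of why a key that is identical on every install defeats integrity protection; it is not the ZDI proof-of-concept, not Exchange's real key, and not ASP.NET's exact ViewState wire format. It models the essential mechanism: the server appends an HMAC over the serialized state using the validationKey and only deserializes state whose MAC verifies. The key value, page generator and state contents below are all hypothetical.

```python
"""
Toy model of MAC-protected client-side state (ASP.NET ViewState style) showing
how a validationKey shared by every install lets an outsider forge state the
server accepts, while a per-install random key rejects the same forgery.
"""
import base64
import hashlib
import hmac
import json
import secrets

MAC_LEN = hashlib.sha1().digest_size  # HMAC-SHA1 tag is 20 bytes

# Hypothetical stand-in for a validationKey baked into a shipped web.config.
# It is NOT Exchange's real key; the point is only that every install has it.
STATIC_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344")


def sign_state(key: bytes, state: bytes, modifier: bytes = b"") -> str:
    """Return base64(state || HMAC-SHA1(key, state || modifier)).
    'modifier' plays the role of the per-page generator value ASP.NET mixes in."""
    mac = hmac.new(key, state + modifier, hashlib.sha1).digest()
    return base64.b64encode(state + mac).decode("ascii")


def verify_state(key: bytes, token: str, modifier: bytes = b""):
    """Return the decoded state if the MAC checks out, otherwise None."""
    raw = base64.b64decode(token)
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state + modifier, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(state)


class ControlPanelServer:
    """Stand-in for a web app that round-trips MAC-protected state via the client.
    Real ASP.NET deserializes .NET objects at this point, which is where code
    execution comes from; this model just hands back the verified dict."""

    def __init__(self, validation_key: bytes, page_generator: bytes):
        self.key = validation_key
        self.generator = page_generator

    def issue_state(self, state: dict) -> str:
        return sign_state(self.key, json.dumps(state).encode(), self.generator)

    def load_state(self, token: str):
        return verify_state(self.key, token, self.generator)


# The attacker's forged state. In the real bug this is a serialized gadget
# chain; here it is just a dict the server never issued.
FORGED_STATE = {"action": "attacker-controlled", "note": "never issued by the server"}
PAGE_GENERATOR = b"EXAMPLE1"  # hypothetical, not a real __VIEWSTATEGENERATOR value


def forge_against(server: ControlPanelServer, attacker_key: bytes):
    """Sign FORGED_STATE with the key the attacker believes the server uses and
    submit it. Returns the state the server accepted, or None if rejected."""
    token = sign_state(attacker_key, json.dumps(FORGED_STATE).encode(), server.generator)
    return server.load_state(token)


def run_static_key_scenario():
    """Every install uses the same key, so the attacker knows it: forgery accepted."""
    server = ControlPanelServer(STATIC_VALIDATION_KEY, PAGE_GENERATOR)
    return forge_against(server, STATIC_VALIDATION_KEY)


def run_unique_key_scenario():
    """Each install generated its own key at setup time: the same forgery fails."""
    server = ControlPanelServer(secrets.token_bytes(32), PAGE_GENERATOR)
    return forge_against(server, STATIC_VALIDATION_KEY)


def legitimate_round_trip_still_works():
    """Sanity check: a unique key does not break state the server itself issued."""
    server = ControlPanelServer(secrets.token_bytes(32), PAGE_GENERATOR)
    token = server.issue_state({"action": "view-mailbox"})
    return server.load_state(token)


if __name__ == "__main__":
    print("static key, forged state accepted:", run_static_key_scenario())
    print("unique key, forged state accepted:", run_unique_key_scenario())
    print("unique key, legitimate state:", legitimate_round_trip_still_works())
```

The MAC itself is sound in both scenarios; what changes is whether "the MAC verifies" still implies "this server produced it". With a key that ships in a public config, it does not, which is why authentication is the only hurdle left and why the fix is a patch rather than a configuration change.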
“Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, most any user would be allowed to authenticate to the Exchange server,” he explained.
“Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.”
🚨 Microsoft Exchange remote code execution using IIS, simple ascii web request to code execution as SYSTEM on all versions of Exchange (including unsupported) using internet interface🚨 Needs authentication, I’ll explain why not a big hurdle in thread. https://t.co/GKBGuEv28E
— Kevin Beaumont (@GossiTheDog) February 25, 2020
Beaumont also noted that an attacker with SYSTEM access to an Exchange Server could run Mimikatz and harvest plaintext user passwords from memory.
Patch ASAP!
As noted before, the probing for vulnerable servers has already begun (some of it possibly by security researchers):
That was quick, since 2 hours ago seeing likely mass scanning for CVE-2020-0688 (Microsoft Exchange 2007+ RCE vulnerability). pic.twitter.com/Kp3zOi5AOA
— Kevin Beaumont (@GossiTheDog) February 25, 2020
CVE-2020-0688 mass scanning activity has begun. Query our API for "tags=CVE-2020-0688" to locate hosts conducting scans. #threatintel
— Bad Packets Report (@bad_packets) February 25, 2020
No mitigations or workarounds exist for this flaw, so Exchange Server administrators should deploy the patch as soon as their testing is complete.
“Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release. As demonstrated, that certainly seems likely,” Zuckerbraun concluded.
UPDATE (February 29, 2020, 1:35 a.m. PT): TrustedSec published a quality write-up about how to detect exploitation of the flaw.
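As an added example (not the TrustedSec write-up's code or any vendor tool), here is a minimal triage pass over IIS W3C logs from an Exchange server. The public demonstration of CVE-2020-0688 drives the Exchange Control Panel with a GET to /ecp/default.aspx that carries __VIEWSTATEGENERATOR and __VIEWSTATE in the query string; ordinary browser use of ECP does not put ViewState in a GET query string, so such requests stand out. The log lines are constructed, and the field layout assumes a typical IIS W3C `#Fields:` header.

```python
"""
Flag GET requests to /ecp/default.aspx that carry ViewState in the query
string, then summarize them by authenticated user and client IP.
"""
from urllib.parse import parse_qs

# Constructed sample log in IIS W3C extended format. Not real traffic.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:12 10.0.0.5 GET /owa/ - 443 CORP\\alice 203.0.113.10 Mozilla/5.0 200
2020-02-26 10:02:47 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 203.0.113.10 Mozilla/5.0 200
2020-02-26 10:03:15 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE1&__VIEWSTATE=%2FwEyREVNTw%3D%3D 443 CORP\\bob 198.51.100.7 python-requests/2.22.0 500
2020-02-26 10:03:16 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=EXAMPLE1&__VIEWSTATE=%2FwEyREVNTw%3D%3D 443 CORP\\bob 198.51.100.7 python-requests/2.22.0 500
2020-02-26 10:05:00 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\carol 203.0.113.11 Mozilla/5.0 200
"""


def parse_w3c(text: str):
    """Yield one dict per data line, keyed by the names from the #Fields header.
    IIS writes '-' for empty fields and '+' for spaces inside a field, so a
    plain split on spaces is safe."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the current header
        yield dict(zip(fields, values))


def is_viewstate_get_to_ecp(rec: dict) -> bool:
    """True for a GET to /ecp/default.aspx whose query string carries both
    __VIEWSTATE and __VIEWSTATEGENERATOR."""
    if rec.get("cs-method", "").upper() != "GET":
        return False
    if not rec.get("cs-uri-stem", "").lower().endswith("/ecp/default.aspx"):
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":
        return False
    params = parse_qs(query, keep_blank_values=True)
    return "__VIEWSTATE" in params and "__VIEWSTATEGENERATOR" in params


def find_viewstate_in_query(text: str):
    """Return the matching log records, in file order."""
    return [rec for rec in parse_w3c(text) if is_viewstate_get_to_ecp(rec)]


def summarize(hits):
    """Count hits per (cs-username, c-ip) so an analyst sees which account was
    used from where, and how many attempts were made."""
    counts = {}
    for rec in hits:
        key = (rec.get("cs-username", "-"), rec.get("c-ip", "-"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_viewstate_in_query(SAMPLE_IIS_LOG)
    for (user, ip), n in summarize(hits).items():
        print(f"{user} from {ip}: {n} ViewState-in-query request(s) to ECP")
```

Two caveats for anyone running something like this for real: the account in `cs-username` is the compromised or insider credential used to clear the authentication hurdle, so it is the first thing to investigate, and the HTTP status on such a request is not evidence that the attempt failed, since any payload runs during deserialization before the page finishes handling the request.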