Exchange Server: 80% not patched against CVE-2020-0688

[German] Very nasty: a patch for the Remote Code Execution (RCE) vulnerability CVE-2020-0688 in Microsoft's Exchange Server has been available since February 2020. But 80% of the publicly reachable Microsoft Exchange Servers are still not patched. However, the advice 'patch your server' is not always that easy to follow.


On the road to disaster?

I had already addressed this topic in the 2018 blog post Vulnerability in Exchange Server 2010-2019. The vulnerability CVE-2020-0688 exists in Exchange from version 2010 through 2019, a public exploit for it has existed since the end of February 2020, and updates that close the vulnerability have been available since February 11, 2020.

Vulnerability CVE-2020-0688

The vulnerability CVE-2020-0688 is a Microsoft Exchange validation key remote code execution vulnerability, described in this Microsoft advisory dated February 11, 2020. It exists because Exchange Server fails to create unique cryptographic keys during installation: every installation ships with the same static ASP.NET validation and decryption keys for the Exchange Control Panel (ECP), so the key material is effectively public.

Knowing the validation key, an authenticated user with a mailbox can craft a ViewState that passes the MAC check and so pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. Simon Zuckerbraun from the Zero Day Initiative published this blog post on February 25, 2020 with a detailed explanation. Tenable also has this post on the topic.

Warning at the end of February 2020 here in the blog

It is unfortunately a recurring theme. On February 28, 2020 I had published the article Attack to unpatched Exchange Servers (CVE-2020-0688) here in the blog. The message: Cyber criminals are currently scanning the Internet for unpatched Exchange installations in order to exploit vulnerabilities. 

Security update released on February 11, 2020

Microsoft released a security update on February 11, 2020. It fixes the vulnerability by correcting the way Microsoft Exchange creates the keys during installation. Here are the available updates, which are classified as important:


  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30: KB4536989
  • Microsoft Exchange Server 2013 Cumulative Update 23: KB4536988
  • Microsoft Exchange Server 2016 Cumulative Update 14: KB4536987
  • Microsoft Exchange Server 2016 Cumulative Update 15: KB4536987
  • Microsoft Exchange Server 2019 Cumulative Update 3: KB4536987
  • Microsoft Exchange Server 2019 Cumulative Update 4: KB4536987

So the required security updates are now available and can be installed.

Poor update quality!

But it is not as simple as naively saying 'finally patch', because Microsoft's patches are often a source of serious update trouble. So I had to publish the blog post Exchange Server 2013: Issue with Security Update KB4536988 to mention issues with these updates. The article listed at the end of this blog post contains hints on how affected admins can get the Exchange Server up and running again.

80% of systems are unpatched

In view of the situation outlined above, it is no wonder that administrators postpone patching. And now the issue comes back at the worst possible time, during the COVID-19 crisis. There is a bomb ticking, because about 80% of the publicly accessible Exchange Servers are probably vulnerable via CVE-2020-0688.

Bleeping Computer points this out again in the article linked in the above tweet. Background: Rapid7, the cyber security company that develops the Metasploit penetration testing framework, added an MS Exchange RCE module for this vulnerability to the framework on March 4, 2020, after several proof-of-concept exploits had appeared on GitHub.

Starting on March 24, Rapid7 used its Project Sonar to scan all publicly accessible Exchange servers on the Internet. The following tweet gives some results.

The results are not reassuring. At least 357,629 (82.5%) of the 433,464 Internet-accessible Exchange servers are still vulnerable to attacks on CVE-2020-0688. Follow-up tweets from Tom Sellers reveal further unpleasant details.

The details can be read in this Rapid7 blog post, which lists the Exchange builds that are considered fixed. It also warns that the build number shown by Exchange 2010 in the Exchange Management Shell (EMS) and Exchange Management Console (EMC) cannot be trusted once Service Pack 3 is installed, because it does not change when update rollups are applied; the file version of ExSetup.exe is the reliable indicator there. Admins of Exchange servers should therefore read the above blog post carefully.
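As an added example (not code from the original post, from Rapid7, or from Microsoft), the following PowerShell function turns the update list above and the Rapid7 build list into a concrete check: it takes a build string in either the ExSetup.exe file-version form or the Get-ExchangeServer AdminDisplayVersion form and reports whether that build contains the February 2020 fix. The function name is hypothetical; the fixed build numbers are the February 2020 security-update builds as I recall them from Microsoft's build table and should be verified against the current table before the output is relied on. The sample inputs at the end are constructed, not scan data; the on-box part assumes the `ExchangeInstallPath` environment variable that Exchange setup creates.

```powershell
# Added example, not from the original post: classify an Exchange build against
# the first builds that contain the CVE-2020-0688 fix.
# Assumption: these are the February 2020 security-update builds (verify them
# against Microsoft's current build table before relying on the result).
$FixedBuilds = @{
    # 'major.minor.build' of the CU/SP that received the fix => first fixed revision
    '14.3.496'  = 0    # Exchange 2010 SP3 Update Rollup 30 (KB4536989)
    '15.0.1497' = 6    # Exchange 2013 CU23 + security update (KB4536988)
    '15.1.1847' = 7    # Exchange 2016 CU14 + security update (KB4536987)
    '15.1.1913' = 7    # Exchange 2016 CU15 + security update (KB4536987)
    '15.2.464'  = 11   # Exchange 2019 CU3 + security update (KB4536987)
    '15.2.529'  = 8    # Exchange 2019 CU4 + security update (KB4536987)
}

function Get-Cve20200688Status {   # hypothetical name, not a Microsoft cmdlet
    [CmdletBinding()]
    param(
        # Accepts '15.1.1847.7', '15.01.1847.007' (ExSetup.exe ProductVersion)
        # or 'Version 15.1 (Build 1847.7)' (Get-ExchangeServer AdminDisplayVersion)
        [Parameter(Mandatory)] [string] $BuildString,
        # Set this when the value came from AdminDisplayVersion, not from ExSetup.exe
        [switch] $FromAdminDisplayVersion
    )

    if ($BuildString -match 'Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)') {
        $v = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
    } elseif ($BuildString -match '^\d+\.\d+\.\d+\.\d+$') {
        $v = [version]$BuildString          # [version] tolerates the leading zeros
    } else {
        throw "Unrecognised build string: '$BuildString'"
    }

    $result = [pscustomobject]@{ Build = $v.ToString(); Status = ''; Note = '' }

    # Exchange 2010 caveat from the Rapid7 post: AdminDisplayVersion keeps the
    # SP3 value (14.3.123.4) no matter which rollup is installed, so it proves nothing.
    if ($v.Major -eq 14 -and $FromAdminDisplayVersion) {
        $result.Status = 'Indeterminate'
        $result.Note   = 'Exchange 2010 AdminDisplayVersion ignores rollups; read the ExSetup.exe file version'
        return $result
    }

    $key = '{0}.{1}.{2}' -f $v.Major, $v.Minor, $v.Build
    if ($FixedBuilds.ContainsKey($key)) {
        # Same CU/SP as a fixed build: the revision tells whether the SU is installed
        if ($v.Revision -ge $FixedBuilds[$key]) {
            $result.Status = 'Patched';    $result.Note = "at or above $key.$($FixedBuilds[$key])"
        } else {
            $result.Status = 'Vulnerable'; $result.Note = "security update missing, need $key.$($FixedBuilds[$key])"
        }
        return $result
    }

    # Different CU: compare the CU build against the fixed CUs of the same product line
    $lineBuilds = foreach ($k in $FixedBuilds.Keys) {
        $p = $k.Split('.')
        if ([int]$p[0] -eq $v.Major -and [int]$p[1] -eq $v.Minor) { [int]$p[2] }
    }
    if (-not $lineBuilds) {
        $result.Status = 'Unknown';    $result.Note = 'no fix data for this product line'
    } elseif ($v.Build -gt ($lineBuilds | Measure-Object -Maximum).Maximum) {
        $result.Status = 'Patched';    $result.Note = 'CU released after February 2020 already contains the fix'
    } else {
        $result.Status = 'Vulnerable'; $result.Note = 'CU/SP too old, no security update exists for it; move to a supported CU first'
    }
    return $result
}

# Constructed sample inputs (not real scan data)
@(
    @{ BuildString = '15.1.1847.7' }                                                # 2016 CU14 with the SU
    @{ BuildString = '15.1.1847.3' }                                                # 2016 CU14 without the SU
    @{ BuildString = '15.1.1779.2' }                                                # 2016 CU13, out of support
    @{ BuildString = '15.2.595.3' }                                                 # 2019 CU5, released after the fix
    @{ BuildString = 'Version 14.3 (Build 123.4)'; FromAdminDisplayVersion = $true } # 2010 as shown by EMS/EMC
    @{ BuildString = '14.03.0496.000' }                                             # 2010 RU30 as shown by ExSetup.exe
) | ForEach-Object { $args = $_; Get-Cve20200688Status @args } | Format-Table -AutoSize

# On an Exchange server itself, use the authoritative file version
# (assumes the ExchangeInstallPath environment variable set by Exchange setup).
if ($env:ExchangeInstallPath) {
    $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
    Get-Cve20200688Status -BuildString (Get-Item $exsetup).VersionInfo.ProductVersion
}
```

The same function classifies build strings obtained remotely the way Project Sonar did (for example the version segment in the OWA login page's resource paths), which is why it accepts the bare four-part form as well as the EMS output. The important design point is the Exchange 2010 branch: a 14.3 value from AdminDisplayVersion is deliberately reported as indeterminate rather than guessed, because that field never reflects a rollup.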

Time to patch (in the right way)

I have read in several articles the request to 'patch now'. While that is true, the recommendation is not sufficient. Administrators need to take measures so that the Exchange servers are up and running after patching. If you are affected by an unpatched Exchange Server, you have the necessary information in the text above, including the notes in the article Exchange Server 2013: Issue with Security Update KB4536988. Maybe it will help – good luck.

Similar articles:
Vulnerability in Exchange Server 2010-2019.
Exchange Server 2013 Mail issues after Feb. 2020 Update
Microsoft recommends disabling SMBv1 on Exchange
Security information for Linux and Exchange
Attack to unpatched Exchange Servers (CVE-2020-0688)
Exchange Server 2013: Issue with Security Update KB4536988
