Exchange Server: Terrible Patch Status; v2010 reaches EOL

[German] It's a terrible picture that security firm Rapid7 paints in its newest report. Roughly 247,000 Exchange Servers are running unpatched and are reachable from the Internet. Many Exchange Servers are vulnerable to CVE-2020-0688, and thousands of Exchange Server 2007 instances are still in use although they are out of support.


Bleeping Computer spotted the newest report, Microsoft Exchange 2010 End of Support and Overall Patching Study, from security firm Rapid7, which deals with the patch status of Microsoft Exchange Server. The results it presents are scary.

Microsoft Exchange Server 2010 reaches EOL

First of all, it should be noted that Microsoft's Exchange Server 2010 is reaching End of Support (EOS), also called End of Life (EOL). Originally, Exchange Server 2010 was planned to go out of support on January 14, 2020, the same date on which support for Windows Server 2008 R2 ends; Windows Server 2008 R2 is the base for Exchange Server 2010. But Microsoft's Director of Product Marketing for Exchange Server/Online, Greg Taylor, announced in a Tech Community post that support for Exchange Server 2010 would be extended until October 13, 2020.

This extension also aligns with the end of support for Office 2010 and SharePoint Server 2010 in October 2020. It means that after October 2020 those products no longer receive updates and security patches. But many companies don't seem to care: according to the Rapid7 report Microsoft Exchange 2010 End of Support and Overall Patching Study, about 54,000 Exchange 2010 servers have "not been updated for six years".

The nasty patch status of many Exchange Servers

The Rapid7 report Microsoft Exchange 2010 End of Support and Overall Patching Study reveals even more unpleasant insights into the patch status of many Exchange Servers.

Microsoft Exchange Server 2007 still in use

On April 11, 2017, Exchange Server 2007 reached end of support, so no updates have been available for more than 3 years. But Rapid7 also discovered 16,577 Microsoft Exchange 2007 servers accessible via the Internet. This version of the server does not receive security updates to protect against CVE-2020-0688 attacks (see below). Terrifying conditions.


Nasty Microsoft Exchange Server 2016 patch status

The patch status of many Microsoft Exchange Server 2016 instances reachable from the Internet is also miserable. Rapid7 uses its Internet scanning tool Project Sonar to check whether servers are patched. Its newest findings: of ~138,000 scanned Microsoft Exchange 2016 servers, 87% are not up to date with security patches.

25,000 Exchange 2019 Servers vulnerable to CVE-2020-0688

But the situation becomes even worse. I covered it in the blog post Vulnerability in Exchange Server 2010-2019 from 2018: there is a vulnerability, CVE-2020-0688, in Exchange from version 2010 to 2019. An exploit for this vulnerability has been known since January 2020, and updates to close the vulnerability have been available from Microsoft since February 11, 2020.

In April 2020 I had warned in the blog post Exchange Server: 80% not patched against CVE-2020-0688 that many Exchange Servers were not patched against the vulnerability. The newest study from Rapid7 says that 77% of ~25,000 scanned Exchange 2019 servers are vulnerable to CVE-2020-0688 due to missing security patches.

Vulnerability CVE-2020-0688

CVE-2020-0688 is a Microsoft Exchange Validation Key Remote Code Execution vulnerability described in this Microsoft document dated February 11, 2020. The remote code execution vulnerability exists in Microsoft Exchange Server because the server fails to create unique (cryptographic) keys during installation, so every installation ends up with the same validation key. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. Simon Zuckerbraun from the Zero Day Initiative published this blog post on February 25, 2020 with some explanations; Tenable also has this post on the topic. Microsoft has provided security updates for all supported Exchange Servers. Here are the available patches, all classified as important:

  • Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30: KB4536989
  • Microsoft Exchange Server 2013 Cumulative Update 23: KB4536988
  • Microsoft Exchange Server 2016 Cumulative Update 14: KB4536987
  • Microsoft Exchange Server 2016 Cumulative Update 15: KB4536987
  • Microsoft Exchange Server 2019 Cumulative Update 3: KB4536987
  • Microsoft Exchange Server 2019 Cumulative Update 4: KB4536987

So the required security updates have been available for months and can be installed. However, there were issues with the update, as I mentioned in the blog post Exchange Server 2013: Issue with Security Update KB4536988. In that article you can find hints on how affected administrators can get their Exchange Server up and running again. So it's time to patch and secure your Microsoft Exchange Servers.
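Besides installing the update, administrators can verify the condition the vulnerability depends on: the ECP web application's ASP.NET validation key being identical on every installation. The following PowerShell script is an added example (not code from the original post, Rapid7 or Microsoft); it reports a truncated hash of the key instead of the key itself so the output can be compared across servers safely, and it assumes the default web.config locations under `ExchangeInstallPath`.

```powershell
# Added example: fingerprint the ASP.NET machineKey of the Exchange ECP web application
# so that keys can be compared across servers without printing them.
# Assumption: ECP web.config files live at the default paths below under ExchangeInstallPath.
param([string[]]$ConfigPath)

if (-not $ConfigPath) {
    $root = $env:ExchangeInstallPath
    if (-not $root) { throw 'ExchangeInstallPath is not set; pass -ConfigPath explicitly.' }
    $ConfigPath = @('FrontEnd\HttpProxy\ecp\web.config', 'ClientAccess\ecp\web.config') |
        ForEach-Object { Join-Path -Path $root -ChildPath $_ }
}

function Get-KeyFingerprint {
    param([string]$Key)
    # Truncated SHA-256 of the key text: enough to compare servers, useless to recover the key.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $hash = $sha.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($Key))
    } finally { $sha.Dispose() }
    return (($hash | ForEach-Object { $_.ToString('x2') }) -join '').Substring(0, 16)
}

foreach ($path in $ConfigPath) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Config not found: $path"
        continue
    }
    [xml]$cfg = Get-Content -LiteralPath $path -Raw
    $mk  = $cfg.configuration.'system.web'.machineKey
    $vk  = if ($mk) { [string]$mk.validationKey } else { '' }
    $alg = if ($mk) { [string]$mk.validation } else { '' }

    if (-not $vk -or $vk -like 'AutoGenerate*') {
        # No fixed key in the file: ASP.NET generates one per server/application pool.
        $status = 'auto-generated'; $fp = 'n/a'
    } else {
        # A fixed key is normal for Exchange; what matters is that it is unique per installation.
        $status = "static ($($vk.Length) chars)"; $fp = Get-KeyFingerprint -Key $vk
    }

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        Config        = $path
        Validation    = $alg
        ValidationKey = $status
        Fingerprint   = $fp
    }
}
```

Run it on every Exchange server and compare the Fingerprint column: identical fingerprints on servers that were installed independently mean they share a validation key, which is exactly the condition the February 2020 update removes by correcting how keys are created during installation.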
