[German]Just a brief note to administrators of Microsoft Exchange servers: Did you patch them against the CVE-2020-0688 remote execution vulnerability? German CERT-Bund has been warning for weeks that numerous German Exchange servers accessible via the Internet are still vulnerable. I guess other countries shows a similar picture.
Advertising
Warning from CERT-Bund about CVE-2020-0688
CERT-Bund complains on Twitter every day about unpatched Exchange servers in Germany. Here are the tweets. 6 weeks ago, German CERT-Bund started a campaign in which daily reports were sent to German network operators/providers. They were informed about vulnerable Microsoft Exchange servers that were accessible via the Internet and had the critical vulnerability CVE-2020-0688.
German CERT-Bund warns about Exchange vulnerability CVE-2020-0688
The tweet above says: Even six weeks later, over half of these Internet-accessible Exchange servers in Germany are still unpatched. Just to mentions: The majority of these vulnerable machines are running Exchange 2010 installations. This version was dropped from support in October 2020. In another tweet (lower graphic) CERT-Bund shows the distribution over individual providers. This suggests that some providers inform their customers, while other providers let the CERT-Bund messages trickle out. So check the Exchange server installations you are responsible for, whether they are patched or not.
Background on the vulnerability CVE-2020-0688
I had already reported this problem in the 2018 blog post Vulnerability in Exchange Server 2010-2019. A vulnerability CVE-2020-0688 exists in Exchange from version 2010 to 2019. An exploit for this vulnerability has been known since January 2020 and updates to close the vulnerability have been available since February 11, 2020.
The vulnerability CVE-2020-0688 is a Microsoft Exchange Validation Key Remote Code Execution vulnerability described in this Microsoft document dated February 11, 2020. The vulnerability that could be exploited to remote code execution is in Microsoft Exchange Server if the server is unable to create unique (cryptographic) keys during installation.
Advertising
Knowledge of a validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the Web application running as SYSTEM. Simon Zuckerbraun from the Zero Day Initiative has published this blog post on February 25, 2020 with some explanations. Tenable also has this post on the topic. Here are the available updates classified as important:
- Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30: KB4536989
- Microsoft Exchange Server 2013 Cumulative Update 23: KB4536988
- Microsoft Exchange Server 2016 Cumulative Update 14: KB4536987
- Microsoft Exchange Server 2016 Cumulative Update 15: KB4536987
- Microsoft Exchange Server 2019 Cumulative Update 3: KB4536987
- Microsoft Exchange Server 2019 Cumulative Update 4: KB4536987
So the required security updates are now available and can be installed. However, there were issues with the update, as I mentioned in the article Exchange Server 2013: Issue with Security Update KB4536988. In the article you can find hints how affected people can get the Exchange Server up and running again.
Similar articles:
Vulnerability in Exchange Server 2010-2019.
Security information (Feb. 25, 2020)
Exchange Server: Terrible Patch Status; v2010 reaches EOL
Attack to unpatched Exchange Servers (CVE-2020-0688)
Exchange Server: 80% not patched against CVE-2020-0688
Exchange Server 2013: Issue with Security Update KB4536988
