{"id":16793,"date":"2020-11-18T00:10:00","date_gmt":"2020-11-17T23:10:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=16793"},"modified":"2022-01-12T08:19:31","modified_gmt":"2022-01-12T07:19:31","slug":"weiter-ungepatchte-exchange-server-in-deutschland-nov-2020","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/11\/18\/weiter-ungepatchte-exchange-server-in-deutschland-nov-2020\/","title":{"rendered":"Still Exchange servers unpatched for CVE-2020-0688 (Nov. 2020)"},"content":{"rendered":"

[German<\/a>]Just a brief note to administrators of Microsoft Exchange servers: Did you patch them against the CVE-2020-0688 remote execution vulnerability? German CERT-Bund has been warning for weeks that numerous German Exchange servers accessible via the Internet are still vulnerable. I guess other countries shows a similar picture. <\/p>\n

<\/p>\n

Warning from CERT-Bund about CVE-2020-0688 <\/h2>\n

\"\"CERT-Bund complains on Twitter every day about unpatched Exchange servers in Germany. Here are the tweets<\/a>. 6 weeks ago, German CERT-Bund started a campaign in which daily reports were sent to German network operators\/providers. They were informed about vulnerable Microsoft Exchange servers that were accessible via the Internet and had the critical vulnerability CVE-2020-0688.<\/p>\n

\"CERT-Bund-Warnung
German CERT-Bund warns about Exchange vulnerability CVE-2020-0688  <\/p>\n

The tweet above says: Even six weeks later, over half of these Internet-accessible Exchange servers in Germany are still unpatched. Just to mentions: The majority of these vulnerable machines are running Exchange 2010 installations. This version was dropped from support in October 2020. In another tweet (lower graphic) CERT-Bund shows the distribution over individual providers. This suggests that some providers inform their customers, while other providers let the CERT-Bund messages trickle out. So check the Exchange server installations you are responsible for, whether they are patched or not. <\/p>\n

Background on the vulnerability CVE-2020-0688 <\/h2>\n

I had already reported this problem in the 2018 blog post Vulnerability in Exchange Server 2010-2019<\/a>. A vulnerability CVE-2020-0688 exists in Exchange from version 2010 to 2019. An exploit for this vulnerability has been known since January 2020 and updates to close the vulnerability have been available since February 11, 2020. <\/p>\n

The vulnerability CVE-2020-0688 is a Microsoft Exchange Validation Key Remote Code Execution vulnerability described in this Microsoft document<\/a> dated February 11, 2020. The vulnerability that could be exploited to remote code execution is in Microsoft Exchange Server if the server is unable to create unique (cryptographic) keys during installation. <\/p>\n

Knowledge of a validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the Web application running as SYSTEM. Simon Zuckerbraun from the Zero Day Initiative has published this blog post on February 25, 2020 with some explanations. Tenable also has this post<\/a> on the topic. Here are the available updates classified as important: <\/p>\n