Over 350,000 Microsoft Exchange Servers Vulnerable to CVE-2020-0688





Backups and security patching have been among the most persistent problem areas in IT for many years. And while things have improved with backups (although the joke about the two kinds of sysadmins, those who don't make backups yet and those who already do, will stay relevant for a long time), security patching remains a sad story. The Garmin incident is yet another confirmation of this.



Residual funding, hope for luck and other factors lead to regular leaks and hacks. And yet nothing changes. Cloud4Y has shared curious stories about leaks and hacks more than once. Here is another story, and it only confirms how inert companies are on a matter as seemingly important as data security.




What is the problem



Back in February 2020, Microsoft patched CVE-2020-0688, a vulnerability affecting Microsoft Exchange servers. The flaw is in the Exchange Control Panel (ECP) component and allows an attacker who holds any previously stolen valid email credentials to take over a vulnerable Microsoft Exchange server. To underline the seriousness of the issue, the company tagged the vulnerability with the "Exploitation More Likely" rating, hinting that it is an attractive target for attackers.



The dangerous bug lies in how the ECP component works. Exchange does not generate unique cryptographic keys during installation, so every installation ends up with the same keys; this gives an attacker who has passed the authentication stage the ability to remotely execute arbitrary code with SYSTEM privileges and completely compromise the vulnerable server.



The authentication stage itself, by the way, is no obstacle for attackers either. They can get through it by gathering information about company employees via LinkedIn, and then using the collected information, combined with credential stuffing, against Outlook Web Access (OWA) and ECP.



In February, security experts warned that attackers were actively scanning the Internet for vulnerable Microsoft Exchange servers. To carry out an attack, all they had to do was locate a vulnerable server and obtain email addresses, either harvested through the OWA web client URL or taken from earlier leaks. An attacker who got onto the Exchange server could read or spoof corporate email.



Two Western information security agencies, the NSA and CISA, also issued warnings calling for prompt installation of the CVE-2020-0688 patch, citing cases where hacker groups had exploited the vulnerability.



Made a fuss and forgot



But, as often happens, by no means everyone paid attention to the hype. Most companies ignored the threat. A couple of months later, the cybersecurity company Rapid7 used its Project Sonar scanning tool to discover all Exchange servers publicly exposed on the Internet. The results were very sad.



It found that at least 357,629 (82.5%) of the 433,464 Exchange servers were still open to attacks exploiting the CVE-2020-0688 vulnerability.



Some of the servers Rapid7 marked as not vulnerable may still be exposed, because the Microsoft patch did not update all OS builds. But that's not all. The researchers also found nearly 11,000 servers running Microsoft Exchange 2007, which reached End of Support (EoS) in 2017, and 166,000 servers running Microsoft Exchange 2010, whose support ends in October 2020. The icing on the cake: almost 31 thousand Internet-connected Microsoft Exchange 2010 servers had not been updated since 2012, and 800 of them had never been updated at all.







We will decide later who is to blame. What to do?



Ideally, it is necessary not only to install the patches but also to determine whether attackers have tried to exploit the vulnerability. Since an attacker must take control of at least one account to do so, any account associated with an exploitation attempt must be treated as compromised.



Compromised user accounts that were used to attack Exchange servers can be detected by checking the Windows and IIS event logs for traces of the encoded payload: the text "Invalid viewstate" in the Windows event log, or the strings "__VIEWSTATE" and "__VIEWSTATEGENERATOR" in the query string of requests to paths under the /ecp directory.
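The two log checks described above, as an added triage script that is not part of the original article and not a Rapid7 or Microsoft tool. It assumes the standard IIS W3C extended log layout (the field order is read from the #Fields directive rather than hard-coded), and the log excerpt and event message below are constructed samples: the ViewState values are placeholders standing in for the long base64 blobs a real request carries, and the user names and IP addresses are invented.

```python
"""Triage IIS W3C logs and Windows event text for CVE-2020-0688 exploitation traces.

Normal ECP usage sends ViewState in a POST body; CVE-2020-0688 exploitation
puts __VIEWSTATE/__VIEWSTATEGENERATOR in the query string of a request under
/ecp, and the failed deserialization surfaces as "Invalid viewstate" in the
Windows event log. Every account seen in such a request is treated as compromised.
"""
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of an IIS W3C log (not real traffic). PLACEHOLDER stands
# in for the base64 ViewState blobs; the accounts and addresses are invented.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-02 10:15:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.7 Mozilla/5.0 200
2020-03-02 10:15:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER 443 CONTOSO\\alice 203.0.113.7 Mozilla/5.0 500
2020-03-02 10:16:30 10.0.0.5 GET /ecp/ - 443 CONTOSO\\bob 198.51.100.4 Mozilla/5.0 200
2020-03-02 10:17:02 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=PLACEHOLDER&__VIEWSTATEGENERATOR=PLACEHOLDER 443 CONTOSO\\carol 203.0.113.7 python-requests/2.22 500
"""

# Matches either ViewState parameter name in a query string, case-insensitively.
VIEWSTATE_RE = re.compile(r"__VIEWSTATE(GENERATOR)?=", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order is declared in the log itself
            continue
        if line.startswith("#"):
            continue  # other directives such as #Software, #Version, #Date
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than mis-map the columns
        records.append(dict(zip(fields, parts)))
    return records


def ecp_viewstate_hits(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records whose path is under /ecp and whose query carries ViewState."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        under_ecp = stem == "/ecp" or stem.startswith("/ecp/")
        if under_ecp and VIEWSTATE_RE.search(query):
            hits.append(rec)
    return hits


def suspected_accounts(log_text: str) -> Set[str]:
    """Authenticated accounts that issued a ViewState-in-query request to /ecp."""
    hits = ecp_viewstate_hits(parse_w3c(log_text.splitlines()))
    # IIS logs "-" for anonymous requests; those carry no account to reset.
    return {h["cs-username"] for h in hits if h.get("cs-username", "-") != "-"}


def is_invalid_viewstate_event(message: str) -> bool:
    """Windows event log check: the article's 'Invalid viewstate' text marker."""
    return "invalid viewstate" in message.lower()


if __name__ == "__main__":
    for hit in ecp_viewstate_hits(parse_w3c(SAMPLE_IIS_LOG.splitlines())):
        print(f"{hit['date']} {hit['time']} user={hit['cs-username']} "
              f"client={hit['c-ip']} agent={hit['cs(User-Agent)']} status={hit['sc-status']}")
    print("accounts to treat as compromised:", sorted(suspected_accounts(SAMPLE_IIS_LOG)))
    # Constructed event message, not a real Windows event record.
    print(is_invalid_viewstate_event("Invalid viewstate. Client IP: 203.0.113.7"))
```

Run it against the real W3C files under the IIS log directory of the Exchange server; every account the script lists is one whose password must be reset, and the client addresses give the starting point for checking what else those addresses touched.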



The only meaningful way out is to install the patches on your servers before hackers find them and compromise your entire network. Otherwise you may have to reset every stolen user account and password.



Download links for security updates for affected versions of Microsoft Exchange Server and related Knowledge Base articles are available in the table below:



MS Exchange version                                             KB article   Patch
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30  4536989      Security Update
Microsoft Exchange Server 2013 Cumulative Update 23              4536988      Security Update
Microsoft Exchange Server 2016 Cumulative Update 14              4536987      Security Update
Microsoft Exchange Server 2016 Cumulative Update 15              4536987      Security Update
Microsoft Exchange Server 2019 Cumulative Update 3               4536987      Security Update
Microsoft Exchange Server 2019 Cumulative Update 4               4536987      Security Update


Don't forget about security. Being unprotected a few months after a patch has been released is extremely sad.


