Organizations have fallen behind with the patching of a Microsoft Exchange Server vulnerability addressed with Microsoft’s February 2020 Patch Day updates and already targeted in attacks.
The issue, which exists because keys created at installation are not unique, is tracked as CVE-2020-0688 and impacts Microsoft Exchange 2010, 2013, 2016, and 2019. An attacker could abuse it to trick the server into deserializing malicious ViewState data.
Last week, security researchers warned that attacks targeting vulnerable Exchange Servers started ramping up, but the first scans for the vulnerability were observed several weeks back, after researchers with the Zero Day Initiative (ZDI) published additional details on it and on how it can be exploited.
Both US-CERT and the NSA have warned of the existence of this vulnerability, encouraging organizations to apply the available patches as soon as possible.
Exploitation attempts target the Exchange Control Panel (ECP), a component that is on by default, and only requires for the attackers to be in the possession of a single valid credential, regardless of the level of privileges. Such credentials can be easily obtained through various methods.
Thus, with attackers actively targeting the bug and an exploit already added to Rapid7’s Metasploit framework, one would expect organizations to ramp up their patching efforts to ensure they remain protected.
However, Kenna Security reveals that companies are, in fact, very slow in addressing the issue, although it could essentially lead to the compromise of their Active Directory.
Looking at the rate of open vs closed instances of the vulnerability, the security firm observed that remediation efforts are at less than 15% at the moment. Normally, given that over a month has passed since fixes were released, patching should be closer to 50%, Kenna Security says.
Perhaps these servers aren’t directly exposed to the internet. Or maybe users have worked around and disabled ECP. Or perhaps they operate on an email domain that doesn’t have as much exposure to phishing or other credential leaks.
Further investigation revealed that out of 220,000 Internet-facing Outlook Web Access (OWA) servers in BinaryEdge’s Internet-wide scan data, most are 2013, 2016, and 2019 installations.
Based on the underlying installation, the security researchers determined that around three quarters of these servers (74%) are vulnerable, while the remaining quarter (26%) are potentially vulnerable.
Given that exploitation of this vulnerability is rather simple, as is obtaining credentials required for that, the security firm encourages organizations to apply the available patches as soon as possible, or at least block access to ECP.
“In most Microsoft-centric organizations, Exchange is a critical organization service, and thus, may be off-limits for normal monthly patching schedules. This fact, combined with the fact that the vulnerability exposes SYSTEM access on the server, and the fact that exchange stores credentials in memory in plain text, make this an incredibly attractive target,” Kenna Security notes.