Update March 2021: This post relates to issues found in March 2020. A new, more serious set of security issues has been found in March 2021. See Tony Redmond’s post on the topic for more information and then join our live panel discussion on protecting Exchange Server from #HAFNIUM attacks on March 12.
If you haven’t already done so, this week you should be applying patches to your Exchange Servers. A reasonably easy-to-exploit vulnerability has been disclosed by Microsoft as CVE-2020-0688.
Sigi and I talked about this in this week’s episode of The Practical 365 podcast, but this is important enough to write about separately in case you missed the show.
The TL;DR version of this is – anyone with the username and password for a mailbox on your Exchange Server and access to the /ecp directory can execute code as the SYSTEM account on the server itself.
The proof-of-concept exploits show this can be achieved by sending the server an easily crafted URL using freely obtained open source tools.
This vulnerability is due to Microsoft using the same set of cryptographic keys on every Exchange Server installation, with the keys stored in plain text in a web.config file on every server.
The bad news is that although it has taken nearly ten years for this to be noticed, now that it has, would-be attackers are acting quickly. Security researchers are already seeing scans for public-facing Exchange servers to obtain build version information. If you publish OWA and ECP externally, the next step by these malicious people will be to attempt to gain a set of working credentials to access Exchange. There are already tools available to use social networks like LinkedIn to harvest email addresses and, of course, tools to automate login attempts.
Make no mistake – if you publish Exchange externally and don’t patch, it’s only a matter of time until this is exploited.
Even if you don’t publish Exchange externally, you should consider this a threat. Not all staff follow the rules, and it’s possible an insider within your organization may use this opportunity to take advantage of the rights an Exchange computer account has. The amount of damage someone could easily do shouldn’t be understated.
Simon Zuckerbraun, of the Zero Day Initiative, has produced a comprehensive write-up on their blog that provides a vast amount of detail about the vulnerability, including a walk-through on how to exploit it. It makes for worrying reading – all an attacker needs is a compiled version of ysoserial.net, the validation key from either his article – or any Exchange Server – and then by crafting a URL GET request to /ecp/default.aspx they can do as they wish. If that hasn’t worried you yet, read the article now.
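A defender-side check for the request pattern described above, as an added example that is not from the original post or the ZDI write-up: it scans an IIS W3C log for GET requests to /ecp/default.aspx with an unusually long query string, which is what a serialized payload carried in the URL looks like in the log. The 512-character threshold, the function names and the sample log lines are assumptions constructed for illustration.

```python
ECP_PATH = "/ecp/default.aspx"
QUERY_LEN_THRESHOLD = 512  # assumption: tune against your own baseline of ECP traffic

# Constructed sample in IIS W3C extended format; not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-03-02 09:14:01 GET /owa/ - CONTOSO\\alice 203.0.113.10 200
2020-03-02 09:14:07 GET /ecp/default.aspx - CONTOSO\\alice 203.0.113.10 200
2020-03-02 09:20:44 GET /ecp/default.aspx {long} CONTOSO\\bob 198.51.100.7 500
2020-03-02 09:21:02 POST /ecp/default.aspx {long} CONTOSO\\carol 203.0.113.22 200
""".format(long="p=" + "A" * 2000)


def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def suspicious_ecp_requests(text, threshold=QUERY_LEN_THRESHOLD):
    """Return GET requests to the ECP default page with an oversized query string."""
    hits = []
    for row in parse_w3c(text):
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if row.get("cs-method") == "GET" and stem == ECP_PATH and len(query) > threshold:
            hits.append({
                "when": row.get("date", "-") + " " + row.get("time", "-"),
                "user": row.get("cs-username", "-"),   # the mailbox account used
                "client": row.get("c-ip", "-"),
                "status": row.get("sc-status", "-"),
                "query_len": len(query),
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_ecp_requests(SAMPLE_LOG):
        print(hit)
```

Because the request requires a valid mailbox login, the `user` field on any hit identifies an account whose credentials should be treated as compromised.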
Getting patches for Exchange
Patches are available for all supported versions of Exchange Server – from 2010 through to 2019 – and all are affected.
The update comes in the form of an Update Rollup, UR30, for Exchange 2010, and security updates for the latest Cumulative Updates for Exchange 2013, 2016 and 2019. If you aren’t running the latest CUs for Exchange 2013 or higher, then you will need to get current first and then apply the patch.
You can find links to the patches on the Microsoft Security Response Center page for CVE-2020-0688.