Attackers probing for vulnerable Microsoft Exchange Servers, is yours one of them?

CVE-2020-0688, a remote code execution vulnerability in Microsoft Exchange Server that Microsoft patched in early February, is ripe for exploitation and could become a vector for ransomware groups in the coming months, warns cybersecurity researcher Kevin Beaumont.

CVE-2020-0688 exploitation

Organizations running on-premises Exchange – any supported version (2010, 2013, 2016, 2019) that has not received the February update – would do well to patch as soon as possible, as scanning for vulnerable internet-facing servers has already begun.


CVE-2020-0688, initially classified by Microsoft as a memory corruption vulnerability, turned out to be caused by Exchange Server failing to generate unique cryptographic keys at installation time. Every installation of the Exchange Control Panel (ECP) shipped with the same ASP.NET machineKey (validationKey and decryptionKey) in its web.config, so anyone who knows those now-public values and holds a valid mailbox login can forge a __VIEWSTATE that passes the server's MAC check and is deserialized, executing attacker-chosen .NET code as SYSTEM.

More technical details and a demonstration of CVE-2020-0688 exploitation were published on Tuesday by Trend Micro’s Zero Day Initiative (ZDI), which served as an intermediary between Microsoft and the anonymous researcher who discovered the flaw.

ZDI security researcher Simon Zuckerbraun reiterated ZDI’s initial position that the flaw should be rated Critical rather than Important.

“Microsoft rated this as Important in severity, likely because an attacker must first authenticate. It should be noted, however, that within an enterprise, most any user would be allowed to authenticate to the Exchange server,” he explained.

“Similarly, any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.”

Having SYSTEM access to an Exchange Server and running Mimikatz could also give attackers access to plain-text user passwords, Beaumont noted.

Patch ASAP!

As noted above, probing for vulnerable servers has already begun (some of it possibly by security researchers).

No mitigations or workarounds exist for this flaw, so Exchange Server administrators should deploy the patch as soon as their testing is complete.

“Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release. As demonstrated, that certainly seems likely,” Zuckerbraun concluded.

UPDATE (February 29, 2020, 1:35 a.m. PT): TrustedSec published a quality write-up about how to detect exploitation of the flaw.
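For readers who want to hunt for exploitation attempts in their own IIS logs, the following is an added example, not code from this article, from TrustedSec or from ZDI. The indicator it relies on is an assumption about the public exploit's behaviour rather than something the article states: the forged ViewState is delivered to /ecp/default.aspx in the query string as __VIEWSTATE and __VIEWSTATEGENERATOR, whereas legitimate ECP pages post their ViewState in the request body, so those parameter names in cs-uri-query are anomalous. The log lines are constructed for the example.

```python
"""
Hunt for CVE-2020-0688 exploitation attempts in IIS W3C logs.

Added example; not code from the article, TrustedSec, or ZDI.
Assumed indicator: ViewState parameters in the *query string* of a
request to /ecp/*. Normal ECP traffic carries ViewState in a POST body.
"""
from typing import Dict, Iterator, List
from urllib.parse import parse_qs

VIEWSTATE_PARAMS = {"__viewstate", "__viewstategenerator"}


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")  # IIS replaces spaces inside a field with '+'
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than mis-map columns
        yield dict(zip(fields, values))


def viewstate_in_query(query: str) -> bool:
    """True if the query string carries ViewState parameters (any URL-encoding)."""
    if query in ("", "-"):
        return False
    # parse_qs percent-decodes parameter names, so %5f%5fVIEWSTATE also matches.
    names = {name.lower() for name in parse_qs(query, keep_blank_values=True)}
    return bool(names & VIEWSTATE_PARAMS)


def find_exploit_attempts(log_text: str) -> List[Dict[str, str]]:
    """Return one record per suspicious request: who, from where, and the result."""
    hits = []
    for rec in parse_iis_w3c(log_text):
        if not rec.get("cs-uri-stem", "").lower().startswith("/ecp/"):
            continue
        if viewstate_in_query(rec.get("cs-uri-query", "-")):
            hits.append({
                "when": f"{rec.get('date', '-')} {rec.get('time', '-')}",
                "src": rec.get("c-ip", "-"),
                "user": rec.get("cs-username", "-"),   # the account the attacker used
                "status": rec.get("sc-status", "-"),   # payload execution often ends in 500
            })
    return hits


# Constructed sample log (not real traffic). Lines 2 and 3 model an attempt,
# the second with percent-encoded parameter names.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:02 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2020-02-26 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 443 CORP\\alice 203.0.113.9 python-requests/2.22.0 500
2020-02-26 10:02:15 10.0.0.5 GET /ecp/default.aspx %5f%5fVIEWSTATEGENERATOR=B97B4E27&%5f%5fVIEWSTATE=AAAA 443 CORP\\bob 198.51.100.4 curl/7.68.0 500
2020-02-26 10:03:00 10.0.0.5 GET /owa/ - 443 - 10.0.0.78 Mozilla/5.0+(Windows+NT+10.0) 200
"""

if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print(f"{hit['when']} {hit['src']:15s} user={hit['user']} status={hit['status']}")
```

Run it against the ECP site's W3C logs (by default under inetpub\logs\LogFiles); each hit names the account whose credentials were used, which is the account to reset and investigate, and an external source IP for an internal user is itself a finding. Do not filter on sc-status: a 500 is common when the payload runs, but a 200 does not prove it did not.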
