Actively exploited MS Exchange flaw present on 80% of exposed servers

Attackers looking to exploit CVE-2020-0688, a critical Microsoft Exchange flaw patched by Microsoft in February 2020, don’t have to look hard to find a server they can attack: according to an internet-wide scan performed by Rapid7 researchers, there are at least 315,000 and possibly as many as 350,000 vulnerable on-premise Exchange servers (out of 433,464 total) out there.

What Rapid7 discovered

The scan also revealed more depressing statistics:

• Over 31,000 Exchange 2010 servers have not been updated since 2012
• Nearly 800 Exchange 2010 servers have never been updated
• There are 10,731 Exchange 2007 servers and over 166,000 Exchange 2010 servers. (The former versions is no longer supported, and the latter will reach that status in October 2020.)

Attackers are looking to exploit CVE-2020-0688

Despite Microsoft releasing patches for CVE-2020-0688 in February 2020, and despite the fact that soon after attackers began probing for vulnerable servers and using freely available PoC exploits and a Metasploit module released in early March to breach them, far too many organizations have yet to implement the patch.

Security updates fixing the flaw have been provided for:

• MS Exchange Server 2010 Service Pack 3 Update Rollup 30
• MS Exchange Server 2013 Cumulative Update 23
• MS Exchange Server 2016 Cumulative Update 14, 15 and 3
• MS Exchange Server 2019 Cumulative Update 4

What makes random exploitation difficult?

The one thing that makes random exploitation of the flaw difficult is that attackers need compromised, valid email credentials to access the server before attempting to exploit CVE-2020-0688. But motivated, well-resourced attackers who are looking to breach a specific organization will, no doubt, find a way to get their hands on the required credentials.

Still, the fact that there is such a huge number of outdated and unpatched MS Exchange mail servers out there doesn’t bode well.

“Email is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. The are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide. In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them,” noted Richard Bejtlich, Principal Security Strategist at Corelight.

“It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives – namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others. The bottom line is that unless your organization is willing to commit the resources, attention, and expertise to maintaining a properly configured and patched email system, you should outsource it. Otherwise you are being negligent with not only your organization’s information, but the information of anyone with whom you exchange emails.”

Check out Rapid7’s blog post for instructions on how to find out whether your MS Echange servers need patching and how to check whether they’ve already been compromised through CVE-2020-0688.