More than 80% of the Internet-facing Microsoft Exchange servers observed by Rapid7 Labs still lack a security patch that Microsoft released in February 2020. Here is why businesses need to make sure this patch is installed on their Exchange servers.
A patch that fixes a security vulnerability that’s currently being exploited by hackers has not been installed in more than 80% of the world’s public-facing Microsoft Exchange Server deployments, according to a Rapid7 Labs report. Microsoft released the patch on February 11, 2020, to fix a remote code execution vulnerability (CVE-2020-0688) found in all Exchange Server versions that are currently supported (i.e., Exchange Server 2010 and later).
Here’s a look at the CVE-2020-0688 vulnerability, how it is exploited, and why businesses should patch it immediately.
The vulnerability in every unpatched Exchange server lies in the Exchange Control Panel (ECP) component. ECP is an ASP.NET web application, and ASP.NET relies on two machineKey values (validationKey and decryptionKey) to sign and encrypt the ViewState that its pages exchange with the browser. Those keys are meant to be unique to each installation. Instead, Exchange shipped the same fixed values in every installation's ECP configuration, which is the CVE-2020-0688 flaw: every Exchange server installed in the last decade uses the same ECP keys. Anyone who knows the keys can produce a ViewState the server accepts as genuine, and because the server deserializes that ViewState, a crafted one can make it execute arbitrary commands with SYSTEM privileges, which is the account the ECP application pool runs under.
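The following is an added illustration, not Exchange or ASP.NET code, of why a shared validationKey defeats the ViewState integrity check described above. Real ViewState is a serialized .NET object graph with its own wire format, and the real MAC input includes a page-specific modifier; the model below keeps only the property that matters here: the server trusts any blob whose HMAC verifies under its key, so a key that is identical on every server lets an outsider forge blobs every server trusts. `EcpLikeServer`, `STATIC_KEY` and the JSON "state" are stand-ins invented for this example.

```python
"""Simplified model of the CVE-2020-0688 key problem (constructed example)."""
import hashlib
import hmac
import json
import os
from typing import Optional

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes, as with validation="SHA1"


class EcpLikeServer:
    """One Exchange-like server with its own ASP.NET-style validationKey."""

    def __init__(self, validation_key: bytes) -> None:
        self.validation_key = validation_key

    def _mac(self, body: bytes) -> bytes:
        return hmac.new(self.validation_key, body, hashlib.sha1).digest()

    def sign_viewstate(self, state: dict) -> bytes:
        """Serialize page state and append the MAC checked on postback."""
        body = json.dumps(state, sort_keys=True).encode()
        return body + self._mac(body)

    def load_viewstate(self, blob: bytes) -> Optional[dict]:
        """Return the state if the MAC verifies, else None.

        ASP.NET raises 'Validation of viewstate MAC failed' at this point;
        the deserialization step is where the real attack runs code."""
        body, mac = blob[:-MAC_LEN], blob[-MAC_LEN:]
        if not hmac.compare_digest(mac, self._mac(body)):
            return None
        return json.loads(body)  # stand-in for .NET deserialization


# Stand-in for the fixed key every pre-patch ECP web.config carried. This is
# NOT the real Exchange value; the point is only that it is the same everywhere.
STATIC_KEY = b"same-validationKey-in-every-ECP-web.config"


def attacker_payload_accepted(server: EcpLikeServer, key_attacker_knows: bytes,
                              payload: dict) -> bool:
    """Attacker signs a payload with the key they believe the server uses."""
    forged = EcpLikeServer(key_attacker_knows).sign_viewstate(payload)
    return server.load_viewstate(forged) == payload


def demo() -> dict:
    payload = {"gadget": "run", "cmd": "whoami"}  # stands in for a gadget chain
    unpatched = EcpLikeServer(STATIC_KEY)          # shipped key, same everywhere
    patched = EcpLikeServer(os.urandom(64))        # per-install random key
    return {
        "legit_roundtrip": unpatched.load_viewstate(
            unpatched.sign_viewstate({"page": 1})) == {"page": 1},
        "forgery_on_static_key": attacker_payload_accepted(unpatched, STATIC_KEY, payload),
        "forgery_on_random_key": attacker_payload_accepted(patched, STATIC_KEY, payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The MAC algorithm is not the weak link; key distribution is. The patch's job is simply to make the second server's situation the normal one, with a key nobody else holds.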
How the Vulnerability Is Exploited
To exploit the vulnerability, hackers first need to find an Exchange server on which the CVE-2020-0688 patch has not been installed and whose ECP web application is reachable from the Internet. That application, served under the /ecp path, hosts the Exchange Control Panel on Exchange Server 2010 and the Exchange Admin Center (EAC) on Exchange Server 2013, 2016 and 2019. Cybercriminals find these targets by scanning the Internet.
After they find a vulnerable Exchange server, the cybercriminals need to obtain valid account credentials that will enable them to log in to it. The account does not need to have any special permissions — it can be a user’s email account, for example. Hackers can use several tactics to obtain user account credentials, including sending phishing emails to company employees.
Once authenticated to the vulnerable server, the hackers do not need any real privilege escalation. An ECP page hands every logged-in user the two values that ASP.NET mixes into its ViewState signature check: the ASP.NET_SessionId cookie and the page's __VIEWSTATEGENERATOR field. With those and the validationKey that every unpatched server shares, they can sign a ViewState of their own that carries a serialized .NET payload. When they submit it to an ECP page, the server finds the signature valid, deserializes the payload and runs the embedded command as SYSTEM. Volexity researchers found instances where hackers used this to run reconnaissance commands and create backdoors. However, cybercriminals could do much more damage: because Exchange servers hold highly privileged rights in Active Directory, an attacker could take over the entire Exchange environment as well as Active Directory, according to a Rapid7 Labs researcher.
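The exploitation chain above leaves a usable trace. The forged ViewState has to reach an ECP page as the `__VIEWSTATE` parameter, and public exploitation sent it in the query string of a GET request, whereas the ECP user interface only ever POSTs ViewState in the request body, which IIS does not log. So `__VIEWSTATE` appearing in `cs-uri-query` for a `/ecp/` request is a strong signal. The script below is an added example, not code from the article or from Rapid7, Volexity or Microsoft; it parses IIS W3C logs and flags such requests. The log excerpt is constructed for illustration, and its account names, IP addresses and `__VIEWSTATEGENERATOR` value are placeholders.

```python
"""Hunt for CVE-2020-0688-style ECP requests in IIS W3C logs (added example)."""
from typing import Dict, Iterable, Iterator, List
from urllib.parse import parse_qs

# Constructed sample in the default IIS W3C layout. The second line mimics an
# exploitation attempt: an authenticated mailbox user, a GET to
# /ecp/default.aspx with __VIEWSTATE and __VIEWSTATEGENERATOR in the query,
# and HTTP 500 because the deserializer throws after the payload runs.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:15:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\jdoe 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 312
2020-03-01 10:15:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=0A1B2C3D&__VIEWSTATE=%2FwEyAAAAAAAAAAAAAAAA 443 CORP\jdoe 203.0.113.7 python-requests/2.22.0 - 500 0 0 1043
2020-03-01 10:16:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.2 Mozilla/5.0+(Windows+NT+10.0) - 302 0 0 85
2020-03-01 10:17:12 10.0.0.5 GET /ecp/ - 443 CORP\asmith 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 50
2020-03-01 10:18:30 10.0.0.5 GET /ecp/PersonalSettings/Password.aspx reqId=1583057910 443 CORP\asmith 192.0.2.44 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 77
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields directive.

    IIS never writes a literal space inside a field (it uses '+' and
    %-encoding), so splitting on single spaces is safe. Lines whose field
    count does not match are skipped; production code should count them.
    """
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a new #Fields line can appear mid-file
            continue
        if line.startswith("#") or not fields:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def find_viewstate_in_query(records: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return requests under /ecp/ that carry __VIEWSTATE in the query string."""
    hits: List[Dict[str, object]] = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" not in params:
            continue
        hits.append({
            "time": f"{rec.get('date')} {rec.get('time')}",
            "method": rec.get("cs-method", ""),
            "user": rec.get("cs-username", "-"),  # account the attacker authenticated as
            "client": rec.get("c-ip", "-"),       # source to pivot the investigation to
            "status": rec.get("sc-status", "-"),
            "has_generator": "__viewstategenerator" in params,
        })
    return hits


def scan(log_text: str) -> List[Dict[str, object]]:
    return find_viewstate_in_query(parse_w3c(log_text.splitlines()))


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The `cs-username` in a hit is the credential the attacker obtained, so it should be reset and its owner's other activity reviewed, not just the server cleaned. An attacker can also POST the payload, in which case the query string stays empty; pair this check with the Windows Application event log, where ECP (source MSExchange Control Panel) records the failed ViewState validation that a forged payload produces.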
Patch Now Instead of Later
Microsoft gave the CVE-2020-0688 vulnerability a severity rating of “Important”, which indicates that businesses should patch their Exchange servers at the earliest opportunity. However, some security experts believe that the vulnerability should have been given the highest rating of “Critical” so that companies patch it immediately.
“Microsoft rated this as ‘Important’ in severity likely because an attacker must first authenticate,” said a Trend Micro security expert. However, he feels it should be treated as a “Critical” vulnerability instead. “Any outside attacker who compromised the device or credentials of any enterprise user would be able to proceed to take over the Exchange server. Having accomplished this, an attacker would be positioned to divulge or falsify corporate email communications at will.”
The vulnerability could also be exploited and used to launch other types of assaults, such as ransomware attacks and advanced persistent threats (APTs). “Motivated attackers now have a way to compromise a critical piece of the IT infrastructure if it is not updated,” warned Volexity researchers. “If you have not already, apply these security updates immediately and look for signs of compromise.”
If your company is using Exchange Server, we can make sure the CVE-2020-0688 patch and other important security updates have been installed on it.