Over 80 percent of exposed Exchange servers are still exposed to a severe vulnerability – nearly two months after the flaw was patched, and after researchers warned that multiple threat groups were exploiting it.
The vulnerability in question (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail server and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated attackers, who could execute code remotely on them with system privileges.
Researchers recently used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw. Out of 433,464 internet-facing Exchange servers observed, at least 357,629 were vulnerable (as of March 24).
“If your organization is using Exchange and you aren’t sure whether it has been updated, we strongly urge you to skip to the Taking Action section immediately,” said Tom Sellers, manager of the Rapid7 Labs team, in a Monday analysis.
While the flaw was fixed as part of Microsoft’s February Patch Tuesday updates, researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed advanced persistent threat (APT) actors. Attacks began in late February and targeted “numerous affected organizations,” researchers said. They observed attackers leveraging the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.
Brian Gorenc, director of vulnerability research and head of Trend Micro’s ZDI program (which was credited with discovering the flaw), told Threatpost via email that while the vulnerability was labelled “important” in severity by Microsoft, researchers believe it should be treated as “critical.”
“That’s why we worked with Microsoft to get it patched through coordinated disclosure, and it’s why we provided defenders detailed information about it through our blog,” he said. “We felt Exchange administrators should treat this as a Critical patch rather than Important as labelled by Microsoft. We encourage everyone to apply the patch as soon as possible to protect themselves from this vulnerability.”
The patch management issues with Exchange servers extend beyond CVE-2020-0688. Sellers said his investigation revealed that over 31,000 Exchange 2010 servers have not been updated since 2012. And, there are nearly 800 Exchange 2010 servers that have never been updated, he said.
Sellers urged admins to verify that an update has been deployed. He also said users can determine whether anyone has attempted to exploit the vulnerability in their environment: “Since exploitation requires a valid Exchange user account, any account tied to these attempts should be treated as compromised,” Sellers said.
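The guidance above, that any account tied to an exploitation attempt should be treated as compromised, presumes you can find those attempts in your logs. The following PowerShell is an added example, not code from the article or from Rapid7: it walks IIS W3C log lines from an Exchange Client Access server and reports requests to the ECP endpoint that carry ASP.NET ViewState (`__VIEWSTATE`) in the query string, together with the authenticated user and client address on each. That pattern is an assumption about how exploitation of this flaw appears in access logs, and the field list, sample lines and log path are constructed.

```powershell
# Added example (not from the article or Rapid7): triage IIS W3C logs from an Exchange
# CAS server for requests to /ecp/ that carry __VIEWSTATE in the query string. Treating
# the heuristic as a match indicator is an assumption; the user on any matching request
# is the account to treat as compromised, per the guidance quoted in the article.

function Get-SuspiciousEcpRequests {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]] $LogLines
    )

    $fields = @()
    foreach ($line in $LogLines) {
        if ($line -match '^#Fields:\s*(.+)$') {
            # W3C header: remember the column order so fields can be addressed by name
            $fields = $Matches[1] -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if ($fields.Count -eq 0) { continue }  # no header seen yet, cannot map columns

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }  # malformed line, skip it
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Heuristic (assumption): ECP request with ViewState passed in the query string
        if ($row['cs-uri-stem'] -like '/ecp/*' -and $row['cs-uri-query'] -match '__VIEWSTATE=') {
            [pscustomobject]@{
                Timestamp = "$($row['date']) $($row['time'])"
                User      = $row['cs-username']
                ClientIP  = $row['c-ip']
                Path      = $row['cs-uri-stem']
                Status    = $row['sc-status']
            }
        }
    }
}

# Constructed sample log (not real traffic). IIS encodes spaces in User-Agent as '+'.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-03-02 10:15:01 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2020-03-02 10:15:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=REDACTED-BASE64 443 CONTOSO\alice 203.0.113.10 python-requests/2.22 500
2020-03-02 10:16:40 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\bob 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
'@ -split "`r?`n"

Get-SuspiciousEcpRequests -LogLines $sample | Format-Table -AutoSize

# Against a real server, point it at the site's log directory (path is an assumption):
# Get-SuspiciousEcpRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200302.log')
```

On the constructed sample only the second line is reported, attributing the attempt to CONTOSO\alice from 203.0.113.10. A non-200 status on the flagged request is not proof of failure; the account should still be treated as compromised, and its password and sessions reset, as the quoted guidance says.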
If your org uses Microsoft Exchange I *strongly* recommend you make sure the patch for CVE-2020-0688 (Feb 11) is installed.
Unpatched means phished user = SYSTEM on OWA servers. @Rapid7 Project Sonar found at least 357,629 unpatched hosts.
— Tom Sellers (@TomSellers) April 6, 2020
“The most important step is to determine whether Exchange has been updated,” Sellers said. “The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).”
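The two questions Sellers poses, whether a server has ECP enabled and whether the update is installed, can be answered from the server itself. The PowerShell below is an added example, not code from the article, Rapid7 or Microsoft. It checks IIS for the `/ecp` application and compares the file version of `ExSetup.exe` against a minimum build you supply. The article does not give the patched build numbers, so `-MinimumBuild` must come from Microsoft's release notes for your cumulative update; the value in the usage line is a constructed placeholder. Using `ExSetup.exe` rather than `Get-ExchangeServer` is a deliberate choice, because the cmdlet's `AdminDisplayVersion` reflects only the cumulative update, not security updates.

```powershell
# Added example (not from the article, Rapid7 or Microsoft): report whether this
# Exchange server exposes ECP and whether its installed build is below the patched build.
# The patched build for your CU is not given in the article; pass it as -MinimumBuild.
# $env:ExchangeInstallPath is set by Exchange setup on every Exchange server.

function Test-EcpPatchState {
    [CmdletBinding()]
    param(
        # Patched build for your CU, taken from Microsoft's CVE-2020-0688 release notes.
        [Parameter(Mandatory)]
        [version] $MinimumBuild,

        # Exchange install root; defaults to the variable Exchange setup defines.
        [string] $InstallPath = $env:ExchangeInstallPath
    )

    if (-not $InstallPath) {
        throw 'ExchangeInstallPath is not set; run this on an Exchange server or pass -InstallPath.'
    }

    # ECP is reachable only where the /ecp application exists in IIS (typically the CAS role).
    $ecpPresent = $false
    if (Get-Module -ListAvailable -Name WebAdministration) {
        Import-Module WebAdministration
        $ecpPresent = [bool](Get-WebApplication | Where-Object { $_.path -eq '/ecp' })
    }

    # ExSetup.exe's file version tracks security updates, unlike AdminDisplayVersion.
    $exSetup   = Join-Path $InstallPath 'Bin\ExSetup.exe'
    $installed = [version](Get-Item $exSetup).VersionInfo.FileVersion
    $outdated  = $installed -lt $MinimumBuild

    [pscustomobject]@{
        Server         = $env:COMPUTERNAME
        EcpPresent     = $ecpPresent
        InstalledBuild = $installed
        MinimumBuild   = $MinimumBuild
        Outdated       = $outdated
        # Exposed means the update is missing on a server where ECP is actually served.
        Exposed        = $ecpPresent -and $outdated
    }
}

# Usage: 15.1.9999.9 is a constructed placeholder; substitute the patched build for your CU.
Test-EcpPatchState -MinimumBuild '15.1.9999.9' | Format-List
```

A server reporting `Outdated = True` with `EcpPresent = False` is still missing the update and should be patched on the normal schedule; one reporting `Exposed = True` is the case the article describes and should be patched first, then checked for exploitation attempts as Sellers recommends.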