350,000 organizations remain vulnerable to Microsoft Exchange flaw


CVE-2020-0688 was patched by Microsoft, yet companies are still not updating Microsoft Exchange

Companies vulnerable to Microsoft Exchange flaw

Security firm Rapid7 has found that more than 350,000 Microsoft Exchange servers remain exposed to a known security vulnerability.[1] Although Microsoft shipped a patch on its February 11 Patch Tuesday and urged admins to apply it without further delay, the Microsoft Exchange CVE-2020-0688[2] remote code execution vulnerability is still a threat to thousands of companies worldwide, because the patch has not yet been applied.

Rapid7 researchers explained that if the vulnerability is exploited, it can result in a full system compromise:

In many implementations, this could be used to completely compromise the entire Exchange environment (including all email) and potentially all of Active Directory. 

The security firm used Project Sonar to scan the internet for vulnerable Microsoft Exchange servers and found that 357,629 (82.5%) of the 433,464 servers scanned remain susceptible to CVE-2020-0688. While the count may not be completely precise, because an unauthenticated check can misjudge the server version, these numbers are still a cause for concern.

State-sponsored hackers abusing the flaw

While software vulnerabilities are not uncommon, they are typically detected sooner or later, helped by resources such as bug bounties, and patched by the developer. Unfortunately, applying patches still does not seem to be a regular habit, not only for home users but also for companies that hold sensitive information on their servers. It most likely comes down to cybersecurity costs, although in the event of a cyberattack, firms have to pay out millions in recovery costs as well as potential compensation to customers whose data was affected.[3] Not to mention the damaged reputation and lost trust, which are so hard to recover.

The first attempts to exploit CVE-2020-0688 were spotted back in February. UK security company Volexity[4] also found that state-sponsored hacking groups are particularly interested in the flaw and are actively abusing it. While the company did not reveal which APT groups or countries are involved, it claimed that it is “all the big players.”[5]

Immense threat to enterprises – patch Microsoft Exchange flaw now

Project Sonar helped Rapid7 not only determine the number of servers vulnerable to CVE-2020-0688 but also uncover other interesting details:

  • a large number of Exchange 2007 servers are still in operation, despite support having ended in 2017 (ironically, the CVE-2020-0688 flaw does not apply to Exchange 2007)
  • 166,000 servers are still running Exchange 2010, which reaches the end of support in October 2020
  • 31,000 Exchange 2010 servers have not been patched since 2012
  • 800 Exchange 2010 servers have never been updated.

In the security update details, Microsoft described the vulnerability as follows:[6]

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

To mitigate the vulnerability, Rapid7 researchers urge all enterprises to patch their Microsoft Exchange servers immediately to shut out APT groups. To begin with, IT teams should verify that the patch has actually been applied (making sure the Exchange Control Panel (ECP) was enabled during the process), using vulnerability management tools and patch management software as well as checking the hosts themselves.
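The key reuse Microsoft describes above, together with Rapid7's advice to check the hosts themselves, can be turned into a fleet-level audit. The Python below is an added example, not code from the article, from Rapid7 or from Microsoft: it assumes the machineKey element has already been collected from each server's ECP web.config (host names, config fragments and key values are constructed placeholders) and reports any validationKey or decryptionKey that appears on more than one host, since a correctly patched install carries keys unique to that server.

```python
"""Fleet audit for shared ASP.NET machineKey values across Exchange servers.

Added example (not from the article, Rapid7 or Microsoft). CVE-2020-0688 exists
because every Exchange install shipped the same static validationKey and
decryptionKey in the ECP web.config; the fix makes the keys unique per install.
A key value that still appears on more than one host is therefore worth
investigating as a sign that a server was not patched correctly. The config
fragments below are constructed samples with placeholder key values.
"""
from collections import defaultdict
from typing import Dict, List
import xml.etree.ElementTree as ET

# Constructed sample: the <machineKey> element inside <system.web> of each
# server's ECP web.config, keyed by host name. Key values are placeholders.
SAMPLE_CONFIGS: Dict[str, str] = {
    "exch01": """<configuration><system.web>
        <machineKey validationKey="KEY-A-PLACEHOLDER" decryptionKey="KEY-B-PLACEHOLDER"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
    "exch02": """<configuration><system.web>
        <machineKey validationKey="KEY-A-PLACEHOLDER" decryptionKey="KEY-B-PLACEHOLDER"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
    "exch03": """<configuration><system.web>
        <machineKey validationKey="KEY-C-PLACEHOLDER" decryptionKey="KEY-D-PLACEHOLDER"
                    validation="SHA1" decryption="3DES"/>
    </system.web></configuration>""",
    # Constructed edge case: no <machineKey> element at all, which the audit
    # reports separately instead of silently skipping the host.
    "exch04": "<configuration><system.web></system.web></configuration>",
}


def extract_machine_key(web_config_xml: str) -> Dict[str, str]:
    """Return the machineKey attributes from a web.config, or {} if absent."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return {}
    wanted = ("validationKey", "decryptionKey", "validation", "decryption")
    return {name: value for name, value in node.attrib.items() if name in wanted}


def audit_fleet(configs: Dict[str, str]) -> Dict[str, object]:
    """Group hosts by key value and report values shared by more than one host.

    Returns {"shared_keys": {key_value: [hosts...]},
             "missing_machine_key": [hosts...]}.
    """
    hosts_by_key = defaultdict(set)
    missing: List[str] = []
    for host, xml in configs.items():
        machine_key = extract_machine_key(xml)
        if not machine_key:
            missing.append(host)
            continue
        for attr in ("validationKey", "decryptionKey"):
            if attr in machine_key:
                hosts_by_key[machine_key[attr]].add(host)
    shared = {key: sorted(hosts) for key, hosts in hosts_by_key.items() if len(hosts) > 1}
    return {"shared_keys": shared, "missing_machine_key": sorted(missing)}


if __name__ == "__main__":
    report = audit_fleet(SAMPLE_CONFIGS)
    for key, hosts in report["shared_keys"].items():
        print(f"key {key} is shared by {', '.join(hosts)}: verify these servers were patched")
    for host in report["missing_machine_key"]:
        print(f"{host}: no <machineKey> element found")
```

On the constructed sample the audit flags exch01 and exch02, which share both keys, and lists exch04 as having no machineKey to compare; exch03, whose keys are unique, is not reported. The audit compares values only across the hosts it is given, so it is meaningful once the whole fleet has been collected.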

However, patching the vulnerability alone might not be enough, the researchers said: traces of attempted exploitation should also be looked for. According to them, any account credentials used in an attempted exploitation should be considered compromised.
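Rapid7's advice to look for traces of attempted exploitation, and to treat the credentials used in those attempts as compromised, can be applied to the server's IIS logs. The Python below is an added example, not code from the article or from Rapid7: it relies on the indicator used in public detection guidance for this CVE, namely requests to the Exchange Control Panel (/ecp/) that carry the ASP.NET __VIEWSTATE and __VIEWSTATEGENERATOR parameters in the query string, where normal ECP traffic does not place them. The log lines are constructed samples in IIS W3C extended format with placeholder ViewState values, and the field order is read from the #Fields: header rather than assumed.

```python
"""Find ECP requests that carry ASP.NET ViewState in the query string.

Added example, not code from the article or from Rapid7. CVE-2020-0688 is
triggered by an authenticated user handing the ECP a crafted ViewState, and
public detection guidance for the CVE looks for the __VIEWSTATE and
__VIEWSTATEGENERATOR parameters in the query string of requests under /ecp/,
where legitimate ECP traffic does not carry them. Because exploitation needs a
valid mailbox login, the cs-username on such a request is a credential to treat
as compromised. The log below is a constructed sample in IIS W3C extended
format; ViewState values and the generator id are placeholders.
"""
from typing import Dict, Iterable, Iterator, List
from urllib.parse import parse_qs

# Constructed sample log. IIS replaces spaces inside field values with '+',
# so each entry splits cleanly on single spaces. The last line is deliberately
# malformed to show that the parser skips it instead of crashing.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:15:01 10.0.0.5 GET /owa/ - 443 CONTOSO\\alice 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200
2020-02-26 10:15:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=GEN-PLACEHOLDER&__VIEWSTATE=VIEWSTATE-PLACEHOLDER 443 CONTOSO\\bob 198.51.100.7 python-requests/2.22.0 500
2020-02-26 10:16:30 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\\carol 203.0.113.11 Mozilla/5.0+(Windows+NT+10.0) 200
2020-02-26 10:17:02 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=GEN-PLACEHOLDER&__VIEWSTATE=VIEWSTATE-PLACEHOLDER 443 - 203.0.113.12 curl/7.68.0 401
this line is deliberately malformed and must be skipped
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log entry, using the most recent #Fields: header."""
    fields: List[str] = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if not fields or len(parts) != len(fields):
            continue  # malformed entry or entry before any header: skip it
        yield dict(zip(fields, parts))


def carries_viewstate_in_query(entry: Dict[str, str]) -> bool:
    """True for requests under /ecp/ whose query string holds both ViewState fields."""
    if not entry.get("cs-uri-stem", "").lower().startswith("/ecp/"):
        return False
    query = parse_qs(entry.get("cs-uri-query", ""), keep_blank_values=True)
    params = {name.lower() for name in query}
    return "__viewstate" in params and "__viewstategenerator" in params


def find_suspect_requests(log_text: str) -> List[Dict[str, str]]:
    """All log entries matching the ViewState-in-query indicator."""
    return [e for e in parse_w3c(log_text.splitlines()) if carries_viewstate_in_query(e)]


def credentials_to_reset(log_text: str) -> List[str]:
    """Authenticated usernames seen on suspect requests ('-' means no login)."""
    return sorted({e["cs-username"] for e in find_suspect_requests(log_text)
                   if e.get("cs-username", "-") != "-"})


if __name__ == "__main__":
    for e in find_suspect_requests(SAMPLE_IIS_LOG):
        print(f"{e['date']} {e['time']} {e['c-ip']} {e['cs-username']} "
              f"{e['cs-method']} {e['cs-uri-stem']} -> {e['sc-status']}")
    print("credentials to treat as compromised:", credentials_to_reset(SAMPLE_IIS_LOG))
```

On the sample, two requests match: the authenticated one from CONTOSO\bob and an unauthenticated one that was rejected with 401. Only the first yields a credential to reset; the ordinary POST to the ECP, which carries ViewState in the request body rather than the query string, is not flagged.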