A major vulnerability affecting nearly every supported version of Microsoft Exchange Server could allow hackers to remotely execute code on a system.
The flaw, CVE-2020-0688, exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka 'Microsoft Exchange Memory Corruption Vulnerability'.
According to Simon Zuckerbraun of the Zero Day Initiative, the is found in the Exchange Control Panel (ECP) component.
“The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialised format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter,” he said in a blog post.
He added that Microsoft stated this bug was due to a memory corruption vulnerability and could be exploited by a specially crafted email sent to a vulnerable Exchange server.
“They have since revised their write-up to (correctly) indicate that the vulnerability results from Exchange Server failing to properly create unique cryptographic keys at the time of installation,” said Zuckerbraun.
Due to the use of static keys, an authenticated attacker can trick the server into deserialising maliciously crafted ViewState data. “With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM,” he said.
The flaw has had hackers scanning for it in an attempt to take over systems, according to this tweet from Bad Packets Report.
While a patch has been available from Microsoft as part of its Patch Tuesday monthly updates, many organisations have yet to roll the patch out over downtime fears.
Michael Barragry, operations lead at edgescan, told SC Media UK that it is not clear what practical protections can be implemented other than patching.
“The exploit runs in the context of the Exchange Control Panel (ECP) component, so it may be possible to mitigate this by disabling ECP, however this is a core component and would significantly impair the ability to perform administrative functions on the Exchange server itself. This does not appear as a recommended workaround on the official MS advisory,” he said.
“Thankfully, the exploit requires authentication credentials as a pre-requisite, so if strong authentication requirements are in place (strong passwords, 2FA etc) then this can greatly reduce the likelihood that a malicious actor could perform the attack. Unfortunately, the insider threat remains. There is a technical barrier to the attack, but a skilled and determined insider could execute it without any problems. Additional monitoring of the vulnerable servers could be implemented, however since the patch is available now it should be applied immediately.”