Patching servers and endpoints in an enterprise network can be a bit like painting a boat or weeding a garden: it never really begins or ends, it just is. In that kind of environment, it’s easy enough for one or two fixes to slip through the cracks or get delayed for business continuity or other reasons. Even patches for critical vulnerabilities sometimes aren’t applied right away, a fact that is not lost on attackers.
The fix for a vulnerability in Microsoft Exchange that the company released in February looks to be one of those patches that hasn’t drawn the attention from administrators that it should have. The flaw can lead to remote code execution and is the result of one of the Exchange components using a static cryptographic key for every installation. An attacker who successfully exploits the vulnerability would be able to run code with system privileges and take complete control of the target Exchange server.
“Specifically, the bug is found in the Exchange Control Panel (ECP) component. The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter,” Simon Zuckerbraun of the Zero Day Initiative said in an explanation of the vulnerability, which a researcher reported to ZDI.
“Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data.”
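The condition ZDI describes, every installation carrying the same explicit validationKey and decryptionKey in web.config, is something an administrator can check for directly. The following is an added example, not code from the article, ZDI or Microsoft: it parses the ASP.NET machineKey element out of several web.config files and groups hosts by a fingerprint of their keys, so that identical static keys on more than one installation stand out. The hostnames and key values are constructed placeholders; the real Exchange keys are not reproduced here.

```python
"""Audit ASP.NET <machineKey> settings across several web.config files.

Added example (not from the article, ZDI or Microsoft). The article's point is
that every Exchange installation shipped with the same validationKey and
decryptionKey, so the defender's check is: do two or more hosts share
identical static keys? Hosts using AutoGenerate, or whose keys differ, are
not grouped together.
"""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config fragments keyed by hypothetical hostname.
# The hex strings are placeholders, NOT the actual Exchange keys.
_SHARED_KEYS = (
    '<machineKey validationKey="AAAA1111AAAA1111AAAA1111AAAA1111" '
    'decryptionKey="BBBB2222BBBB2222BBBB2222BBBB2222" '
    'validation="SHA1" decryption="AES" />'
)
SAMPLE_CONFIGS = {
    # Two hosts with identical literal keys: the condition the article describes.
    "exch01.example.test": f"<configuration><system.web>{_SHARED_KEYS}</system.web></configuration>",
    "exch02.example.test": f"<configuration><system.web>{_SHARED_KEYS}</system.web></configuration>",
    # A host whose keys were regenerated and differ from the others.
    "exch03.example.test": (
        '<configuration><system.web>'
        '<machineKey validationKey="CCCC3333CCCC3333CCCC3333CCCC3333" '
        'decryptionKey="DDDD4444DDDD4444DDDD4444DDDD4444" '
        'validation="SHA1" decryption="AES" />'
        '</system.web></configuration>'
    ),
    # A host relying on ASP.NET's per-machine auto-generated keys.
    "exch04.example.test": (
        '<configuration><system.web>'
        '<machineKey validationKey="AutoGenerate,IsolateApps" '
        'decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" decryption="AES" />'
        '</system.web></configuration>'
    ),
}


def extract_machine_key(web_config_xml):
    """Return the <machineKey> attributes from a web.config, or None if absent.

    When the element is absent, ASP.NET falls back to machine.config, whose
    default is AutoGenerate; callers treat None like AutoGenerate.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    if node is None:
        return None
    return {
        "validationKey": node.get("validationKey", "AutoGenerate"),
        "decryptionKey": node.get("decryptionKey", "AutoGenerate"),
        "validation": node.get("validation", ""),
        "decryption": node.get("decryption", ""),
    }


def is_static_key(mk):
    """True when both keys are literal values rather than AutoGenerate."""
    if mk is None:
        return False
    return not (mk["validationKey"].startswith("AutoGenerate")
                or mk["decryptionKey"].startswith("AutoGenerate"))


def key_fingerprint(mk):
    """Short SHA-256 over both keys, so reports group hosts without exposing keys."""
    material = (mk["validationKey"] + "|" + mk["decryptionKey"]).encode()
    return hashlib.sha256(material).hexdigest()[:16]


def find_shared_keys(configs):
    """Map key fingerprint -> sorted hostnames, for hosts with static keys only."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if is_static_key(mk):
            groups[key_fingerprint(mk)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items()}


def audit(configs):
    """Return one finding per fingerprint shared by more than one host."""
    findings = []
    for fp, hosts in sorted(find_shared_keys(configs).items()):
        if len(hosts) > 1:
            findings.append({
                "fingerprint": fp,
                "hosts": hosts,
                "note": "identical static machineKey on multiple installations",
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIGS):
        print(f"{finding['fingerprint']}  {', '.join(finding['hosts'])}  {finding['note']}")
```

Run against the constructed configs, the audit reports a single finding covering exch01 and exch02; exch03 has its own fingerprint and exch04 is skipped because its keys are auto-generated. The fingerprint rather than the key itself is what goes into a report, so the audit output can be shared without copying the secret around.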
In order to exploit the vulnerability, an attacker has to be authenticated to the server, which is certainly a hurdle. But an attacker could gain access to an Exchange user’s credentials in any number of ways, including phishing or finding them in a dump from a data breach.
“It’s post-authentication, but the authentication you need is just an email address and password, which is the easiest thing to get. It’s why people do phishing,” said Tod Beardsley, director of research at Rapid7. “It’s the lowest bar possible for post-auth over the Internet.”
But despite the seriousness of the vulnerability and the potential consequences of a successful exploit, new data from Rapid7 shows that four months after Microsoft released the patch, more than 350,000 servers are running a version of Exchange that’s vulnerable to this bug (CVE-2020-0688).
“This vulnerability really terrifies us. The sensitive data that is exchanged over email, and the ease with which an attacker can social engineer their way into valid credentials, combined with the limitless impact of owning access to executive mailboxes makes this worthy of a critical priority, drop-everything-else-now patch,” Rapid7 researchers said in their threat report for the first quarter of the year.
“Alas, while we have seen some patching, we have actually seen an additional increase in the total number of vulnerable servers in the data.”
The vulnerability, which affects Exchange 2010, 2013, 2016, and 2019, is the kind that draws keen attention from attackers, thanks to the ubiquity of Exchange and the payoff if they’re able to exploit it. For an attacker, gaining access to a corporate Exchange server is near the top of the to-do list. In many organizations, email carries a huge amount of confidential information, and a compromised mail server can be a disaster, especially if the attacker is able to maintain access for a long period of time.
Beardsley said that while the number of unpatched Exchange servers is alarming, it’s not entirely surprising.
“Patching Exchange servers always feels a little dicey. If email goes down, everyone notices immediately, and maybe it’s a machine that hasn’t been rebooted for six months and you don’t know if it’s going to come back once you patch it,” he said.
“If you’re running your own Exchange server still, it’s probably an older installation, since a lot of organizations have moved to Office 365 or Google or something else. Running your own Exchange server is its own special kind of hell.”