Critical Flaw Still Impacting 82% of Public-Facing Exchange Servers

On February Patch Tuesday, 2020, Microsoft released a patch for a critical flaw that impacts Microsoft Exchange Servers and could be exploited by hackers to take full control of a vulnerable system. Despite Microsoft warning that the flaw would be attractive to hackers, patching has not been a quick process.

An analysis carried out by cybersecurity company Rapid7 revealed that more than 82% of public-facing Exchange servers remain vulnerable and have yet to be patched. The firm’s scan identified 433,464 public-facing Exchange servers, and at least 357,629 were vulnerable to an attack targeting the CVE-2020-0688 vulnerability.

Exchange administrators may not have prioritized the patch because the flaw is a post-authorization flaw, meaning an attacker needs valid credentials before it can be exploited; however, attacks could take place using any stolen email details or by using brute force tactics to guess weak passwords.

Several proof-of-concept exploits for the flaw have been released via GitHub, and there have been reports of nation state Advanced Persistent Threat groups attempting to exploit the flaw using credentials obtained through brute force tactics and credentials stolen in earlier data breaches.

If the flaw is exploited, hackers would be able to obtain access to Exchange Servers and compromise the entire Exchange environment. That would permit them to obtain all email communications, create new email accounts, falsify messages, and remotely execute code on compromised servers with SYSTEM privileges.

Microsoft previously said there are no mitigations or workarounds that can be put in place to prevent exploitation. The only way to prevent the flaw from being targeted is to ensure the patch is applied on all susceptible servers.

Since attacks are known to have already taken place, administrators should apply the patch and also investigate whether attacks have already been conducted and have been successful.

Rapid7 recommends that Exchange administrators review Windows Event and IIS logs for signs of compromise. Any email accounts that have been infiltrated and used in attacks on Exchange servers will leave evidence of the exploit code in log files.

Rapid7 explained: “The exploit attempts show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account as well as a very long error message that includes the text Invalid viewstate. What you are seeing is portions of the encoded payload. You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), which contain the string __VIEWSTATE and __VIEWSTATEGENERATOR.”
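The IIS log review Rapid7 describes can be scripted. The following is an added example, not code from Rapid7 or Microsoft: it parses W3C-format IIS log lines and reports requests under /ecp whose query string carries both `__VIEWSTATE` and `__VIEWSTATEGENERATOR`, along with the authenticated account and client IP. The sample log, its column set, and the function names are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Constructed sample in IIS W3C extended format (not real log data).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2020-04-01 10:00:01 GET /owa/ - EXAMPLE\\alice 203.0.113.5 200
2020-04-01 10:02:17 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER&__VIEWSTATE=PLACEHOLDER EXAMPLE\\bob 198.51.100.7 500
2020-04-01 10:03:40 GET /ecp/default.aspx __VIEWSTATEGENERATOR=PLACEHOLDER EXAMPLE\\carol 203.0.113.9 200
2020-04-01 10:04:02 GET /ECP/Default.aspx __viewstate=PLACEHOLDER&__viewstategenerator=PLACEHOLDER EXAMPLE\\dave 198.51.100.8 500
"""

def find_viewstate_requests(lines):
    """Return log entries under /ecp whose query carries both ViewState parameters."""
    fields, hits = [], []
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is set per file and can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        entry = dict(zip(fields, values))
        stem = entry.get("cs-uri-stem", "").lower()
        if stem != "/ecp" and not stem.startswith("/ecp/"):
            continue
        # Compare whole parameter names: "__VIEWSTATE" is a prefix of
        # "__VIEWSTATEGENERATOR", so a plain substring test would over-match.
        query = entry.get("cs-uri-query", "")
        names = {k.upper() for k, _ in parse_qsl(query, keep_blank_values=True)}
        if {"__VIEWSTATE", "__VIEWSTATEGENERATOR"} <= names:
            hits.append(entry)
    return hits

def summarize(hits):
    """Map each authenticated account to the client IPs that sent flagged requests."""
    accounts = {}
    for h in hits:
        accounts.setdefault(h.get("cs-username", "-"), set()).add(h.get("c-ip", "-"))
    return accounts

if __name__ == "__main__":
    flagged = find_viewstate_requests(SAMPLE_LOG.splitlines())
    for user, ips in summarize(flagged).items():
        print(user, sorted(ips))
```

Accounts reported here should be cross-checked against the Application event log entries (source MSExchange Control Panel, event ID 4) mentioned in the quote above.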

Along with discovering a worrying number of Exchange servers susceptible to the CVE-2020-0688 vulnerability, the experts also found an alarming number of Exchange servers were missing several updates for other critical vulnerabilities. The experts discovered 31,000 Exchange servers that had not received an update since 2012 and 800 Exchange servers that had never had patches applied.

Microsoft will be ending support for Exchange 2010 in October 2020, so it is vital that the 166,000 public-facing Exchange servers still running Exchange 2010 are updated as soon as possible.