80% of all exposed Exchange servers still unpatched for critical flaw

Posted by & filed under Security Alerts.

Over 350,000 of all Microsoft Exchange servers currently exposed on the Internet haven’t yet been patched against the CVE-2020-0688 post-auth remote code execution vulnerability affecting all supported Microsoft Exchange Server versions.

This security flaw is present in the Exchange Control Panel (ECP) component —on by default— and it allows attackers to take over vulnerable Microsoft Exchange servers using any previously stolen valid email credentials.

Microsoft patched this RCE bug on the February 2020 Patch Tuesday and tagged it with an “Exploitation More Likely” exploitability index assessment, hinting at the vulnerability being an attractive target for attackers.

Cyber-security firm Rapid7, the one behind the Metasploit penetration testing framework, added a new MS Exchange RCE module to the pen-testing tool on March 4, following multiple proof-of-concept exploits having surfaced on GitHub.

Both the NSA and CISA later issued warnings that urged organizations to patch CVE-2020-0688 as soon as possible seeing that multiple APT groups have already started exploiting it in the wild.

82.5% of all found Exchange servers not yet patched

Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.

As they found, “at least 357,629 (82.5%) of the 433,464 Exchange servers” are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

To make matters even worse, some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable given that “the related Microsoft update wasn’t always updating the build number.”

Furthermore, “there are over 31,000 Exchange 2010 servers that have not been updated since 2012,” as the Rapid7 researchers observed. “There are nearly 800 Exchange 2010 servers that have never been updated.”

They also found 10,731 Exchange 2007 servers and more than 166,321 Exchange 2010 ones, with the former already running End of Support (EoS) software that hasn’t received any security updates since 2017 and the latter reaching EoS in October 2020.

Rapid7’s results line up with a report from Kenna Security from March 13 saying that only 15% of all Exchange servers they found were patched for CVE-2020-0688 until March 11.

Patch against CVE-2020-0688 ASAP

“There are two important efforts that Exchange Administrators and infosec teams need to undertake: verifying deployment of the update and checking for signs of compromise,” Rapid7 Labs senior manager Tom Sellers further explained.

User accounts compromised and used in attacks against Exchange servers can be discovered by checking Windows Event and IIS logs for portions of encoded payloads including either the “Invalid viewstate” text or the __VIEWSTATE and __VIEWSTATEGENERATOR string for requests to a path under /ecp.

Since Microsoft says that there are no mitigating factors for this vulnerability, the only choice left, as Rapid7 also advises, is to patch your servers before hackers find them and fully compromise your entire network  — unless you’re willing to reset all user accounts’ passwords to render previously stolen credentials useless.

Download links to security updates for vulnerable Microsoft Exchange Server versions needed to deploy the update and related KB articles are available in the table below:

Product Article Download
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 4536989 Security Update
Microsoft Exchange Server 2013 Cumulative Update 23 4536988 Security Update
Microsoft Exchange Server 2016 Cumulative Update 14 4536987 Security Update
Microsoft Exchange Server 2016 Cumulative Update 15 4536987 Security Update
Microsoft Exchange Server 2019 Cumulative Update 3 4536987 Security Update
Microsoft Exchange Server 2019 Cumulative Update 4 4536987 Security Update

 

The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.