A vulnerability discovered in Microsoft Exchange could impact your business’s email accounts, and potentially entire networks. In February of 2020, Microsoft released several security updates to address a vulnerability discovered in the Microsoft Exchange Server (CVE-2020-0688). While a patch has been issued, several Exchange accounts have not been updated and are still at risk.
How it Works
With this vulnerability, CVE-2020-0688, the Exchange server fails to create unique keys during installation. With this, attackers can then utilize this key to deserialize certain information or pass commands.
Serialization: the process of converting an object into a stream of bytes to store the object or transmit it to memory, a database, or a file. Its main purpose is to save the state of an object in order to be able to recreate it when needed.
Deserialization: the reverse process of Serialization; taking the raw data and reconstructing the object model.
In short, this vulnerability would allow a hacker to compromise an entire Exchange environment. This could affect all email and potentially all Active Directory, depending on how the server was implemented. This could also leave businesses the target for APT (Advanced Persistent Threats) attackers who can use the vulnerability to read a company's email store.
The vulnerability that was discovered, and is now being addressed by Microsoft, is more than just a threat. There have been exploitations of this vulnerability discovered. In fact, a Rapid7 scan of the internet in early April found that more than 350,000 Exchange servers were still vulnerable after the patch was released.
Researchers with Kenna Security ran analyses of their own and discovered that of 22,000 internet-facing Outlook Web Access servers, 74% were vulnerable and 26% were potentially vulnerable two months after Microsoft released a patch to address these concerns.
Take Action Now
With Exchange environments being so high in value, security experts are afraid this vulnerability will become a favorite for ransomware attacks. That is why it is important to address the potential risk now. Here are the steps you can take to help reduce risk from CVE-2020-0688.
1. Check your systems to make sure everything has been updated. The patch from Microsoft needs to be installed on any server with the Exchange Control Panel (ECP) enabled.
2. Exchange servers must be running one of the Cumulative Updates listed in the Microsoft Advisory in order for the update to be installed.
CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
3. Determine whether anyone has attempted exploiting CVE-2020-0688 in your environment. Any account tied to an attempt should be treated as compromised.
If you have not already, it is advised that everyone install the Microsoft patch immediately. If you cannot install the patch, be sure to at least block access to ECP. If you are unsure if your company has been compromised, please reach out to a Pratum cybersecurity expert today.