Over half of exposed Exchange servers are still vulnerable to a severe bug that allows authenticated attackers to execute code remotely with system privileges, even 8 months after Microsoft issued a fix.
Despite Microsoft issuing patches almost 8 months ago, 61% of Exchange servers are still vulnerable.
Unique Keys
The vulnerability (CVE-2020-0688) exists in the control panel of Exchange, Microsoft’s mail & calendaring server.
The flaw, which stems from the server failing to properly create unique keys at install time, was fixed as part of Microsoft’s Feb. Patch Tuesday updates, & admins in March were warned that unpatched servers are being exploited in the wild by unnamed Advanced Persistent Threat (APT) actors.
Telemetry
However, new telemetry found that out of 433,464 internet-facing Exchange servers observed, at least 61% of Exchange 2010, 2013, 2016 & 2019 servers are still vulnerable to the flaw.
“There are 2 important efforts that Exchange administrators & infosec teams need to undertake: verifying deployment of the update & checking for signs of compromise,” observed Tom Sellers with Rapid7 in a Tues. analysis.
March Advisory
Researchers warned in a March advisory that unpatched servers are being exploited in the wild by unnamed APT players. Attacks first started in late Feb. & targeted “numerous affected organizations,” researchers commented.
They noticed attackers using the flaw to run system commands for reconnaissance, deploy webshell backdoors & execute in-memory post-exploitation frameworks.
Previously, in April, Rapid7 researchers found that more than 80% of servers were vulnerable; out of 433,464 internet-facing Exchange servers observed, at least 357,629 were open to the flaw (as of Mar. 24). Researchers used Project Sonar, a scanning tool, to analyse internet-facing Exchange servers & find out which were vulnerable.
Update
Sellers asked admins to verify that an update has been installed. The best method to do so is by checking patch-management software, vulnerability-management tools, or the hosts themselves to discover whether the appropriate update has been installed, he commented.
“The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled,” he remarked.
“This will typically be servers with the Client Access Server (CAS) role, which is where your users would access the Outlook Web App (OWA).”
Given the in-the-wild exploitation, admins should also check whether anyone has tried to exploit the vulnerability on their servers.
Exploit Code
The exploit code that Sellers tested left log artifacts in the Windows Event Log & the IIS logs (which contain HTTP server API kernel-mode cache hits) on both patched & unpatched servers: “This log entry will include the compromised user account, as well as a very long error message that includes the text invalid viewstate,” he suggested.
IIS Logs
Admins can also review their IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), Sellers said. These should contain the strings __VIEWSTATE and __VIEWSTATEGENERATOR, with a long string in the middle of the request that is a portion of the exploit payload.
“You will see the username of the compromised account name at the end of the log entry,” he said. “A quick review of the log entries just prior to the exploit attempt should show successful requests (HTTP code 200) to web pages under /owa & then under /ecp.”
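The IIS log review Sellers describes, as an added Python example that is not from the article or from Rapid7: it parses constructed W3C-format log lines by their #Fields header, flags requests under /ecp whose query string carries both __VIEWSTATE and __VIEWSTATEGENERATOR with a long __VIEWSTATE value, and lists the same user's preceding HTTP 200 responses to /owa and /ecp. The field order, log lines, length threshold and generator value are all constructed assumptions, not captured data.

```python
from urllib.parse import parse_qs

MIN_VIEWSTATE_LEN = 100  # assumption: flag only long __VIEWSTATE values in the query string

# Constructed sample log (not real data). The #Fields line sets the column order, as in W3C logs.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status cs-username c-ip
2020-03-01 10:00:01 GET /owa/auth/logon.aspx - 200 - 203.0.113.5
2020-03-01 10:00:05 POST /owa/auth.owa - 302 CORP\\alice 203.0.113.5
2020-03-01 10:00:09 GET /ecp/default.aspx - 200 CORP\\alice 203.0.113.5
2020-03-01 10:00:12 GET /ecp/default.aspx __VIEWSTATEGENERATOR=ABCD1234&__VIEWSTATE={vs} 500 CORP\\alice 203.0.113.5
2020-03-01 10:05:00 GET /ecp/default.aspx __VIEWSTATE=short 200 CORP\\bob 198.51.100.7
""".format(vs="A" * 300)  # generator value and the long "A..." string are placeholders, not a payload


def parse_iis_log(text):
    """Turn W3C log lines into dicts keyed by the names in the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other directives (#Software, #Date) and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def is_suspicious(row):
    """Request under /ecp whose query carries both ViewState fields and a long __VIEWSTATE."""
    if not row.get("cs-uri-stem", "").lower().startswith("/ecp/"):
        return False
    params = parse_qs(row.get("cs-uri-query", ""), keep_blank_values=True)
    if "__VIEWSTATE" not in params or "__VIEWSTATEGENERATOR" not in params:
        return False
    return max(len(v) for v in params["__VIEWSTATE"]) >= MIN_VIEWSTATE_LEN


def analyze(log_text, context=5):
    """Report each suspicious request with the same user's preceding 200s to /owa and /ecp."""
    rows, findings = parse_iis_log(log_text), []
    for i, row in enumerate(rows):
        if not is_suspicious(row):
            continue
        user = row.get("cs-username", "-")
        prior = [r["cs-uri-stem"] for r in rows[max(0, i - context):i]
                 if r.get("sc-status") == "200" and r.get("cs-username") == user
                 and r["cs-uri-stem"].lower().startswith(("/owa", "/ecp"))]
        findings.append({"time": f"{row['date']} {row['time']}", "user": user,
                         "client": row.get("c-ip", "-"), "prior_ok_requests": prior})
    return findings
```

Run `analyze(open("u_ex200301.log").read())` against a real IIS log; the #Fields header in the file supplies the column order, so the script does not depend on the sample's layout.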