Threat Response – Vulnerability in Exchange Server

8-09-2020

On Tuesday 8 September, Microsoft reported a vulnerability affecting Exchange Server [1]. The vulnerability, registered as CVE-2020-16875 (CVSS 3.0 score: 9.1), can potentially lead to execution of arbitrary code by a remote attacker. In this message, we want to inform you about the threat and how it can be mitigated.

Description

Microsoft has announced a vulnerability that can be remotely exploited by an unauthenticated user. In order to exploit the vulnerability, an attacker must send a specially crafted email message to the vulnerable server. No user interaction is required for the exploit to be effective. Details on the content of the message have not yet been published.

The following versions are affected:

  • Exchange Server 2016
  • Exchange Server 2019

Note that this vulnerability only affects on-premises Exchange Servers. Exchange Online is not affected.

Impact

A successful attack can lead to the execution of arbitrary code as the “System” user with administrative rights on the affected server. From there, an attacker may be able to plan a subsequent attack affecting the internal network. We estimate the potential impact of an exploitation of the vulnerability to be high.

Risk

No public/active exploit code is available at this moment. However, an update fixing the flawed code has been made available, meaning that the details of the vulnerability may be uncovered within a short time. Using these details, exploit code may be crafted. For this reason, we estimate the risk of this vulnerability to be high.

Mitigation

Microsoft has published an update that fixes the vulnerability for Exchange Server 2016 and 2019 [2]. We highly recommend installing these updates as soon as possible. Please follow the steps described by Microsoft for this update process.

This update is part of “Patch Tuesday”. We recommend installing all other updates that have become available for Microsoft products as well.

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875

[2]: https://support.microsoft.com/ca-es/help/4577352/security-update-for-exchange-server-2019-and-2016

[3]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2020-0715

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.