Threat Response: UPDATE – Critical Vulnerability in Microsoft Exchange Server

17-09-2020

Last Tuesday we sent out a message regarding a vulnerability in Microsoft Exchange Server. Since then, more details about the vulnerability have surfaced, and we want to inform you of them today.

The vulnerability lies in a specific command that is normally used to update Data Loss Prevention (DLP) policies. Insufficient validation of the input to this command allows an attacker to execute arbitrary code.

A successful attack can only be performed through a compromised account that has the Data Loss Prevention role assigned to it. Without that role, changing DLP policies is impossible, and the attack fails. This contradicts our earlier message, which stated that no authentication was necessary to launch the attack. However, given a user account with these privileges, lateral movement in the network is still possible.

Additionally, in the past few days proof-of-concept code has been made publicly available[5], making it trivial for anyone with these credentials to execute the attack. Therefore, we strongly recommend applying the patch as soon as possible.

Northwave lowers the risk classification to medium because of the added requirement of a sufficiently privileged compromised user account to carry out the attack. Northwave maintains its high impact classification.

Mitigations

There are currently no mitigations or workarounds available. If for whatever reason you absolutely cannot deploy the patch to all affected systems, it is highly recommended to increase awareness among all users holding the Data Loss Prevention role so that they protect their accounts.
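To act on the advice above, an administrator first needs to know which accounts actually hold the role. The following PowerShell is an added example and not part of the Northwave advisory; it assumes an Exchange Management Shell session on an affected Exchange 2016/2019 server, uses the Exchange management role named "Data Loss Prevention" that the advisory refers to, and writes to a placeholder output path.

```powershell
# Added example (not from the Northwave advisory): list every account that
# effectively holds the Exchange "Data Loss Prevention" management role,
# whether assigned directly or inherited through a role group. These are the
# accounts the advisory's awareness and patch-priority advice applies to.
# Assumes an Exchange Management Shell session with permission to read RBAC.

$dlpHolders = Get-ManagementRoleAssignment -Role "Data Loss Prevention" -GetEffectiveUsers |
    Select-Object EffectiveUserName, RoleAssigneeName, RoleAssigneeType, AssignmentMethod

# Review on screen: one line per user/assignment pair
$dlpHolders | Sort-Object EffectiveUserName | Format-Table -AutoSize

# Export for the awareness campaign and for a later access review
# (".\dlp-role-holders.csv" is a placeholder path)
$dlpHolders | Export-Csv -Path ".\dlp-role-holders.csv" -NoTypeInformation

# Record each server's build so it can be compared with the patched builds
# listed in the Microsoft security update referenced by the advisory [2]
Get-ExchangeServer | Select-Object Name, Edition, AdminDisplayVersion | Format-Table -AutoSize
```

Any entry whose RoleAssigneeType is a role group indicates that membership of that group, not only direct assignment, grants the ability to change DLP policies.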

See our previous message about this Threat Response for background.

Northwave

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises, we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
Do you have an incident right now? Call our CERT number: +31 (0)85-0437 909 or 0800-1744 (only from within the Netherlands)

Disclaimer applies, see below.

Sources

[1]: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875

[2]: https://support.microsoft.com/ca-es/help/4577352/security-update-for-exchange-server-2019-and-2016

[3]: https://www.ncsc.nl/actueel/advisory?id=NCSC-2020-0715

[4]: https://srcincite.io/advisories/src-2020-0019/

[5]: https://srcincite.io/pocs/cve-2020-16875.py.txt

Disclaimer
Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.