Threat Response: Vulnerabilities in Microsoft Exchange Server

26-02-2020

Two serious vulnerabilities in Microsoft Exchange Server have been discovered.

Description

The first vulnerability (CVE-2020-0688) concerns a remote code execution vulnerability [1]. This means that authenticated users can execute arbitrary code on installations of this product, if they have specific knowledge of certain system parameters. This concerns only authenticated users, but the fact that they can execute arbitrary code remotely, means that Northwave assesses this as a high impact vulnerability. As public exploit code is known, we assess the probability as high, and currently, active scanning traffic for vulnerable versions of Exchange Server is seen on the internet. More background information can be found at [4].

The second vulnerability (CVE-2020-0692) concerns an elevation of privilege vulnerability [2]. This means that attackers that manage to exploit this vulnerability, can gain the same rights as any other user of the Exchange server, including Administrative rights. Exploitation of this vulnerability requires Exchange Web Services to be enabled and in use. Because an unprivileged attacker can exploit this vulnerability remotely and gain administrative rights, Northwave assesses this as a high impact, high probability vulnerability, despite the fact that no public exploit, or cases of exploitation, are known.

NCSC released an advisory regarding these vulnerabilities as well: https://advisories.ncsc.nl/advisory?id=NCSC-2020-0116. They assess the risk as High/High.

Impacted software versions
It concerns the following Exchange Server versions:

  • (Microsoft Exchange 2010 Service Pack 3 Update Rollup 30) — only the first vulnerability, CVE-2020-0688
  • Microsoft Exchange Server 2013 Cumulative Update 23
  • Microsoft Exchange Server 2016 Cumulative Update 14
  • Microsoft Exchange Server 2016 Cumulative Update 15
  • Microsoft Exchange Server 2019 Cumulative Update 3
  • Microsoft Exchange Server 2019 Cumulative Update 4

Mitigation
Microsoft has released security updates that fix these vulnerabilities. They can be found at [1, 2]. Northwave advises to install these updates as soon as possible.
The Northwave SOC cannot currently monitor for exploitation attempts, as this traffic is sent encrypted over HTTPS. We will keep researching possibilities for monitoring, and will update accordingly.

References
[1] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0688
[2] https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0692
[3] https://advisories.ncsc.nl/advisory?id=NCSC-2020-0116
[4] https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution

Northwave will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. If you need additional information you can call us by phone or send us an email.

Phone number: +31 (0)30-303 1244 (during business hours)
E-mail: [email protected]
Do you have an incident right now? Call our CERT number: 0800-2255 2747 or 0800-1744 (alleen vanuit Nederland)

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.