Unpatched MS Exchange Servers vulnerable to remote attack

by Don Sharpe


If your Microsoft Exchange Server is reachable online, you would do well to patch it right away if you have not already. Microsoft has not proposed a workaround for the current CVE-2020-0688 threat, so installing the fix appears to be your only viable option for now.

Mass scanning for the CVE-2020-0688 vulnerability underway

When the Zero Day Initiative, having learned of the flaw from an anonymous researcher, published a demo of the MS Exchange Server remote code execution (RCE) vulnerability, it only meant to educate users. After all, Microsoft had already issued a patch for the bug.

But hackers had other ideas. Shortly after this information entered the public domain, they kicked off a large-scale search for unpatched Exchange Servers on the web, according to multiple reports.

Such bad actors do not usually scan for vulnerabilities for their own sake. If their ongoing search turns up unpatched servers, they are certainly going to try to exploit the CVE-2020-0688 loophole.

There are no reports of a successful CVE-2020-0688 exploit by ill-intentioned individuals so far. Hopefully, you will have secured your server by the time hackers have it in their crosshairs.

What is the CVE-2020-0688 bug?

According to Microsoft, CVE-2020-0688 is an RCE vulnerability in which the Exchange Server fails to properly generate unique keys during installation.

Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during installation.
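As an added illustration (not code from the article or from Microsoft), the audit below reads the ASP.NET `<machineKey>` element from several collected `web.config` files and flags installations that share a validationKey, which is exactly the "keys not generated uniquely at install" symptom described above. The hostnames, key values and blocklist entry are constructed placeholders; the source path for the real file (assumed here to be `<ExchangeInstallPath>\FrontEnd\HttpProxy\ecp\web.config`) is not verified by this page.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Placeholder blocklist: the real static constants are not reproduced here;
# populate this set from a trusted advisory before using the check for real.
KNOWN_STATIC_VALIDATION_KEYS = {"PLACEHOLDER_KNOWN_STATIC_VALIDATION_KEY"}


def extract_machine_key(web_config_xml):
    """Return the attribute dict of <system.web><machineKey/>, or None if absent."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else None


def audit_fleet(configs):
    """Audit {hostname: web.config text} and return sorted (host, finding) pairs.

    'shared-key:<hosts>'  the same validationKey appears on more than one install
    'known-static-key'    the key is on the blocklist
    'no-machinekey'       no explicit key (ASP.NET then auto-generates per machine)
    """
    by_key, findings = defaultdict(list), []
    for host, xml_text in configs.items():
        mk = extract_machine_key(xml_text)
        if mk is None or "validationKey" not in mk:
            findings.append((host, "no-machinekey"))
            continue
        key = mk["validationKey"].upper()
        if key in KNOWN_STATIC_VALIDATION_KEYS:
            findings.append((host, "known-static-key"))
        by_key[key].append(host)
    for hosts in by_key.values():
        if len(hosts) > 1:
            for host in hosts:
                others = ",".join(sorted(h for h in hosts if h != host))
                findings.append((host, f"shared-key:{others}"))
    return sorted(findings)


def _config(validation_key):
    """Build a minimal constructed web.config carrying the given validationKey."""
    return (f'<configuration><system.web><machineKey validationKey="{validation_key}" '
            'decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF" '
            'validation="SHA1" decryption="AES"/></system.web></configuration>')


# Constructed sample fleet: exch01/exch02 share a key, exch03 is unique,
# exch04 carries the blocklisted placeholder, exch05 has no machineKey at all.
SAMPLE_FLEET = {
    "exch01": _config("AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"),
    "exch02": _config("AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111"),
    "exch03": _config("BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222"),
    "exch04": _config("PLACEHOLDER_KNOWN_STATIC_VALIDATION_KEY"),
    "exch05": "<configuration><system.web/></configuration>",
}

if __name__ == "__main__":
    for host, finding in audit_fleet(SAMPLE_FLEET):
        print(host, finding)
```

A fleet where every patched server reports no finding is the expected state; any `shared-key` hit points at installs that still carry the non-unique key material.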

Cryptographic keys are at the heart of the security of any data or IT system. Because the affected keys are not unique to each installation, an attacker mounting a CVE-2020-0688 exploit already knows them, and with them can take control of the Exchange Server.

Microsoft rates the severity of the threat as important rather than critical, though. This is probably because an attacker would still need valid credentials to make use of the validation keys.

A determined hacker may still be able to obtain credentials by other means, such as phishing, after which they could comfortably launch a CVE-2020-0688 attack.

Keep in mind that not all cybersecurity violations originate from nefarious players in a basement hideout or a foreign country. The threat can also come from internal actors who already hold valid credentials.

Hackers once took advantage of a similar loophole, PrivExchange, to obtain MS Exchange Server’s admin rights.