More Than 82% of Public-Facing Exchange Servers Still Vulnerable to Actively Exploited Critical Flaw

On February Patch Tuesday, 2020, Microsoft released a patch for a critical vulnerability affecting Microsoft Exchange Servers which could potentially be exploited by threat actors to take full control of a vulnerable system. Despite Microsoft warning that the flaw would be attractive to hackers, patching has been slow.

An analysis conducted by cybersecurity firm Rapid7 revealed more than 82% of public-facing Exchange servers remained vulnerable and had not been patched. The firm’s scan identified 433,464 public-facing Exchange servers, and at least 357,629 were vulnerable to an attack exploiting the CVE-2020-0688 vulnerability.

Exchange administrators may not have prioritized the patch because the vulnerability is a post-authorization flaw, meaning an attacker first needs valid credentials; however, attacks could be carried out using any stolen email credentials or by brute forcing weak passwords.

Several proof-of-concept exploits for the flaw have been published on GitHub, and there have been reports of nation state Advanced Persistent Threat groups attempting to exploit the flaw using credentials obtained through brute force attacks or stolen in previous data breaches.

If the flaw is exploited, hackers would be able to gain access to Exchange Servers and compromise the entire Exchange environment. That would allow them to obtain all email communications, create new email accounts, falsify messages, and remotely execute code on compromised servers with SYSTEM privileges.

Microsoft previously said there are no mitigations or workarounds that can be implemented to prevent exploitation. The only way to prevent the flaw from being exploited is to ensure the patch is applied on all vulnerable servers.

Since attacks are known to have already been conducted, administrators should not only apply the patch but also investigate whether their servers have already been attacked and whether those attacks succeeded.

Rapid7 recommends that Exchange administrators check the Windows Event and IIS logs for signs of compromise. Exploit attempts made with compromised email accounts leave traces of the exploit code in these log files.

“The exploit attempts show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account as well as a very long error message that includes the text Invalid viewstate. What you are seeing is portions of the encoded payload,” explained Rapid7. “You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), which contain the string __VIEWSTATE and __VIEWSTATEGENERATOR.”
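The two log checks Rapid7 describes above, turned into a small triage script. This is an added example, not Rapid7's or Microsoft's code: it scans constructed IIS W3C lines for requests under /ecp whose query string carries both __VIEWSTATE and __VIEWSTATEGENERATOR, and constructed Application event records for the MSExchange Control Panel / Error / event ID 4 "Invalid viewstate" pattern. The IIS field order, the simplified event dictionaries and every sample value are assumptions made for the example.

```python
import re
from typing import Dict, Iterable, List

# Constructed IIS W3C lines (not a real capture); field order assumed here:
# date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
IIS_SAMPLE = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username sc-status
2020-03-01 10:00:01 GET /owa/ - alice@example.com 200
2020-03-01 10:00:07 GET /ecp/default.aspx __VIEWSTATEGENERATOR=GEN_PLACEHOLDER&__VIEWSTATE=BLOB_PLACEHOLDER bob@example.com 500
2020-03-01 10:00:09 GET /ecp/default.aspx - carol@example.com 200
2020-03-01 10:00:12 POST /ecp/SomePage.aspx __VIEWSTATE=BLOB_PLACEHOLDER&__VIEWSTATEGENERATOR=GEN_PLACEHOLDER dave@example.com 302
"""

# Constructed Application event records in simplified dict form; a real
# collector would pull them with Get-WinEvent or from a SIEM.
EVENT_SAMPLE = [
    {"source": "MSExchange Control Panel", "level": "Error", "id": 4,
     "message": "Current user: 'CONTOSO\\bob'\nRequest for URL '/ecp/default.aspx' failed: Invalid viewstate. <placeholder>"},
    {"source": "MSExchange Control Panel", "level": "Error", "id": 4,
     "message": "Current user: 'CONTOSO\\erin'\nUnrelated control panel error"},
    {"source": "MSExchange ADAccess", "level": "Warning", "id": 2080, "message": "Unrelated warning"},
]
USER_RE = re.compile(r"Current user: '([^']+)'")


def suspicious_iis_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Flag requests under /ecp whose query string carries both viewstate fields."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # blank line or W3C directive such as #Fields
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, _method, path, query, user, status = parts[:7]
        keys = {kv.partition("=")[0] for kv in query.split("&")}
        if path.lower().startswith("/ecp") and {"__VIEWSTATE", "__VIEWSTATEGENERATOR"} <= keys:
            hits.append({"time": f"{date} {time}", "user": user, "path": path, "status": status})
    return hits

def suspicious_ecp_events(events: Iterable[Dict]) -> List[Dict[str, str]]:
    """Flag MSExchange Control Panel / Error / event ID 4 entries mentioning 'Invalid viewstate'."""
    hits = []
    for e in events:
        if (e["source"] == "MSExchange Control Panel" and e["level"] == "Error"
                and e["id"] == 4 and "invalid viewstate" in e["message"].lower()):
            m = USER_RE.search(e["message"])  # account named in the event body
            hits.append({"user": m.group(1) if m else "<unknown>", "event_id": str(e["id"])})
    return hits
```

Each flagged account should be treated as potentially compromised and its password reset in addition to patching, since the flaw only works with valid credentials.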

In addition to discovering a worrying number of Exchange servers vulnerable to the CVE-2020-0688 vulnerability, the researchers also found an alarming number of Exchange servers were missing several updates for other critical flaws. The researchers identified 31,000 Exchange servers that had not received an update since 2012 and 800 Exchange servers that had never been updated.

Come October, Microsoft will end support for Exchange 2010. It is concerning that 166,000 public-facing Exchange servers are still running Exchange 2010 so close to the end-of-support date.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.