According to cybersecurity specialists at Kenna Security, the vast majority (85%) of Microsoft Exchange servers have not been patched against the CVE-2020-0688 vulnerability, which potentially allows remote code execution.
This is despite a patch being made available by Microsoft more than a month ago on February 11. At the same time, advanced persistent threat (APT) groups, many of which are state-backed, appear to be targeting vulnerable servers.
The vulnerability is contained within the Exchange Control Panel (ECP) component and relates to its use of a static cryptographic key. With a valid credential, even one without elevated privileges, a threat actor can execute arbitrary code within ECP. Organisations compromised by the attack are advised that their entire Active Directory may be compromised as a result.
The researchers at Kenna sought to establish the remediation rate for the vulnerability by analysing a representative data sample. They found it to be under 15%, implying that 85% of servers remained susceptible to the vulnerability. This compares badly with similar analysis by Kenna for Microsoft’s January Patch Tuesday, which showed a 60% remediation rate for CVE-2020-0661, well ahead of the established norm of 50%.
Of course, some servers may not have been at risk because they were not exposed to the internet, or their admins may have disabled ECP to close off the vulnerability instead. Further research therefore surveyed over 200,000 internet-facing Outlook Web Access servers to infer the version of the underlying Exchange server. Based on this, the researchers estimated that 74% of them were vulnerable and a further 26% were potentially vulnerable, supporting the original analysis.
The researchers conclude that Exchange is perhaps not being patched so quickly due to its critical importance in an organisation, maybe because a genuine credential is needed for the vulnerability to be exploited.
Jonathan Cran posted the analysis on Kenna Security’s blog, pointing out that while a valid credential is needed to exploit the vulnerability:
“…if you do some quick searching in one of the breach databases like Dehashed or Spycloud, you’ll quickly see this isn’t a barrier at all. It’s reasonable to assume that there’s at least one working credential for any given enterprise available with minimal effort at any given time. Attackers are effectively one weak or leaked user password away from complete access to your organization. When combined with the external facing nature of OWA and the ECP – on by default in Exchange, this is likely to be one of the most devastating vulnerabilities of 2020.”
Keeping up to date on patches is vital, even if it means taking down something as important as your email server. At Pro-Networks, we offer pro-active network management services from Microsoft-certified engineers, thus ensuring that vulnerabilities are patched or mitigated in a timely fashion. You may also want to move away from an on-site email server and adopt Microsoft Exchange Online instead, either as standalone package or as part of an Office 365 subscription.