With servers reportedly being probed en masse, ZDI has advised sysadmins to patch ASAP
As outlined in Microsoft's security advisory, the vulnerability (CVE-2020-0688) arises because Exchange Server fails to create unique cryptographic keys at install time, so every installation ends up using the same keys.
Left unchecked, this could lead to mail servers being hijacked.
Microsoft issued a fix in its latest Patch Tuesday release (February 11, 2020) that remedies the vulnerability by generating random keys during installation.
Those who have not yet applied the patch have been urged to do so without delay, after Trend Micro’s Zero Day Initiative (ZDI) published details of a working exploit on its blog this week.
Behind the bug
Discussing the exploit, which was reported to ZDI by an anonymous researcher, the company’s Simon Zuckerbraun described the bug as “quite simple” but potentially very damaging.
“Due to the use of static keys, an authenticated attacker can trick the server into deserializing maliciously crafted ViewState data,” Zuckerbraun said.
“With the help of YSoSerial.net, an attacker can execute arbitrary .NET code on the server in the context of the Exchange Control Panel web application, which runs as SYSTEM.”
According to Zuckerbraun, an attacker who compromised the credentials of any enterprise user would be able to take over the Exchange Server and “divulge or falsify corporate email communications at will”.
Zuckerbraun therefore urged sysadmins to treat the flaw as ‘critical’, despite Microsoft rating it ‘important’, a classification he suggested was likely assigned because authentication is required.
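The chain Zuckerbraun describes above, as an added example that is not code from the article, ZDI or Microsoft: a simplified model of the ASP.NET ViewState MAC check in Python. The server names, web.config snippets and hex keys are constructed (the real Exchange key is deliberately not reproduced), and the MAC scheme is reduced to a bare HMAC-SHA1 over the payload, which omits the real pipeline's key derivation and the __VIEWSTATEGENERATOR modifier. It shows why a key shared by every install lets anyone who has read one web.config forge a ViewState that a different server accepts, why a per-install random key stops that, and a cross-server check for key reuse.

```python
"""Simplified model of the ASP.NET ViewState MAC check behind CVE-2020-0688.

Constructed example (not from Microsoft, ZDI or the article): the MAC scheme
is reduced to HMAC-SHA1 over the serialized payload, and every web.config
snippet, server name and hex key below is made up.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Hypothetical key that stands in for a value baked into every install.
STATIC_VALIDATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff0011223344")


def parse_machine_key(web_config: str) -> dict:
    """Extract the <machineKey> attributes from an ASP.NET web.config string."""
    root = ET.fromstring(web_config)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else {}


def sign_viewstate(payload: bytes, validation_key: bytes) -> str:
    """base64(payload || HMAC-SHA1(validationKey, payload)).

    A real server only signs its own page state; an attacker who knows the
    key runs this offline over a chosen payload (what ysoserial.net automates).
    """
    mac = hmac.new(validation_key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def verify_viewstate(blob: str, validation_key: bytes):
    """Return the payload if its MAC is valid under this server's key, else None.

    A valid MAC is the gate: the server then deserializes the payload, which is
    the step a gadget chain abuses for code execution.
    """
    raw = base64.b64decode(blob)
    payload, mac = raw[:-20], raw[-20:]
    expected = hmac.new(validation_key, payload, hashlib.sha1).digest()
    return payload if hmac.compare_digest(mac, expected) else None


def audit_machine_keys(configs: dict) -> list:
    """Check: list groups of servers whose web.config share one validationKey.

    Keys generated uniquely at install time never collide across servers.
    """
    seen = {}
    for server, cfg in configs.items():
        key = parse_machine_key(cfg).get("validationKey", "").lower()
        seen.setdefault(key, []).append(server)
    return [servers for servers in seen.values() if len(servers) > 1]


def web_config_for(validation_key: bytes) -> str:
    """Constructed web.config fragment with a machineKey element."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation_key.hex().upper()}" '
        'decryptionKey="0102030405060708090A0B0C0D0E0F10" '
        'validation="SHA1" decryption="AES" />'
        "</system.web></configuration>"
    )


def demo() -> dict:
    """Two unpatched installs share the static key; one patched install does not."""
    configs = {
        "attacker-lab-exchange": web_config_for(STATIC_VALIDATION_KEY),
        "victim-exchange-unpatched": web_config_for(STATIC_VALIDATION_KEY),
        "victim-exchange-patched": web_config_for(os.urandom(20)),
    }
    # The attacker reads the key out of their own install's web.config ...
    own = parse_machine_key(configs["attacker-lab-exchange"])
    attacker_key = bytes.fromhex(own["validationKey"])
    # ... and signs a payload; placeholder bytes stand in for a gadget chain.
    forged = sign_viewstate(b"<serialized gadget chain>", attacker_key)

    results = {}
    for name, cfg in configs.items():
        if name == "attacker-lab-exchange":
            continue
        server_key = bytes.fromhex(parse_machine_key(cfg)["validationKey"])
        results[name] = verify_viewstate(forged, server_key) is not None
    results["servers_sharing_a_key"] = audit_machine_keys(configs)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The audit is the check worth running across an estate: Exchange servers in unrelated organizations must never report the same validationKey, and if they do, the keys were not generated uniquely at install time, which is the condition Microsoft's advisory describes. Note that the MAC is only the gate; the attacker still needs a serialized gadget chain in the payload, which is why the quoted write-up pairs the static key with ysoserial.net.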
“Patching Exchange is always a chore, but this bug should not be ignored,” Brian Gorenc, director of vulnerability research at ZDI, told The Daily Swig. “Patch as soon as possible.”
He added: “Given the severity and exploitability of this vulnerability, we expect to see exploits soon. There have already been reports of an increase in scanning activities probing for vulnerable systems.”
ZDI has released a video documenting the bug.