Attacker Value: Very High (1 user assessed)
Exploitability: High (1 user assessed)
User Interaction: None
Privileges Required: High
Attack Vector: Network

CVE-2020-17132

Disclosure Date: December 10, 2020

Description

Aka ‘Microsoft Exchange Remote Code Execution Vulnerability’. This CVE ID is unique from CVE-2020-17117, CVE-2020-17141, CVE-2020-17142, CVE-2020-17144.

Technical Analysis

This vulnerability is a bypass for the patch issued for CVE-2020-16875. The vulnerability was also identified and analyzed by Steven Seeley. The patch can be bypassed using call operators, as described in Seeley’s blog post “Making Clouds Rain RCE in Office 365”.

The original vulnerability is a command injection vulnerability that results in OS commands being executed with SYSTEM level privileges on the Exchange server due to insufficient sanitization on a cmdlet invocation.

CVSS V3 Severity and Metrics

Base Score: 9.1 Critical
Impact Score: 6
Exploitability Score: 2.3
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

General Information

Vendors

  • Microsoft

Products

  • Microsoft Exchange Server 2013
  • Microsoft Exchange Server 2019 Cumulative Update 6
  • Microsoft Exchange Server 2016 Cumulative Update 17
  • Microsoft Exchange Server 2019 Cumulative Update 7
  • Microsoft Exchange Server 2016 Cumulative Update 18

Additional Info

Technical Analysis

Description

On January 12, 2021, Steven Seeley (aka mr_me) published a blog post on a zero-day patch bypass for Microsoft Exchange CVE-2020-17132, a post-authentication code execution vulnerability that was itself a patch bypass for CVE-2020-16875. The patch for CVE-2020-17132 is effectively a series of six checks run against cmdlets passed to Exchange Server to ensure that exploit attempts against CVE-2020-16875 are rejected. As described in Seeley’s blog post, this latest patch bypass lets attackers use call operators to circumvent all six of the mitigations applied in the patch for CVE-2020-17132, and thereby execute commands with SYSTEM privileges.

There have been no reports of active exploitation at the time of writing, but an unpatched zero-day vulnerability makes a high-value target for attackers. We consider this new vulnerability to be an impending threat, and active exploitation is likely before long.

Affected products

Currently, the following supported versions of Exchange Server 2019 and 2016 are vulnerable:

  • Exchange Server 2019 (CU8, CU7)
  • Exchange Server 2016 (CU19, CU18)

Rapid7 analysis

As of January 12, 2020, both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of Exchange Server 2016 CU19 on Windows Server 2016. Authentication presents somewhat of a barrier to exploitation, but it should not be relied upon as a long-term preventative hurdle. As we have seen with previous Exchange vulnerabilities, once attackers gain authenticated access (e.g., via phishing), the impact of exploitation is high.

Guidance

Microsoft Exchange customers who have Exchange Servers that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure Exchange Server is not exposed to the internet until the appropriate patches have been released by Microsoft.