Attacker Value
Very High
(10 users assessed)
Exploitability
High
(10 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Network
5

CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug

Disclosure Date: February 11, 2020
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Initial Access
Techniques
Validation
Validated

Description

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.

Add Assessment

3
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Technical Analysis

just to add the exploit and proper tag
https://github.com/Ridter/cve-2020-0688

3
Ratings
Technical Analysis

Just to drop in my panicky two cents: Exchange Administrators are historically hesitant to patch Exchange without extensive planning and often physical presence to reboot / restore if needed. Exchange patching isn’t usually just a matter of patch, reboot, move on with your life — many sites need to deprovision an Exchange server to fail over, then again to do it the other way. Even when everything goes well, sometimes the patch doesn’t actually apply, which means administrators either don’t notice, or actively check and test (which means more time).

So, in short, there’s a trust gap for this particular patch, and I believe that’s what we see reflected in the low patch numbers. Even if the patch is easy and clean and works great, an experienced Exchange admin isn’t going to trust it.

3
Ratings
Technical Analysis

There’s a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that’s needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129.
TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/

2
Ratings
Technical Analysis

Discovery Notes

You can determine the version of Microsoft Exchange that the Client Access Servers (CAS) are running prior to authentication. Visit the OWA login page ( https://owa.probablyunpatched.com/owa/auth/logon.aspx) and view the source.

@font-face {
    font-family: "Segoe UI WPC";
    src: url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"),
            url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.ttf") format("truetype");
}

@font-face {
    font-family: "Segoe UI WPC Semilight";
    src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.eot?#iefix") format("embedded-opentype"),
        url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.ttf") format("truetype");
}

@font-face {
    font-family: "Segoe UI WPC Semibold";
    src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.eot?#iefix") format("embedded-opentype"),
        url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.ttf") format("truetype");
}

The versions there can be compared to the Exchange build lookup list provided by Microsoft
https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019

The following Exchange versions may be safe. Microsoft isn’t consistently updating the build number as part of the update installation process. Anything newer is probably patched.

Exchange Release Build Number
Microsoft Exchange Server 2019 Cumulative Update 4 + hotfix 15.2.529.xxx
Microsoft Exchange Server 2019 Cumulative Update 3 + hotfix 15.2.464.xxx
Microsoft Exchange Server 2016 Cumulative Update 16 + hotfix 15.1.1979.xxx
Microsoft Exchange Server 2016 Cumulative Update 15 + hotfix 15.1.1913.xxx
Microsoft Exchange Server 2016 Cumulative Update 14 + hotfix 15.1.1847.xxx
Microsoft Exchange Server 2013 Cumulative Update 23 + hotfix 15.0.1497.xxx
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 14.3.496.xxx

Any version matching those listed below or that are older than those listed below are definately vulnerable.

Exchange Release Build Number
Microsoft Exchange Server 2019 Cumulative Update 2 15.2.397.3
Microsoft Exchange Server 2016 Cumulative Update 14 15.1.1779.2
Microsoft Exchange Server 2013 Cumulative Update 22 15.0.1473.3
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29 14.3.487.0
2
Technical Analysis

This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF

2
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Medium
Technical Analysis

Exchange Servers exposed to the outside (OWA) will need to patch this as soon as possible. Internal Exchange is not a high priority. The requirement of knowing the validation key is required to exploit. There is discussion that a specially crafted email may trigger this vulnerability with the way Exchange handles memory objects which can lead to remote code execution.
Several POC are available although the skill level to exploit is higher with the need to write custom code.
Recommended to patch if Exchange is exposed outside of the environment.
This was patched in the Feb 2020 patch release from Microsoft.
High/Critical depending on controls to expose Exchange to the internet.
Low/Moderate for internal Exchange depending on the environment.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • exchange server 2010,
  • exchange server 2013,
  • exchange server 2016,
  • exchange server 2019

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis