Very High
CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-0688 - Exchange Control Panel Viewstate Deserialization Bug
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory, aka ‘Microsoft Exchange Memory Corruption Vulnerability’.
Add Assessment
Ratings
-
Attacker ValueHigh
-
ExploitabilityHigh
Technical Analysis
This is a serialization bug in the Exchange Control Panel component of the Microsoft Exchange server. The write up by ZDI outlines an exploitation path in grate detail how the vulnerability would be leveraged to gain command execution as NT_AUTHORITY\SYSTEM
on the server.
The root of the issue is that the validationKey
is not randomized at installation time, resulting in Exchange servers using an attacker known value. This value can be used to submit crafted data to the server that passes validation checks and is ultimately deserialized which can result in code execution.
The important values from the write up are:
validationkey = CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF validationalg = SHA1
I anticipate that the largest barrier to developing a PoC for this will be setting up and configuring a target environment. Exploiting this vulnerability requires authenticating as a user. The user must be a member of the Domain Users
group and have a configured mailbox in Exchange.
The ViewState must be transferred within a GET request, POST can not be used. This introduces size restrictions on the OS command that can be executed.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
This one is fairly new. I will put a few quotes in here as they display my ideas of why this should be considered high priority and have better writing skills than I do, unfortunately.
I was initially alerted (again) to this CVE with the Thread linked here : https://twitter.com/GossiTheDog/status/1232368620270911488
I agree, enterprise environments with Internet facing Exchange. As stated in the thread, you can see a simple search with shodan.io will expose this vulnerability. There are thousands that qualify.
Here is another, more formal and thorough analysis I think you will find helpful: https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
Here is a video of bug in action.
https://youtu.be/7d_HoQ0LVy8
This is a RCE vulnerability that effects Microsoft Exchange Server. Now a patch was released, but Microsoft has not classified this as critical, so we will see how effective it is.
“Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter. “
I welcome any discussion, please tell me if I missing something. I would love to hear more about this and if any Blue Team has had an incident already.
Take care!
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportI am still reviewing this in my lab environment, however you marked this as difficult to patch. From the zdi writeup I assume just changing the keys is enough to mitigate
If that’s the case then I should not have marked the patching as difficult. I need to look into this more tomorrow if possible. Thanks for the heads up, please let us know what you find!
Has anyone had a chance to confirm if changing the key is an effective mitigation? The Microsoft CVE said there are no mitigations, but like Kev mentioned, the write up said it was a requirement for exploit .
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Due to widespread credential stuffing and password spraying attacks, the fact that this is a deserialization RCE due to hard coded encryption keys, the exploit is universally portable.
There are also POC scripts that just require you to get valid credentials.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportDo you have links to those POCs?
This has the exploit POC generation as a part of the blog. Using yososerial.net they generate a command that you can copy/paste and just change the payload.
Metasploit module is now available, increasing the ‘exploitability’ of this exploit substantially.
Ratings
-
Attacker ValueVery High
-
ExploitabilityVery High
Technical Analysis
just to add the exploit and proper tag
https://github.com/Ridter/cve-2020-0688
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
the easiness of exploiting this vulnerability depends directly on the ability to get a working set of creds.
that means that if the organization has weak password policy, guessable passwords, leaked credentials or external interface that allows password spraying, obtaining such credentials will be easy for adversaries.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportI agree. The proliferation of OWA spraying tools makes me think that there are a lot of attackers that are going after this vulnerability right now.
yup, its easy to get bulletproof hosting, run endless password spraying attacks against OWA\Office365 until you get creds, and then with this vuln it’s game over as Exchange in a core server that will almost always would yield DA creds.
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Just to drop in my panicky two cents: Exchange Administrators are historically hesitant to patch Exchange without extensive planning and often physical presence to reboot / restore if needed. Exchange patching isn’t usually just a matter of patch, reboot, move on with your life — many sites need to deprovision an Exchange server to fail over, then again to do it the other way. Even when everything goes well, sometimes the patch doesn’t actually apply, which means administrators either don’t notice, or actively check and test (which means more time).
So, in short, there’s a trust gap for this particular patch, and I believe that’s what we see reflected in the low patch numbers. Even if the patch is easy and clean and works great, an experienced Exchange admin isn’t going to trust it.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
There’s a Metasploit exploit module out for this now, and pen testers have reported that seeing vulnerable Exchange servers is common on engagements. As zeroSteiner has pointed out on Twitter, all that’s needed for reliable code execution is a domain user with a mailbox: https://twitter.com/zeroSteiner/status/1234983584177328129.
TrustedSec has a great write-up on IoCs here: https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
Technical Analysis
Discovery Notes
You can determine the version of Microsoft Exchange that the Client Access Servers (CAS) are running prior to authentication. Visit the OWA login page ( https://owa.probablyunpatched.com/owa/auth/logon.aspx
) and view the source.
@font-face { font-family: "Segoe UI WPC"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-regular.ttf") format("truetype"); } @font-face { font-family: "Segoe UI WPC Semilight"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-semilight.ttf") format("truetype"); } @font-face { font-family: "Segoe UI WPC Semibold"; src: url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.eot?#iefix") format("embedded-opentype"), url("/owa/auth/15.0.1210/themes/resources/segoeui-semibold.ttf") format("truetype"); }
The versions there can be compared to the Exchange build lookup list provided by Microsoft
https://docs.microsoft.com/en-us/exchange/new-features/build-numbers-and-release-dates?view=exchserver-2019
The following Exchange versions may be safe. Microsoft isn’t consistently updating the build number as part of the update installation process. Anything newer is probably patched.
Exchange Release | Build Number |
---|---|
Microsoft Exchange Server 2019 Cumulative Update 4 + hotfix | 15.2.529.xxx |
Microsoft Exchange Server 2019 Cumulative Update 3 + hotfix | 15.2.464.xxx |
Microsoft Exchange Server 2016 Cumulative Update 16 + hotfix | 15.1.1979.xxx |
Microsoft Exchange Server 2016 Cumulative Update 15 + hotfix | 15.1.1913.xxx |
Microsoft Exchange Server 2016 Cumulative Update 14 + hotfix | 15.1.1847.xxx |
Microsoft Exchange Server 2013 Cumulative Update 23 + hotfix | 15.0.1497.xxx |
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30 | 14.3.496.xxx |
Any version matching those listed below or that are older than those listed below are definately vulnerable.
Exchange Release | Build Number |
---|---|
Microsoft Exchange Server 2019 Cumulative Update 2 | 15.2.397.3 |
Microsoft Exchange Server 2016 Cumulative Update 14 | 15.1.1779.2 |
Microsoft Exchange Server 2013 Cumulative Update 22 | 15.0.1473.3 |
Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 29 | 14.3.487.0 |
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportTechnical Analysis
This is now supposedly being exploited in the wild by Chinese state actors according to this NSA announcement: https://media.defense.gov/2020/Oct/20/2002519884/-1/-1/0/CSA_CHINESE_EXPLOIT_VULNERABILITIES_UOO179811.PDF
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportRatings
-
Attacker ValueVery High
-
ExploitabilityMedium
Technical Analysis
Exchange Servers exposed to the outside (OWA) will need to patch this as soon as possible. Internal Exchange is not a high priority. The requirement of knowing the validation key is required to exploit. There is discussion that a specially crafted email may trigger this vulnerability with the way Exchange handles memory objects which can lead to remote code execution.
Several POC are available although the skill level to exploit is higher with the need to write custom code.
Recommended to patch if Exchange is exposed outside of the environment.
This was patched in the Feb 2020 patch release from Microsoft.
High/Critical depending on controls to expose Exchange to the internet.
Low/Moderate for internal Exchange depending on the environment.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- exchange server 2010,
- exchange server 2013,
- exchange server 2016,
- exchange server 2019
Exploited in the Wild
Would you like to delete this Exploited in the Wild Report?
Yes, delete this report- Government or Industry Alert (https://us-cert.cisa.gov/ncas/alerts/aa21-209a)
- Threat Feed (https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/)
- News Article or Blog (https://www.tenable.com/blog/contileaks-chats-reveal-over-30-vulnerabilities-used-by-conti-ransomware-affiliates)
- Other: 2020 Most Exploited Vulnerabilities (https://www.ic3.gov/Media/News/2021/210728.pdf)
Would you like to delete this Exploited in the Wild Report?
Yes, delete this reportWould you like to delete this Exploited in the Wild Report?
Yes, delete this reportReferences
Exploit
A PoC added here by the AKB Worker must have at least 2 GitHub stars.
Miscellaneous
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
I’ll be using your TA format the next time I post an analysis. Appreciate the example.