Very High
CVE-2020-17132
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
Very High
(1 user assessed)High
(1 user assessed)Unknown
Unknown
Unknown
CVE-2020-17132
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
Microsoft Exchange Remote Code Execution Vulnerability
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
This is vulnerability is a bypass for the patch issued for CVE-2020-16875. The vulnerability was also identified and analyzed by Steven Seeley. The patch can be bypassed using call operators as described in Seeley’s blog Making Clouds Rain RCE in Office 365.
The original vulnerability is a command injection vulnerability that results in OS commands being executed with SYSTEM level privileges on the Exchange server due to insufficient sanitization on a cmdlet invocation.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- exchange server 2013,
- exchange server 2016,
- exchange server 2019
References
Additional Info
Technical Analysis
Description
On January 12, 2021, Steven Seeley (aka mr_me) published a blog post on a zero-day patch bypass for Microsoft Exchange CVE-2020-17132, a post-authentication code execution vulnerability that was itself a patch bypass for CVE-2020-16875. The patch for CVE-2020-17132 is effectively a series of six checks that are run against cmdlets passed to Exchange Server to ensure exploit attempts against CVE-2020-16875 are rejected. As described in Seeley’s blog post, this latest patch bypass allows attackers to use call operators to circumvent all mitigations applied in the patch for CVE-2020-17132; this allows attackers to execute commands with SYSTEM privileges.
There have been no reports of active exploitation at the time of writing, but an unpatched zero-day vulnerability makes a high-value target for attackers. We consider this new vulnerability to be an impending threat, and active exploitation is likely before long.
Affected products
Currently, the following supported versions of Exchange Server 2019 and 2016 are vulnerable:
- Exchange Server 2019 (CU8 CU7)
- Exchange Server 2016 (CU19 CU18)
Rapid7 analysis
As of January 12, 2020, both rich technical detail and proof-of-concept (PoC) code are readily available to the public, including researchers and attackers looking to build exploit chains of their own. Rapid7 researchers were able to reproduce the RCE on a vulnerable instance of Exchange Server 2016 CU19 on Windows Server 2016. Authentication presents somewhat of a barrier to exploitation, but it should not be relied upon as a long-term preventative hurdle. As we have seen with previous Exchange vulnerabilities, once attackers gain authenticated access (e.g., via phishing), the impact of exploitation is high.
Guidance
Microsoft Exchange customers who have Exchange Servers that are internet-facing should strongly consider investigating their environments for signs of compromise and suspicious activity. We also urge all defenders to ensure Exchange Server is not exposed to the internet until the appropriate patches have been released by Microsoft.
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: