CVE-2020-0688 Microsoft Exchange Servers Bug Exploited in the Wild

Unnamed state-sponsored hacking groups are exploiting CVE-2020-0688, a vulnerability in Microsoft Exchange email servers that the company patched in its February 2020 Patch Tuesday release.

As part of the Patch Tuesday routine, Microsoft released security updates for all supported releases of Microsoft Exchange 2010, 2013, 2016 and 2019 to address this remote code execution bug.

The bug was discovered by an anonymous researcher and reported to Microsoft through Trend Micro’s Zero Day Initiative (ZDI). Two weeks after the patch, ZDI published a detailed write-up clarifying the conditions under which an attacker could exploit CVE-2020-0688. The report was meant to help security teams test their own servers, write detection rules and prepare mitigations. However, proof-of-concept exploits soon appeared on GitHub, followed by a Metasploit module, and it didn’t take long for threat actors to take advantage of the abundance of technical detail.

The first to report on the state-sponsored activity was Volexity, a US cybersecurity firm. The firm didn’t share any specifics and hasn’t said where the attacks originate from, but according to ZDNet the groups involved include “all the big players”.


More about CVE-2020-0688

According to Microsoft, “a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

In other words, Exchange setup did not generate a unique cryptographic key for the Exchange Control Panel (ECP) during installation. The key in question is the ASP.NET machine key (the validationKey and decryptionKey values in the ECP web.config) that protects the page’s ViewState. Because setup wrote the same constant on every server, every Exchange installation from 2010 through 2019 shares identical keys for the control panel’s backend, and anyone who has installed Exchange once knows the key for all of them.

So, how can attackers exploit the vulnerability? An attacker with valid credentials for any mailbox sends a malformed request to the Exchange Control Panel carrying malicious serialized data in the ViewState. Because the validation key is known, the attacker can compute a correct ViewState MAC for that data, so the server treats it as authentic and deserializes it, and the embedded payload runs in the context of the web application, which runs as SYSTEM. Note that the authentication requirement is low: the credentials of any ordinary user with a mailbox are enough.
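To make the key-reuse point concrete, here is a simplified Python model of the ASP.NET ViewState MAC check, added to this article as an illustration; it is not Exchange’s or Microsoft’s code. The key bytes, the __VIEWSTATEGENERATOR value and the “gadget chain” payload are constructed placeholders, and the real MAC construction mixes in more inputs than this model shows. The point it demonstrates is that a MAC protects integrity only while the key is secret: with the constant that every Exchange install shared, an attacker’s forged ViewState verifies, while against a per-install random key, which is what the fix restores, the same forgery is rejected.

```python
"""Simplified model of ASP.NET ViewState MAC validation and why a shared key defeats it.

Added illustration, not Exchange code. The HMAC is reduced to
HMAC-SHA1(key, payload || generator); real ASP.NET mixes in more inputs.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes

# Placeholder standing in for the validationKey every vulnerable Exchange
# install shipped with. The real constant is public; its value is irrelevant here.
STATIC_VALIDATION_KEY = bytes.fromhex("01" * 24)

# __VIEWSTATEGENERATOR is derived from the page path and is visible in the HTML,
# so the attacker always has it. Constructed value.
ECP_GENERATOR = bytes.fromhex("A1B2C3D4")


def sign_viewstate(payload: bytes, validation_key: bytes, generator: bytes) -> str:
    """What the server does when it emits a page: append an HMAC over the state."""
    mac = hmac.new(validation_key, payload + generator, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def server_deserialize(viewstate_b64: str, validation_key: bytes,
                       generator: bytes) -> Optional[bytes]:
    """Server side on postback: recompute the MAC and deserialize only on a match."""
    raw = base64.b64decode(viewstate_b64)
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload + generator, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # ASP.NET raises ViewStateException; nothing is deserialized
    return payload   # would now be handed to ObjectStateFormatter.Deserialize


# Constructed stand-in for a ysoserial.net-style gadget chain. Real payloads are
# serialized .NET object graphs, not this marker string.
FORGED_PAYLOAD = b"<constructed gadget chain>"


def attack_against(server_key: bytes) -> bool:
    """Attacker signs with the key every install shared; True if the server accepts it."""
    forged = sign_viewstate(FORGED_PAYLOAD, STATIC_VALIDATION_KEY, ECP_GENERATOR)
    return server_deserialize(forged, server_key, ECP_GENERATOR) == FORGED_PAYLOAD


def unpatched_server_accepts_forgery() -> bool:
    """Vulnerable server: its key is the shared constant, so the forgery verifies."""
    return attack_against(STATIC_VALIDATION_KEY)


def patched_server_accepts_forgery() -> bool:
    """Fixed server: a key generated at install time that the attacker does not know."""
    per_install_key = secrets.token_bytes(24)
    return attack_against(per_install_key)


if __name__ == "__main__":
    print("unpatched accepts forged ViewState:", unpatched_server_accepts_forgery())  # True
    print("patched accepts forged ViewState:  ", patched_server_accepts_forgery())    # False
```

The deserializer itself is not the bug: ObjectStateFormatter is dangerous on any untrusted input, and the MAC is the only thing standing between the network and it. Once the key is a published constant, the MAC check is a formality the attacker can satisfy, which is why the fix is to generate the key per installation rather than to change the deserializer.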

If you want to check whether your Exchange server has already been attacked, TrustedSec has published a tutorial on detecting exploitation attempts for this bug.
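As an added example of what such a check can look like (this is not TrustedSec’s or Microsoft’s code, and the log lines are constructed for the illustration), the following Python script parses IIS W3C logs and flags requests to the Exchange Control Panel whose URL query string carries a __VIEWSTATE parameter. The heuristic rests on how the public proof-of-concept exploits behave: they send the forged ViewState as a GET parameter to /ecp/default.aspx, whereas normal ECP usage never puts __VIEWSTATE in the query string.

```python
"""Triage IIS W3C logs for CVE-2020-0688 exploitation attempts against /ecp.

Added example, not TrustedSec's or Microsoft's code. Heuristic: the public
exploits send the forged ViewState as a GET parameter to /ecp/default.aspx,
whereas normal ECP usage never puts __VIEWSTATE in the URL query string.
"""
from typing import Dict, List
from urllib.parse import parse_qs

# Constructed sample log (W3C extended format), not real data. IIS writes '+'
# for spaces inside fields, so a plain split on ' ' is safe.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-02-26 10:01:02 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
2020-02-26 10:01:09 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=A1B2C3D4&__VIEWSTATE=%2FwEyAAAAAAA%3D 443 CORP\\bob 203.0.113.7 python-requests/2.22.0 500
2020-02-26 10:02:00 10.0.0.5 POST /owa/auth.owa - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) 302
2020-02-26 10:03:11 10.0.0.5 GET /ecp/default.aspx schema=Mailboxes&reqId=1 443 CORP\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""


def parse_iis_w3c(log_text: str) -> List[Dict[str, str]]:
    """Parse W3C log text into dicts keyed by the names in the #Fields directive."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue  # other directives and blank lines
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def find_viewstate_attempts(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return ECP requests whose query string carries a __VIEWSTATE parameter."""
    hits: List[Dict[str, str]] = []
    for row in rows:
        stem = row.get("cs-uri-stem", "").lower()
        query = row.get("cs-uri-query", "-")
        if not stem.startswith("/ecp/") or query == "-":
            continue
        params = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if "__viewstate" in params:
            hits.append({
                "time": f"{row.get('date', '')} {row.get('time', '')}",
                "client_ip": row.get("c-ip", ""),
                "user": row.get("cs-username", ""),
                "status": row.get("sc-status", ""),
                "user_agent": row.get("cs(User-Agent)", ""),
            })
    return hits


if __name__ == "__main__":
    for hit in find_viewstate_attempts(parse_iis_w3c(SAMPLE_IIS_LOG)):
        print(hit)
```

A hit tells you which account’s credentials were used and from where, which matters because the bug requires a valid mailbox login: the flagged user’s password should be treated as compromised whether or not the exploit succeeded. Failed attempts also tend to surface as ViewStateException errors in the Application event log (source MSExchange Control Panel, event ID 4), which are worth correlating with these hits; a successful one leaves no such error, so absence of the event is not evidence of absence.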

Milena Dimitrova
