82% of Vulnerable Microsoft Exchange Servers Remain Unpatched
Weeks after DHS CISA warned hackers are targeting a critical vulnerability found in Microsoft Exchange servers, new research shows 80 percent of these flawed devices remain unpatched.
A few weeks after the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers were targeting a critical Microsoft Exchange server vulnerability, a new Rapid7 report shows that 80 percent of these devices remain unpatched.
On March 12, CISA released insights into the CVE-2020-0688 flaw in the Exchange mail and calendaring server control panel, where the server fails to properly create unique keys during the install. With knowledge of the validation key, an authenticated user with a mailbox would be able to pass “arbitrary objects to be deserialized by the web application, which runs as SYSTEM.”
According to Volexity researchers, a successful exploit can occur when three criteria are met: the flaw has not been patched, the threat actor can reach the Exchange Control Panel (ECP) interface, and the threat actor holds active credentials for the affected control panel, which are used to collect the ViewStateKey from the authenticated session cookie.
Microsoft warned it was an attractive target for hackers given a successful exploit would allow them to take control of an affected device. While the tech giant released a patch for the flaw in February, hackers were actively targeting the vulnerability in unpatched systems.
“The credential leveraged by the attacker does not need to be highly privileged or have ECP access,” researchers noted. “In some cases the attackers appear to have been waiting for an opportunity to strike with credentials that had otherwise been of no use.”
Despite these warnings, Rapid7 shows that more than 357,629 Exchange servers remain vulnerable to the attacks that would “allow an attacker to turn any stolen Exchange user account into a complete system compromise. In many implementations, this could be used to completely compromise the entire Exchange environment (including all email) and potentially all of Active Directory.”
Rapid7 leveraged its research tool dubbed Project Sonar to survey the internet for publicly facing Exchange Outlook Web App (OWA) services and found at least 82.5 percent of the observed 433,464 Exchange servers were vulnerable.
Further, researchers believe that some servers marked safe are actually still unpatched.
“Our remote, unauthenticated check doesn’t provide the version precision we’d need in order to be sure and our testing found that the related Microsoft update wasn’t always updating the build number, which leads to a degree of uncertainty,” researchers wrote.
More alarmingly, the researchers found a shocking number of devices that are missing other critical updates. In total, there are more than 31,000 Exchange servers that have not been updated in the last eight years, since 2012. Another 800 Exchange 2010 servers have never been updated.
There are also a “concerning number” of Exchange 2007 and 2010 servers. The 2007 version was transitioned into the End of Support status more than three years ago in April 2017, which means no updates, bug fixes, or other security support measures have been applied since that date.
Exchange 2010 will reach End of Support status on October 13 of this year.
“There are over 166,000 of these servers connected to the internet. That’s a staggering number of enterprise class mail systems that will be unsupported in a few months,” researchers explained.
Organizations must take two critical actions to address the risk posed by these vulnerabilities. The most important is to verify that the enterprise's Exchange servers have been updated. In healthcare, many providers struggle with applying critical patches and other updates, increasing the risk of compromise.
Specifically, the update for CVE-2020-0688 must be installed on any server operating with the Exchange Control Panel (ECP) enabled, such as servers with the Client Access Server (CAS) role that allows users to access the Outlook Web App (OWA).
“The most reliable method to determine whether the update is installed is by checking patch management software, vulnerability management tools, or the hosts themselves to determine whether the appropriate update has been installed,” researchers wrote.
“There are alternative methods for determining which version of software is installed, but you need to keep in mind that they either don’t provide the full build number or, as in the case of the PowerShell command and Exchange Admin Center, do not update the build number to reflect the correct build as shown on the update download page,” they added.
Rapid7 also provided technical guidance for determining whether the enterprise is operating with the impacted software, as well as technical methods for determining whether a system shows signs of compromise.