Threat actors are actively scanning the Internet for Microsoft Exchange servers affected by the CVE-2020-0688 remote code execution flaw that Microsoft patched two weeks ago.
The vulnerability exists in the Exchange Control Panel (ECP) component and stems from the fact that Exchange Server fails to properly create unique cryptographic keys at the time of installation. This flaw allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on a server and fully compromise it.
«The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter», explained Simon Zuckerbraun from Zero Day Initiative in a technical report describing the inner workings of the vulnerability.
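As an added defender-side example (not from the article, ZDI, or Microsoft): a small Python check that parses an ASP.NET web.config, flags a static machineKey, and fingerprints the key pair so an administrator can see which servers in a fleet still share one. The host names and key values below are constructed placeholders, not Exchange's real keys.

```python
# Added example: inspect an ASP.NET web.config for a static <machineKey>.
# CVE-2020-0688 exists because every Exchange installation shipped the same
# validationKey/decryptionKey, so ViewState could be forged by anyone who knew
# them. Fingerprinting (rather than printing) the keys lets a fleet-wide report
# show which hosts still share one key pair without exposing the secrets.
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real ones.
STATIC_CFG = """<configuration><system.web>
  <machineKey validationKey="CONSTRUCTED0000AAAA" decryptionKey="CONSTRUCTED0000BBBB"
              validation="SHA1" decryption="3DES"/>
</system.web></configuration>"""
OTHER_STATIC_CFG = STATIC_CFG.replace("AAAA", "CCCC")
AUTO_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>"""


def inspect_machine_key(web_config_xml: str) -> dict:
    """Summarise the <machineKey> element of a web.config document."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        # No explicit element: ASP.NET falls back to auto-generated keys.
        return {"present": False, "static": False, "fingerprint": None}
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    static = not (vkey.startswith("AutoGenerate") or dkey.startswith("AutoGenerate"))
    fingerprint = None
    if static:
        # Short SHA-256 of both keys: comparable across hosts, safe to report.
        fingerprint = hashlib.sha256(f"{vkey}|{dkey}".encode()).hexdigest()[:16]
    return {"present": True, "static": static, "fingerprint": fingerprint}


def find_shared_keys(configs: dict) -> dict:
    """Map fingerprint -> hosts for every static key pair used by more than one host."""
    groups = {}
    for host, xml_text in configs.items():
        info = inspect_machine_key(xml_text)
        if info["static"]:
            groups.setdefault(info["fingerprint"], []).append(host)
    return {fp: hosts for fp, hosts in groups.items() if len(hosts) > 1}


if __name__ == "__main__":
    fleet = {"ex1": STATIC_CFG, "ex2": STATIC_CFG, "ex3": AUTO_CFG, "ex4": OTHER_STATIC_CFG}
    for fp, hosts in find_shared_keys(fleet).items():
        print(f"key fingerprint {fp} shared by: {', '.join(hosts)}")
```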
The researcher also provided a demo of how to exploit the above-mentioned flaw and how to use the fixed cryptographic keys as part of an attack against an unpatched server.
Now security researcher Kevin Beaumont has reported mass scanning for CVE-2020-0688 (the Microsoft Exchange 2007+ RCE vulnerability).
To exploit this issue, attackers only have to find an Exchange server exposed online, collect email addresses from the Outlook Web Access (OWA) portal, and use data from previous data breaches to perform a credential stuffing attack. Once logged in to the server, they can gain full control of it by exploiting CVE-2020-0688, BleepingComputer explains.
According to Beaumont, the process can be automated with open-source tools available online, and these tools are currently being actively used by malicious actors in the wild.
“There are open source tools which take the input of a company page on LinkedIn, dump all the employee names then hammer Outlook Web App with authentication attempts via credential stuffing. These tools are used in active attacks, to gain OWA and ECP access,” Beaumont said.
Since there is currently no workaround available, researchers urge administrators to patch their servers before attackers spot them and exploit the CVE-2020-0688 flaw.