A patch has been released for a significant vulnerability in Microsoft Exchange Servers, and firms should update their systems as soon as possible. The vulnerability allows remote code execution and it won’t be long before an exploit is seen in the wild.
What is it?
When it was first identified, the vulnerability (CVE-2020-0688) was thought to be caused by corrupt memory and could be exploited via email. But Microsoft have since revised this opinion to reflect the work of an anonymous researcher, who discovered it was due to the use of fixed cryptographic keys. Essentially, every Microsoft Exchange Server uses the same validation and decryption keys in the web configuration file, meaning the data can be reused from a previously authenticated session. An attacker can then send malicious code as ViewState data - which keeps the page running - which can then be authenticated and run by applications within the ASP.NET framework. This can be leveraged to gain system control access.
What to do now?
A patch has been released to randomly generate keys for each installation of Microsoft Exchange Server and firms should apply it as soon as possible. A proof of concept video has been published, with hackers apparently actively scanning for vulnerable servers – a real world exploit can’t be far behind.
“…if you’re an Exchange Server administrator, you should treat this as a Critical-rated patch and deploy it as soon as your testing is complete. Microsoft lists this with an Exploit Index of 1, which means they expect to see exploits within 30 days of the patch release.”