Attacks Observed in the Wild Exploiting CVE-2020-0688 (Microsoft Exchange Validation Key Remote Code Execution Vulnerability)

Description

FortiGuard Labs is aware of reports of active exploitation of CVE-2020-0688 - Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Active in-the-wild attacks were first observed by Twitter user Troy Mursch (@bad_packets). The vulnerability was disclosed by an anonymous researcher to the Zero Day Initiative. According to the original February Microsoft Security Advisory for CVE-2020-0688, a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.


Essentially, the proof of concept highlights that an attacker who has obtained the active credentials of a Microsoft Exchange user can obtain SYSTEM-level privileges via an internet-facing application, such as Outlook Web Access (OWA). Because of this vulnerability, the attacker can execute arbitrary code remotely on an Exchange server at SYSTEM level, regardless of the privileges assigned to the compromised Microsoft Exchange user.


What are the specifics of the vulnerability?

The vulnerability exists in the Exchange Control Panel (ECP) component. In the web.config file of Microsoft Exchange, the keys installed are static rather than randomly generated: the same validationKey and decryptionKey appear across all installations of Microsoft Exchange. Because the keys are static, an attacker can compel the server into deserializing maliciously crafted data, specifically ViewState data, which is server-side state that ASP.NET applications store on the client machine. Known open-source deserialization tooling can be used to craft such objects, and their unsafe deserialization causes .NET code to execute on the host in the context of ECP, which runs as SYSTEM.
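A defender-side check that follows from this, added here as an example and not FortiGuard's or Microsoft's code: given web.config contents collected from several Exchange servers (the collection step is assumed to have happened already; the sample contents below are constructed, with placeholder key values rather than the real default keys), report any fixed validationKey/decryptionKey pair that appears on more than one server.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents, as if already collected from four
# Exchange servers. Key values are placeholders, not the real default keys.
CFG = '<configuration><system.web>{}</system.web></configuration>'
SAMPLE_CONFIGS = {
    "exch01": CFG.format('<machineKey validationKey="1111AAAA" '
                         'decryptionKey="2222BBBB" validation="SHA1"/>'),
    "exch02": CFG.format('<machineKey validationKey="1111AAAA" '
                         'decryptionKey="2222BBBB" validation="SHA1"/>'),
    "exch03": CFG.format('<machineKey validationKey="3333CCCC" '
                         'decryptionKey="4444DDDD" validation="SHA1"/>'),
    "exch04": CFG.format('<machineKey validationKey="AutoGenerate,IsolateApps" '
                         'decryptionKey="AutoGenerate,IsolateApps"/>'),
}

def extract_machine_key(web_config_xml):
    """Return the validationKey/decryptionKey attributes of <machineKey>."""
    root = ET.fromstring(web_config_xml)
    mk = next(root.iter("machineKey"), None)
    if mk is None:
        raise ValueError("no <machineKey> element in web.config")
    return {"validationKey": mk.get("validationKey"),
            "decryptionKey": mk.get("decryptionKey")}

def is_static(value):
    """ASP.NET 'AutoGenerate' keys are derived per machine; a literal hex
    value is a fixed key that may be identical on other installations."""
    return value is not None and "AutoGenerate" not in value

def find_shared_keys(configs):
    """Group servers by static (validationKey, decryptionKey) pair and keep
    only pairs used by more than one server: those are the finding."""
    by_pair = defaultdict(list)
    for server, xml in configs.items():
        mk = extract_machine_key(xml)
        if is_static(mk["validationKey"]) and is_static(mk["decryptionKey"]):
            by_pair[(mk["validationKey"], mk["decryptionKey"])].append(server)
    return {pair: sorted(servers) for pair, servers in by_pair.items()
            if len(servers) > 1}

if __name__ == "__main__":
    for (vkey, _), servers in find_shared_keys(SAMPLE_CONFIGS).items():
        print(f"validationKey {vkey} shared by: {', '.join(servers)}")
```

A pair shared by every server in the fleet is exactly the condition the advisory describes; applying the February 2020 update is the fix, and this check only confirms the exposure.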


What versions of software are affected?

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 14

Microsoft Exchange Server 2016 Cumulative Update 15

Microsoft Exchange Server 2019 Cumulative Update 3

Microsoft Exchange Server 2019 Cumulative Update 4


Have there been reports of in the wild exploitation?

Yes. Third-party researchers have observed active in-the-wild attacks at this time. Microsoft has not commented publicly confirming this. Attribution is unknown at this time.


Any suggestions or mitigations?

FortiGuard Labs suggests that customers running Microsoft Exchange Server apply this month's February 2020 updates as soon as possible. If that is not possible, it is recommended that external access to web-facing applications such as Outlook Web Access be disabled. Administrators should require all email users on the corporate network to update their passwords immediately, so that credentials that may have leaked elsewhere are no longer valid. It is also suggested that organizations ensure two-factor authentication (2FA) is enabled as an additional layer of protection.


What is the status of AV and IPS coverage?

IPS coverage has been created for CVE-2020-0688 as MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution and was released in IPS definitions version 15.786.

AV coverage is not feasible for this event.


MITRE ATT&CK

Exploit Public-Facing Application

ID: T1190

Tactic: Initial Access


Exploitation for Privilege Escalation

ID: T1068

Tactic: Privilege Escalation