Threat Signal Report

Attacks Observed in the Wild Exploiting CVE-2020-0688 (Microsoft Exchange Validation Key Remote Code Execution Vulnerability)

Description

FortiGuard Labs is aware of reports of active exploitation of CVE-2020-0688, the Microsoft Exchange Validation Key Remote Code Execution Vulnerability. Active in-the-wild attacks were first observed by Twitter user Troy Mursch (@bad_packets). The vulnerability was disclosed to the Zero Day Initiative by an anonymous researcher. According to the original February Microsoft Security Advisory for CVE-2020-0688, a remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.


Essentially, the proof of concept shows that an attacker who has obtained valid credentials for a Microsoft Exchange user can gain SYSTEM-level privileges through an internet-facing application such as Outlook Web Access (OWA). Because of this vulnerability, the attacker can execute arbitrary code remotely on an Exchange server as SYSTEM, regardless of the privileges assigned to the compromised Microsoft Exchange user.


What are the specifics of the vulnerability?

The vulnerability exists in the Exchange Control Panel (ECP) component. In the web.config file of Microsoft Exchange, the keys installed at run time are static rather than randomly generated, so the same validationKey and decryptionKey are present across all installations of Microsoft Exchange. Because the keys are static, an attacker can compel the server to deserialize maliciously crafted data, specifically ViewState data, which is server-side state that ASP.NET applications store on the client machine. Using known open-source deserialization tools to produce objects that are then unsafely deserialized can cause .NET code to be executed on the host in the context of ECP, which runs as SYSTEM.
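The static-key condition described above is something a defender can audit across a fleet. The following Python is an added example, not code from FortiGuard, Microsoft or the report: it parses a web.config `<machineKey>` element, flags explicit (non-AutoGenerate) keys, and reports any key value that appears on more than one host, which is the pattern behind CVE-2020-0688. The configuration samples and key values are constructed placeholders, not the real Exchange values.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTO = "autogenerate"  # ASP.NET default: the runtime derives a per-machine key


def is_static_key(value: Optional[str]) -> bool:
    """An explicit key literal in web.config is 'static': every host that
    ships this file gets the same key. 'AutoGenerate[,IsolateApps]' is not."""
    return value is not None and not value.strip().lower().startswith(AUTO)


@dataclass
class MachineKeyFinding:
    present: bool
    validation_key: Optional[str]
    decryption_key: Optional[str]
    validation_alg: Optional[str]
    decryption_alg: Optional[str]

    @property
    def has_static_keys(self) -> bool:
        return is_static_key(self.validation_key) or is_static_key(self.decryption_key)


def audit_machine_key(config_xml: str) -> MachineKeyFinding:
    """Locate <machineKey> anywhere in the config and report its attributes."""
    root = ET.fromstring(config_xml)
    mk = next(root.iter("machineKey"), None)  # exact tag match, no path parsing
    if mk is None:  # absent element means ASP.NET auto-generates per machine
        return MachineKeyFinding(False, None, None, None, None)
    return MachineKeyFinding(True, mk.get("validationKey"), mk.get("decryptionKey"),
                             mk.get("validation"), mk.get("decryption"))


def find_shared_keys(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Given {hostname: web.config text}, return static key values that appear
    on more than one host. Independent installs should never share a key."""
    hosts_by_key = defaultdict(list)
    for host, cfg in configs.items():
        finding = audit_machine_key(cfg)
        for key in (finding.validation_key, finding.decryption_key):
            if is_static_key(key):
                hosts_by_key[key].append(host)
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) > 1}


# Constructed samples; the key strings are PLACEHOLDERS, not real Exchange keys.
STATIC_CFG = """<configuration><system.web>
  <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_0000"
              decryptionKey="PLACEHOLDER_DECRYPTION_KEY_0000"
              validation="SHA1" decryption="3DES"/></system.web></configuration>"""
AUTO_CFG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>"""
```

In practice, pass `find_shared_keys` the web.config text collected from each Exchange server; any key reported as shared should be treated as vendor-shipped rather than deployment-specific until proven otherwise.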


What versions of software are affected?

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 14

Microsoft Exchange Server 2016 Cumulative Update 15

Microsoft Exchange Server 2019 Cumulative Update 3

Microsoft Exchange Server 2019 Cumulative Update 4


Have there been reports of in the wild exploitation?

Yes. Third-party researchers have observed active in-the-wild attacks at this time. Microsoft has not publicly confirmed this. Attribution is unknown at this time.


Any suggestions or mitigations?

FortiGuard Labs suggests that customers running Microsoft Exchange Server apply this month's February 2020 updates as soon as possible. Where that is not possible, it is recommended that external access to web-facing applications such as Outlook Web Access be disabled. Administrators should require all email users within the corporate network to change their passwords immediately, so that credentials that may have been leaked elsewhere are no longer valid. It is also suggested that organizations ensure two-factor authentication (2FA) is enabled as an additional layer of protection.


What is the status of AV and IPS coverage?

IPS coverage has been created for CVE-2020-0688 as MS.Exchange.Validation.Key.ViewState.Remote.Code.Execution and was released in IPS definitions version 15.786.

AV coverage is not feasible for this event.


MITRE ATT&CK

Exploit Public-Facing Application

ID: T1190

Tactic: Initial Access


Exploitation for Privilege Escalation

ID: T1068

Tactic: Privilege Escalation


Definitions

Traffic Light Protocol

Color / When should it be used? / How may it be shared?

TLP: RED

Not for disclosure, restricted to participants only.
Sources may use TLP:RED when information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused. Recipients may not share TLP:RED information with any parties outside of the specific exchange, meeting, or conversation in which it was originally disclosed. In the context of a meeting, for example, TLP:RED information is limited to those present at the meeting. In most circumstances, TLP:RED should be exchanged verbally or in person.

TLP: AMBER

Limited disclosure, restricted to participants’ organizations.
Sources may use TLP:AMBER when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved. Recipients may only share TLP:AMBER information with members of their own organization, and with clients or customers who need to know the information to protect themselves or prevent further harm. Sources are at liberty to specify additional intended limits of the sharing: these must be adhered to.

TLP: GREEN

Limited disclosure, restricted to the community.
Sources may use TLP:GREEN when information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector. Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

TLP: WHITE

Disclosure is not limited.
Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.