Attackers Look Around for Microsoft Exchange Servers Vulnerable to CVE-2020-0688

Delaware, USA – February 27, 2020 – Just a day after the publication of technical details about the flaw, adversaries began to actively scan the Internet in search of vulnerable Microsoft Exchange Servers. CVE-2020-0688 is a remote code execution flaw, and the latest Microsoft Patch Tuesday contained an update to fix it. “A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time,” Microsoft’s security advisory said. “Knowledge of a validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM. The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.”

Microsoft did not mark the severity of CVE-2020-0688 as critical, but adversaries can take over the Exchange server if they have the credentials of any enterprise user. That gives them an entry point into the organization’s network and access to corporate email communications. This Tuesday, security researcher Simon Zuckerbraun published a detailed report on the CVE-2020-0688 vulnerability and described how it can be exploited in attacks targeting an unpatched server. It is not known who is behind the scans, but exploitation of this vulnerability will interest both financially motivated and state-sponsored groups. Patch your Exchange Servers as soon as possible. You can also use the exclusive rule published on Threat Detection Marketplace to spot attempts to exploit this flaw.
CVE-2020-0688: Remote Code Execution on Microsoft Exchange Server Through Fixed Cryptographic Keys –