Through the Zero Day Initiative (ZDI) vulnerability disclosure program, an anonymous researcher reported a critical security flaw affecting all currently supported versions of Microsoft Exchange Server. If exploited, the vulnerability lets an authenticated attacker run arbitrary code on the Exchange server with SYSTEM privileges, which in turn gives full control over the organization's mail. The flaw is tracked as CVE-2020-0688.
The report was submitted to ZDI by an anonymous researcher. Since then, the technical details needed to exploit the flaw have been published on the Internet, so malicious groups could start exploiting it in the wild, exposing millions of users. Microsoft has released a security advisory urging customers to install the security updates, which were released a few days earlier.
Updates for this vulnerability were released on February 18 as part of Microsoft's monthly update package for February. However, this does not mean that all affected organizations install them immediately: updates are sometimes deferred to avoid downtime or unforeseen side effects, so thousands of deployments could
Even though the anonymous researcher noted that exploitation requires a valid user account, there are many ways to obtain a target user's login credentials, so this is only a minor obstacle. The report also specifies that organizations exposing Exchange, and in particular the Exchange Control Panel (ECP), directly to the Internet are most at risk.
The flaw resides in the Exchange Control Panel (ECP) component and has a quite simple cause: instead of generating unique keys for each installation, every Exchange Server installation ships with the same validationKey and decryptionKey values in the ECP web.config. These keys protect ViewState, the server-side page state that ASP.NET web applications store in serialized form on the client; the browser returns it to the server in the __VIEWSTATE parameter, and the server checks its MAC (computed with validationKey) before deserializing it. Because the keys are static and now publicly known, an authenticated attacker who knows their own ASP.NET session identifier and the page's __VIEWSTATEGENERATOR value can craft a ViewState blob that carries a valid MAC, and the server will deserialize the malicious object it contains. The February update addresses this by correcting how Exchange generates these keys during installation.
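The following Python model, added here as an illustration and not code from the original article, ZDI or Microsoft, shows why a shared machineKey is fatal. It reads a constructed web.config fragment (placeholder key values, not the real Exchange keys), then models the ViewState flow in simplified form: the server appends an HMAC keyed with validationKey to the serialized state and deserializes only when the HMAC matches. It deliberately does not reproduce the real ASP.NET MAC derivation, which is version-dependent; the point it demonstrates is that with a static key the attacker's forged __VIEWSTATE verifies on every installation, while a key generated per installation rejects it. Function names and the JSON "deserializer" standing in for ASP.NET's ObjectStateFormatter are assumptions of this example.

```python
"""Model of ViewState MAC forgery with a static machineKey (CVE-2020-0688 shape).

Added example, not the page's or Microsoft's code. Simplified: the real
ASP.NET MAC derivation differs; only the trust relationship is modelled.
"""
import base64
import hashlib
import hmac
import json
import secrets
import xml.etree.ElementTree as ET

# Constructed web.config fragment in the style of an ASP.NET machineKey element.
# Key values are placeholders chosen for this example, NOT the real Exchange keys.
STATIC_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <machineKey validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
                decryptionKey="FEDCBA9876543210FEDCBA9876543210"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def read_machine_key(web_config_xml):
    """Return explicit machineKey values, or None when they are auto-generated."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        return None
    v = mk.get("validationKey", "AutoGenerate")
    d = mk.get("decryptionKey", "AutoGenerate")
    if v.startswith("AutoGenerate") or d.startswith("AutoGenerate"):
        return None  # per-installation random keys: nothing for an attacker to reuse
    return {"validationKey": v, "decryptionKey": d, "validation": mk.get("validation")}


def fresh_key():
    """What a patched installation should have: a key nobody else shares."""
    return secrets.token_hex(24)


def _mac(key_hex, data, modifier):
    # HMAC-SHA1 over the state plus a modifier (in ASP.NET this mixes in the
    # page generator id and, for ECP, the session id used as ViewStateUserKey).
    return hmac.new(bytes.fromhex(key_hex), data + modifier, hashlib.sha1).digest()


def encode_viewstate(state, key_hex, modifier):
    """Server side: serialize, append MAC, base64 (the __VIEWSTATE value)."""
    data = json.dumps(state).encode()
    return base64.b64encode(data + _mac(key_hex, data, modifier)).decode()


def decode_viewstate(viewstate_b64, key_hex, modifier):
    """Server side: verify the MAC, and only then deserialize (the dangerous step)."""
    raw = base64.b64decode(viewstate_b64)
    data, tag = raw[:-20], raw[-20:]
    if not hmac.compare_digest(tag, _mac(key_hex, data, modifier)):
        return None  # MAC failure: real ASP.NET raises a ViewStateException here
    return json.loads(data)  # stand-in for ObjectStateFormatter deserialization


def forge_viewstate(key_hex, modifier, payload):
    """Attacker side: whoever holds validationKey can mint a valid __VIEWSTATE."""
    return encode_viewstate(payload, key_hex, modifier)


def attack_succeeds(server_key_hex, attacker_key_hex, modifier):
    """True if the server deserializes a blob forged with the attacker's key."""
    forged = forge_viewstate(attacker_key_hex, modifier, {"gadget": "attacker object"})
    return decode_viewstate(forged, server_key_hex, modifier) is not None


if __name__ == "__main__":
    # The attacker needs only their own authenticated session id and the page's
    # generator value to build the modifier; both are visible to a logged-in user.
    modifier = b"__VIEWSTATEGENERATOR|ASP.NET_SessionId"
    leaked = read_machine_key(STATIC_WEB_CONFIG)["validationKey"]
    print("shared static key, forged ViewState accepted:",
          attack_succeeds(leaked, leaked, modifier))
    print("per-install key, forged ViewState accepted:",
          attack_succeeds(fresh_key(), leaked, modifier))
```

Running the block prints True for the shared-key installation and False for the one with a freshly generated key: the MAC check is only as strong as the secrecy of validationKey, and a key that is identical on every installation is no secret at all. The same parsing routine is a reasonable starting point for auditing an ECP web.config after patching, checking that the machineKey no longer carries the values published for all installations.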
International Institute of Cyber Security (IICS) web application security specialists recommend that administrators of exposed deployments patch their systems as soon as possible and, until they do, avoid exposing the Exchange Control Panel directly to the Internet.