Thousands of Exchange Servers Still Lack Critical Patch
Rapid7 Researcher Calls Unpatched Microsoft Servers 'Dangerous as Hell'
Eight months after Microsoft issued a critical security update fixing a remote code execution flaw in Exchange Server, more than half of these mail servers in use remain vulnerable to exploits, according to the security firm Rapid7.
Rapid7 conducted a study in mid-September of more than 405,000 internet-facing servers running the Exchange Client Access Server service for Exchange 2010, 2013, 2016 and 2019 and found 61% were still vulnerable to being exploited by the flaw, which is tracked as CVE-2020-0688.
Tom Sellers, principal security researcher at Rapid7 Labs, urges organizations to check if the patch has been implemented and apply an update if needed.
"This is dangerous as hell and there is a reliable Metasploit module for it," Sellers noted.
Speaking of Exchange, we took another look at Exchange CVE-2020-0688 (any user -> SYSTEM on OWA).
It's STILL 61% unpatched.
This is dangerous as hell and there is a reliable Metasploit module for it.
See the UPDATED information on the ORIGINAL blog: https://t.co/DclWb3T0mZ
— Tom Sellers (@TomSellers) September 29, 2020
Sellers notes the update needs to be installed on any server with the Exchange Control Panel enabled. This will typically be servers with the Client Access Server role, which is where users would access the Outlook Web App.
The security flaw is a remote code execution vulnerability that exists in Exchange Server when the server fails to create unique keys at install time. Microsoft says the security update addresses the vulnerability by correcting how Exchange creates the keys during install.
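Because the flaw comes down to installs that do not generate unique keys, one fleet-wide check a defender can run is to compare the ASP.NET machineKey values across Exchange Control Panel hosts: any validationKey shared by two or more servers means the keys were never created uniquely. The script below is an added example, not Microsoft's or Rapid7's code; the ECP web.config path and the key strings are assumptions and placeholders, not values from this article.

```python
"""Added defender check for the CVE-2020-0688 root cause: Exchange installs
that share the same ASP.NET <machineKey> instead of unique per-install keys.
Assumed location of the real file (assumption, not stated in the article):
<ExchangeInstallPath>\\ClientAccess\\ecp\\web.config on each CAS-role server."""
import xml.etree.ElementTree as ET
from collections import defaultdict


def machine_key(web_config_xml: str) -> dict:
    """Return the attributes of the first <machineKey> element ({} if absent)."""
    root = ET.fromstring(web_config_xml)
    node = next(root.iter("machineKey"), None)
    return dict(node.attrib) if node is not None else {}


def shared_validation_keys(configs: dict) -> dict:
    """Map each validationKey used by more than one host to the list of hosts.
    A non-empty result means those installs did not get unique keys."""
    by_key = defaultdict(list)
    for host, xml in configs.items():
        key = machine_key(xml).get("validationKey")
        if key:
            by_key[key].append(host)
    return {k: hosts for k, hosts in by_key.items() if len(hosts) > 1}


def _cfg(validation_key: str, decryption_key: str) -> str:
    """Build a minimal web.config with a <machineKey> (constructed sample)."""
    return ('<configuration><system.web><machineKey validationKey="%s" '
            'decryptionKey="%s" validation="SHA1" decryption="3DES"/>'
            '</system.web></configuration>' % (validation_key, decryption_key))


# Constructed sample fleet: EX01 and EX02 share one static key (the unpatched
# pattern); EX03 carries a per-install key.  All key strings are placeholders.
SAMPLE_CONFIGS = {
    "EX01": _cfg("STATIC-VALIDATION-KEY-PLACEHOLDER", "STATIC-DECRYPTION-KEY-PLACEHOLDER"),
    "EX02": _cfg("STATIC-VALIDATION-KEY-PLACEHOLDER", "STATIC-DECRYPTION-KEY-PLACEHOLDER"),
    "EX03": _cfg("UNIQUE-KEY-EX03-PLACEHOLDER", "UNIQUE-DEC-EX03-PLACEHOLDER"),
}


def report(configs: dict = SAMPLE_CONFIGS) -> list:
    """One finding per shared key, for a ticket or patch-tracking note."""
    return ["%s share validationKey %s...: confirm the CVE-2020-0688 update on each"
            % (", ".join(hosts), key[:8])
            for key, hosts in shared_validation_keys(configs).items()]


if __name__ == "__main__":
    for line in report():
        print(line)
```

With a single server there is nothing to compare against, so this check is only meaningful across two or more Exchange Control Panel hosts.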
Rapid7 noted in an April report that patching was going slowly, with only 20% of vulnerable servers having been updated one month after the fix was issued (see: Microsoft Exchange: 355,000 Servers Lack Critical Patch).
Importance of Patching
Chris Yule, director of the threat research capability at cybersecurity firm Secureworks, says nation-state attackers and crime gangs continue to scan for these types of vulnerabilities.
"Almost every incident, whether it's post-intrusion ransomware or something else, will start with a software vulnerability," Yule said in a presentation on Thursday at the ScotSoft conference in Edinburgh, Scotland, which was held virtually.
Yule highlighted four vulnerabilities as being among the most targeted over the past year:
- CVE-2020-0688: A Microsoft Exchange validation key remote-code execution flaw;
- CVE-2019-1978: A Citrix NetScaler ADC directory traversal flaw;
- CVE-2019-11510: A Pulse Connect Secure VPN flaw;
- CVE-2019-0604: A Microsoft SharePoint remote-code execution flaw.
Microsoft Weighs In
In June, Microsoft tried to jump-start the patching process with a post from its Defender ATP Research Team imploring Exchange Server operators to implement the fix. It noted that any threat or vulnerability affecting Exchange servers should be treated with the highest priority because these servers typically contain critical business data as well as highly privileged accounts that attackers attempt to compromise to gain admin rights to the server and, consequently, complete control of the network.
"If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions," according to Microsoft.
Executive Editor Mathew Schwartz contributed to this report.