All supported versions of Microsoft Exchange Server are vulnerable to CVE-2020-0688; exploit now available

Through the Zero Day Initiative (ZDI) vulnerability disclosure platform, a web application security specialist reported a critical security flaw affecting every currently supported version of Microsoft Exchange Server. If exploited, the vulnerability lets an authenticated attacker execute arbitrary code on the Exchange server with SYSTEM privileges, which amounts to a full takeover of the organization's mail infrastructure. The flaw is tracked as CVE-2020-0688.

The report was submitted to ZDI by an anonymous researcher. Technical details and proof-of-concept exploit code have since been published on the Internet, so malicious hacker groups could start exploiting this flaw in the wild, putting a large number of organizations at risk. Microsoft has released a security advisory asking customers to install the security patches published a few days earlier.

Patches for this vulnerability were released on February 11, 2020 as part of Microsoft's monthly update package for February. That does not mean every affected organization has installed them: Exchange updates are often deferred to avoid downtime or unforeseen side effects, so thousands of deployments could remain exposed.

Even though the anonymous researcher noted that exploitation requires an authenticated user, any valid mailbox credential is enough, and there are many ways to obtain one (phishing, password spraying, credential stuffing, reused passwords from earlier breaches), so this is only a minor obstacle. The report also points out that companies exposing the Exchange Control Panel directly to the Internet are at the greatest risk.

The flaw resides in the Exchange Control Panel (ECP) component and has a surprisingly simple cause: instead of generating unique keys for each installation, every Exchange Server installation shipped with the same validationKey and decryptionKey values in the machineKey element of the ECP web.config.

These keys protect ViewState, the server-side page state that ASP.NET web applications serialize and store on the client. The client sends it back to the server in the __VIEWSTATE form parameter, and the server verifies the MAC over it (computed with validationKey) before deserializing the contents. Because that key is identical on every installation, anyone who can log in can sign a ViewState payload of their own choosing, and the server, seeing a valid MAC, deserializes it; a suitable serialization gadget then yields code execution as SYSTEM. The patch replaces the shared keys with per-installation values, which is why a ViewState signed with the old key is rejected on an updated server.
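The following Python model, added here as an illustration and not part of the original article or of any Exchange or ZDI code, shows why a static validationKey defeats ViewState MAC protection. It deliberately simplifies ASP.NET: the state is JSON rather than ObjectStateFormatter output, the "gadget" records the command it would run instead of running it, and the static key, the type names and the command are constructed stand-ins, not the real Exchange values. What it does show accurately is the trust relationship: the MAC is the only check before deserialization, so whoever knows the key decides what gets deserialized.

```python
import base64
import hashlib
import hmac
import json
import os

# Simplified model of ASP.NET ViewState MAC protection (validationalg HMAC-SHA1):
#   __VIEWSTATE = base64( serialized_state || HMAC-SHA1(validationKey, serialized_state) )
# Real ASP.NET uses ObjectStateFormatter instead of JSON; the trust model is the same.
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes

# Constructed stand-in for the key shared by every pre-patch installation.
# This is NOT the real Exchange value; it only has to be the same on "attacker" and "server".
STATIC_KEY = b"constructed-key-shared-by-all-installs"

# Records what the toy gadget *would* have executed, instead of executing anything.
EXECUTED = []


def gadget_process_start(state):
    """Stand-in for a deserialization gadget whose construction has side effects."""
    EXECUTED.append(state["cmd"])
    return None


# The deserializer instantiates whatever type name the data carries, which is the
# core problem with deserializing untrusted input: the attacker picks the type.
TYPE_REGISTRY = {
    "TextBoxState": lambda state: state,   # ordinary, harmless page state
    "ProcessStart": gadget_process_start,  # harmful if reachable with attacker-controlled input
}


def sign_viewstate(state: dict, validation_key: bytes) -> str:
    """Server side: serialize the page state and append an HMAC-SHA1 over it."""
    serialized = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, serialized, hashlib.sha1).digest()
    return base64.b64encode(serialized + mac).decode()


def load_viewstate(blob: str, validation_key: bytes):
    """Server side: verify the MAC, then deserialize. Returns None on a bad MAC."""
    raw = base64.b64decode(blob)
    serialized, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, serialized, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # ASP.NET would raise "Validation of viewstate MAC failed"
    state = json.loads(serialized)
    return TYPE_REGISTRY[state["$type"]](state)


def attacker_forges_viewstate(known_key: bytes) -> str:
    """Attacker side: with validationKey in hand, mint a MAC-valid malicious ViewState."""
    return sign_viewstate({"$type": "ProcessStart", "cmd": "whoami"}, known_key)


def demo_static_key() -> list:
    """Pre-patch situation: server and attacker share the same validationKey."""
    EXECUTED.clear()
    forged = attacker_forges_viewstate(STATIC_KEY)
    load_viewstate(forged, STATIC_KEY)  # MAC checks out, gadget runs
    return list(EXECUTED)  # ["whoami"]


def demo_per_install_key() -> bool:
    """Patched situation: the server's key is random per installation; the forgery is rejected."""
    EXECUTED.clear()
    server_key = os.urandom(32)
    forged = attacker_forges_viewstate(STATIC_KEY)  # attacker still only has the old shared key
    rejected = load_viewstate(forged, server_key) is None
    return rejected and EXECUTED == []


if __name__ == "__main__":
    print("static key, attacker payload reached deserializer:", demo_static_key())
    print("per-install key, forgery rejected:", demo_per_install_key())
```

The legitimate round trip (a TextBoxState signed and loaded with the same key) works in both scenarios; only the attacker's ability to produce a valid MAC changes. Note that rotating to a random key is also why administrators should not copy machineKey values between servers after patching, unless they are deliberately building a web farm that must share ViewState.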

International Institute of Cyber Security (IICS) web application security specialists recommend that administrators of exposed deployments patch their systems as soon as possible and, in the meantime, review whether the Exchange Control Panel needs to be reachable from the Internet at all.