An analysis of public-facing Exchange servers by Rapid7 has revealed that 82.5% are still vulnerable to a critical remote code execution vulnerability in the Exchange Control Panel (ECP) that Microsoft patched on the February 2020 Patch Tuesday. While the vulnerability can only be exploited post-authentication, all an attacker needs to exploit the flaw is a set of previously compromised email credentials. One successful phishing attack on an organization could provide those credentials.
When Microsoft released a patch for the vulnerability, tracked as CVE-2020-0688, the flaw was given an "Exploitation More Likely" rating, but even though the flaw is attractive to hackers, patching has been slow. According to Rapid7’s Project Sonar internet survey tool, there are 433,464 public-facing Exchange servers and more than 357,000 of them have still not been patched.
There are no mitigations or workarounds that can protect against exploitation of the vulnerability so the only option available to Exchange administrators is to apply the patch. As Rapid7 explained, if the flaw is exploited, the entire Exchange environment could be compromised, and potentially all of Active Directory.
Considering the amount of time that has passed since the patch was released, it is no longer just a case of applying the update. Exchange administrators will also need to investigate to determine whether the vulnerability has already been exploited.
First, Exchange administrators need to check to see if the update has been applied. The patch will need to be applied on all servers with Exchange Control Panel (ECP) enabled.
It should be possible to identify attempts to exploit the vulnerability by checking the Windows event log and the IIS logs on both patched and unpatched servers. “The exploit attempts show up in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4. This log entry will include the compromised user account as well as a very long error message that includes the text Invalid viewstate,” explained Rapid7. “You can also review your IIS logs for requests to a path under /ecp (usually /ecp/default.aspx), which contain the string __VIEWSTATE and __VIEWSTATEGENERATOR.” If the logs reveal there have been attempts to exploit the vulnerability, it should be assumed that the associated email accounts have been compromised.
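The two indicators quoted from Rapid7 above can be applied mechanically to exported logs. The following is an added example, not code from the article or from Rapid7: it parses an IIS W3C log, filters exported Application event log records on source, level, event ID and the "Invalid viewstate" text, and returns the set of accounts that the article says should be treated as compromised. Both data sets are constructed samples; the wording of the event message (the "Current user:" line used to extract the account) and the dict layout of the exported events are assumptions.

```python
"""Triage helper for the two CVE-2020-0688 indicators quoted from Rapid7.

Added example, not code from the article or from Rapid7. It assumes the
Application event log has been exported to a list of dicts with the keys
Source, Level, EventID and Message, and that the IIS log is in W3C extended
format with a #Fields: header. The "Current user: '...'" line in the event
message is an assumed format, used only to pull the account name out.
"""
import re
from urllib.parse import parse_qs

# Constructed sample event log records (three records, one real hit).
SAMPLE_EVENTS = [
    {"Source": "MSExchange Control Panel", "Level": "Error", "EventID": 4,
     "Message": ("Current user: 'CONTOSO\\jdoe'\r\n"
                 "Request for URL 'https://mail.example.test/ecp/default.aspx' failed "
                 "with the following error:\r\nSystem.Web.HttpException: Invalid viewstate. "
                 "[long serialized payload omitted in this constructed sample]")},
    # Same source and ID but not an Error: routine ECP noise, must not match.
    {"Source": "MSExchange Control Panel", "Level": "Warning", "EventID": 4,
     "Message": "Current user: 'CONTOSO\\asmith'\r\nRequest for URL ... timed out."},
    # Wrong source: 'Invalid viewstate' from another component is not this indicator.
    {"Source": "MSExchangeIS", "Level": "Error", "EventID": 4,
     "Message": "Invalid viewstate (unrelated)"},
]

# Constructed sample IIS W3C log. Values never contain spaces in this format
# (IIS encodes spaces in the User-Agent as '+'), so a plain split is safe.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-04-06 10:15:01 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=GEN_PLACEHOLDER&__VIEWSTATE=PAYLOAD_PLACEHOLDER 443 CONTOSO\jdoe 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 500
2020-04-06 10:15:02 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2020-04-06 10:16:30 10.0.0.5 POST /ecp/default.aspx - 443 CONTOSO\asmith 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) 200
2020-04-06 10:17:44 10.0.0.5 GET /ECP/default.aspx __VIEWSTATEGENERATOR=GEN_PLACEHOLDER&__VIEWSTATE=PAYLOAD_PLACEHOLDER 443 CONTOSO\bwayne 203.0.113.10 python-requests/2.22.0 500
2020-04-06 10:18:00 10.0.0.5 GET /ecp/default.aspx __VIEWSTATE=PAYLOAD_PLACEHOLDER 443 - 203.0.113.11 curl/7.64.0 302
"""

USER_RE = re.compile(r"Current user: '([^']+)'")  # assumed message layout


def parse_iis_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # a fresh header appears at every log rollover
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def suspicious_ecp_events(events):
    """Application log records matching the quoted indicator:
    source MSExchange Control Panel, level Error, event ID 4, 'Invalid viewstate' in the text."""
    hits = []
    for e in events:
        if (e.get("Source") == "MSExchange Control Panel"
                and e.get("Level") == "Error"
                and int(e.get("EventID", -1)) == 4
                and "Invalid viewstate" in e.get("Message", "")):
            m = USER_RE.search(e["Message"])
            hits.append({"user": m.group(1) if m else None, "message": e["Message"]})
    return hits


def suspicious_iis_requests(records):
    """Requests under /ecp (any case) whose logged query string carries both
    __VIEWSTATE and __VIEWSTATEGENERATOR as parameters."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "-")
        params = parse_qs(query, keep_blank_values=True) if query != "-" else {}
        if stem.startswith("/ecp") and "__VIEWSTATE" in params and "__VIEWSTATEGENERATOR" in params:
            hits.append(r)
    return hits


def accounts_to_treat_as_compromised(events, iis_lines):
    """Sorted union of accounts named by either indicator; '-' (anonymous) is not an account."""
    accounts = {h["user"] for h in suspicious_ecp_events(events) if h["user"]}
    accounts |= {r["cs-username"]
                 for r in suspicious_iis_requests(parse_iis_w3c(iis_lines))
                 if r.get("cs-username", "-") != "-"}
    return sorted(accounts)


if __name__ == "__main__":
    for r in suspicious_iis_requests(parse_iis_w3c(SAMPLE_IIS_LOG.splitlines())):
        print(f"{r['date']} {r['time']} {r['c-ip']} {r['cs-method']} {r['cs-uri-stem']} "
              f"user={r['cs-username']} status={r['sc-status']}")
    print("accounts to reset:", accounts_to_treat_as_compromised(SAMPLE_EVENTS, SAMPLE_IIS_LOG.splitlines()))
```

Requiring both parameters in the query string keeps ordinary ECP browsing (where the view state travels in a POST body and IIS logs only "-" for the query) out of the results, and the unauthenticated line in the sample shows why the account list is built from the hits rather than from every request that mentions __VIEWSTATE. On a real server, point `parse_iis_w3c` at the files under the ECP site's log directory and feed `suspicious_ecp_events` an export of the Application log filtered to the MSExchange Control Panel source.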
While it is concerning that the flaw has not yet been patched on so many Exchange servers, more worrying still was the discovery that there are more than 31,000 public-facing Exchange 2010 servers that have not been updated since 2012, and 800 active Exchange servers that have never received an update. Further, 10,731 Exchange 2007 servers were identified, even though support for that version ended in April 2017.