61% Microsoft Exchange Servers Are Unpatched, Vulnerable to Attack

Months after Microsoft released a software update for a memory corruption vulnerability found in its Exchange Servers, Rapid7 reports the majority remain unpatched and vulnerable to attack.

By Jessica Davis

The majority of Microsoft Exchange Servers have yet to be updated with a patch for a critical memory corruption vulnerability reported earlier this year, according to Rapid7. These unpatched servers are highly vulnerable to attack.

About eight months ago, Microsoft released a software update for CVE-2020-0688: a vulnerability found in the Exchange mail and calendaring control panel that fails to properly create unique keys during installation. With knowledge of the validation key, an authenticated user with a mailbox can employ “arbitrary objects to be deserialized by the web application, which runs as SYSTEM.” 

At the time, the tech giant, the National Security Agency, and the Department of Homeland Security warned the vulnerability was an attractive target for hackers as a successful exploit would allow them to take control of the victim’s system. 

In March, DHS warned hackers were actively targeting unpatched systems. Threat actors were observed exploiting the flaw to run system commands for reconnaissance, deploy web shell backdoor access through Microsoft Outlook on the web (OWA), and execute in-memory post-exploitation frameworks. 

By April, 82 percent of these vulnerable servers had yet to be patched, Rapid7 found. Two months later, Microsoft again urged organizations to patch this critical flaw, which advanced persistent threat (APT) actors continued to successfully target and exploit. 

Eight months after these reports, Rapid7 sought to determine whether organizations have heeded these warnings and surveyed the internet using Project Sonar to scan publicly facing Exchange OWA services. 

They found that only about 20 percent of those servers had been updated in that time; currently, 61 percent of Microsoft Exchange Servers remain unpatched. Researchers are concerned, “not just because of the number of servers missing the update for CVE-2020-0688, but also because of how many other updates are also missing.”

In light of the risks and continued slow pace of patching, Rapid7 is once again urging organizations to apply the software update. Entities must not only verify the software update has been deployed on these endpoints, but also check for signs of compromise. 

The update needs to be installed on any server with the Exchange Control Panel enabled; these are typically the servers holding the Client Access Server (CAS) role, where users access OWA.

“The most reliable method to determine whether the update is installed is by checking patch management software, vulnerability management tools, or the hosts themselves to determine whether the appropriate update has been installed,” researchers explained. 

“Note that these tools will likely not indicate that the update is missing if the Exchange Server isn't running a current version of the Exchange Cumulative Update or Rollup. These servers are still vulnerable,” they continued. 

Administrators should check for indicators of compromise in the Windows Application event log with source MSExchange Control Panel, level Error, and event ID 4, which is where exploit attempts are revealed. 

Researchers noted administrators may see portions of the encoded payload in the log entry that “will include the compromised user account, as well as a very long error message that includes the text Invalid viewstate.” 
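The log check described above, written out as an added example (this is not code from the article or from Rapid7): it queries the Application log for the source, level and event ID the researchers name and keeps only entries carrying the “Invalid viewstate” text. The function name and its parameters are this example's own; it assumes PowerShell 5.1 or later on the Exchange host or on a host with remote event log access.

```powershell
# Added example: surface CVE-2020-0688 exploit attempts from the Windows
# Application event log using the indicators described in the article.
# Function name and parameters are assumptions of this example.

function Get-Cve20200688Attempts {
    [CmdletBinding()]
    param(
        # Exchange server(s) to query; defaults to the local host.
        [string[]]$ComputerName = $env:COMPUTERNAME,
        # Start of the window to search. Older attempts are only visible if the
        # Application log has not already rolled over, so size this accordingly.
        [datetime]$StartTime = (Get-Date).AddDays(-30)
    )

    foreach ($computer in $ComputerName) {
        # Mirrors the indicator from the article: Application log,
        # source "MSExchange Control Panel", level Error (2), event ID 4.
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Control Panel'
            Level        = 2
            Id           = 4
            StartTime    = $StartTime
        }

        # Get-WinEvent raises an error instead of returning nothing when no event
        # matches; suppress that so an empty result simply means "no findings".
        $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter `
                               -ErrorAction SilentlyContinue

        foreach ($event in $events) {
            # Keep only entries with the "Invalid viewstate" text the article
            # identifies as the sign of a deserialization attempt.
            if ($event.Message -notmatch 'Invalid viewstate') { continue }

            [pscustomobject]@{
                Computer       = $computer
                TimeCreated    = $event.TimeCreated
                # The full message is very long and contains the affected user
                # account; keep a preview for triage and review the rest manually.
                MessagePreview = $event.Message.Substring(0, [Math]::Min(300, $event.Message.Length))
            }
        }
    }
}

# Usage: Get-Cve20200688Attempts -ComputerName 'EXCH01','EXCH02' | Format-List
```

Any hit should be treated as a host to investigate, not just to patch, since the article notes that successful exploitation leads to web shells and in-memory post-exploitation tooling.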

It’s imperative for healthcare organizations to immediately apply the software update, given the heightened threat landscape amid COVID-19. Ransomware threat actors commonly exploit vulnerabilities to gain a foothold on a network and propagate across it.

Further, Palo Alto Networks’ Unit 42 recently observed the malware variant Lucifer targeting a wide range of unpatched, high and critical Windows vulnerabilities for both denial-of-service attacks and cryptojacking.