Very few organizations have applied Microsoft’s patch for a dangerous Exchange email server flaw that was being exploited by multiple state-sponsored hacking groups within weeks of its release, according to new research by security company Rapid7.
The patch arrived in Microsoft’s February 11 Patch Tuesday, accompanied by a warning from Redmond that admins should patch as soon as possible because it anticipated future attacks on the remote code execution vulnerability.
Attackers started scanning the internet for vulnerable Exchange mail servers in late February, following the release of a technical report detailing how the bug worked, which was soon followed by several proof-of-concept exploits and a Metasploit module.
But now, nearly two months on, Rapid7 researchers using the company’s Project Sonar to scan the internet have identified that at least 357,629 Exchange servers are vulnerable to CVE-2020-0688, representing 82.5% of the 433,464 Exchange servers in the scan.
Worryingly, Rapid7’s Tom Sellers notes that the flaw allows attackers to “completely compromise the entire Exchange environment (including all email) and potentially all of Active Directory”, depending on how the server has been implemented.
Given the high value of Exchange environments, security experts fear that the vulnerability could become a favorite for ransomware attackers and a juicy target for APT attackers who can use it to read a company’s email store.
“The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA),” explained Sellers.
He also advised admins to determine whether attackers have attempted to exploit the Exchange vulnerability. Since attackers are required to have at least one valid credential for an email account on the Exchange server, Sellers notes that any account tied to attempted exploitation should be treated as compromised.
Researchers at Kenna Security ran two analyses of patching rates for the Exchange bug. In the first it estimated that just 15% of vulnerable Exchange servers have been patched. A second analysis using a scan of 22,000 internet-facing Outlook Web Access (OWA) servers found that 74% are vulnerable and 26% were potentially vulnerable.
“Drop everything and patch this vulnerability immediately. At present, this vulnerability presents more risk than most other vulnerabilities in the enterprise environment,” wrote Jonathan Cran, head of research at Kenna Security.
“If patching simply isn’t possible, block access to ECP. Ultimately, vulnerabilities like these make a strong case for upgrading to Office 365.”
Rapid7’s scan also identified over 31,000 Exchange 2010 servers that haven’t been patched since 2012 as well as nearly 800 Exchange 2010 servers that have never been updated.
It also found a high number of Exchange 2007 servers, which haven’t been supported since April 2017, and over 166,000 Exchange 2010 servers connected to the internet, which reach end of support on October 13.
“That’s a staggering number of enterprise-class mail systems that will be unsupported in a few months,” noted Sellers.