Hackers probing the Internet for vulnerable Microsoft Exchange servers

Threat actors are actively scanning the Internet for Microsoft Exchange servers affected by CVE-2020-0688, a remote code execution flaw that Microsoft patched two weeks ago.


The vulnerability exists in the Exchange Control Panel (ECP) component and stems from the fact that Exchange Server fails to properly create unique cryptographic keys at the time of installation. This flaw allows a remote, authenticated attacker to execute arbitrary code with SYSTEM privileges on a server and fully compromise it.


«The nature of the bug is quite simple. Instead of having randomly-generated keys on a per-installation basis, all installations of Microsoft Exchange Server have the same validationKey and decryptionKey values in web.config. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store in serialized format on the client. The client provides this data back to the server via the __VIEWSTATE request parameter», explained Simon Zuckerbraun from Zero Day Initiative in a technical report describing the inner workings of the vulnerability.
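A defender-side check for the condition described in the quote, as an added example (not code from the article or from the Zero Day Initiative report): it fingerprints the machineKey values found in web.config files gathered from several servers and reports hosts that carry identical static keys. Host names and key values are constructed, and how the files are collected is assumed.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample input: web.config fragments as they might be collected
# from four hypothetical servers. Host names and key values are made up.
_TPL = ('<configuration><system.web><machineKey validationKey="{vk}" '
        'decryptionKey="{dk}" validation="SHA1" /></system.web></configuration>')
SAMPLE_CONFIGS = {
    "ex01.example.test": _TPL.format(vk="AA11BB22CC33DD44", dk="0F1E2D3C4B5A6978"),
    "ex02.example.test": _TPL.format(vk="aa11bb22cc33dd44", dk="0f1e2d3c4b5a6978"),
    "ex03.example.test": _TPL.format(vk="9988776655443322", dk="1122334455667788"),
    "ex04.example.test": _TPL.format(vk="AutoGenerate,IsolateApps", dk="AutoGenerate"),
}


def _static(value):
    """Normalise a key attribute; auto-generated or missing keys become ''."""
    value = (value or "").strip()
    return "" if value.lower().startswith("autogenerate") else value.upper()


def key_fingerprint(web_config_xml):
    """SHA-256 fingerprint of the static machineKey pair, or None if the
    config carries no hard-coded keys. Hashing avoids printing key material."""
    node = next(ET.fromstring(web_config_xml).iter("machineKey"), None)
    if node is None:
        return None
    vk = _static(node.get("validationKey"))
    dk = _static(node.get("decryptionKey"))
    if not vk and not dk:
        return None
    return hashlib.sha256(f"{vk}|{dk}".encode()).hexdigest()


def shared_key_groups(configs):
    """Return sorted lists of hosts whose static machineKey values match."""
    groups = defaultdict(list)
    for host, xml_text in configs.items():
        fingerprint = key_fingerprint(xml_text)
        if fingerprint is not None:
            groups[fingerprint].append(host)
    return sorted(sorted(hosts) for hosts in groups.values() if len(hosts) > 1)


if __name__ == "__main__":
    for hosts in shared_key_groups(SAMPLE_CONFIGS):
        print("identical static machineKey on:", ", ".join(hosts))
```

Hosts that appear in a reported group hold the same validationKey and decryptionKey, which is the condition the quote describes for unpatched installations.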


The researcher also provided a demo showing how to exploit the above-mentioned flaw and how the fixed cryptographic keys can be used in an attack against an unpatched server.


Security researcher Kevin Beaumont has now reported mass scanning for CVE-2020-0688 (the Microsoft Exchange 2007+ RCE vulnerability).


To exploit this issue attackers only have to find an Exchange server exposed online, search for email addresses they collect from the Ou ..
