MS Exchange RCE Vulnerability Threat Intelligence Advisory

Summary

CloudSEK threat intelligence advisory on an MS Exchange RCE vulnerability, tracked as CVE-2020-16875, that lets attackers run commands with the highest user privileges.
Advisory Type: Vulnerability Intelligence
Vulnerability Type: Remote Code Execution
CVE: CVE-2020-16875
Platform: Microsoft Exchange Server, On-premise/Cloud
CVSS: 9.1
A Remote Code Execution (RCE) vulnerability in Microsoft Exchange Server affects Software-as-a-Service (SaaS) providers as well as on-premise Exchange deployments. An Exchange server, like other Microsoft products, supports PowerShell and uses the PowerShell Remoting interface to expose functionality to users and administrators. The critical flaw is reportedly present in one PowerShell cmdlet (a cmdlet is a lightweight command executed in the PowerShell environment), which allows a command supplied by the attacker to run on the target server with high privileges. The vulnerable cmdlet is New-DlpPolicy; the class that handles it is Microsoft.Exchange.MessagingPolicies.CompliancePrograms.Tasks.NewDlpPolicy within the C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Management.dll library. The New-DlpPolicy cmdlet lets users create a new DLP (data loss prevention) policy from template data supplied by the user, and that template data is not properly validated, so a malicious user can craft template data containing system commands and achieve RCE. The flaw can be exploited via the Exchange Control Panel (ECP) and via the PS-Remoting interface. An attack via the ECP can use HTTPS, which makes it easier to craft exploit modules for Metasploit; such modules are already available in the wild.

Impact

  • Attackers can execute commands (with the highest privilege) on the target system.
  • Corporate email accounts will face the risk of compromise.
  • Compromised email accounts can be used in phishing campaigns.
  • RCE will give the attackers the ability to leave backdoors on the servers.
  • Attackers can push the attack deeper into internal networks, using the compromised server as a pivot.

Mitigation

  • Patch Bypass - Security researchers were able to bypass the patch meant for CVE-2020-16875. The first patch bypass is dubbed CVE-2020-17132. Later a bypass for CVE-2020-17132 was discovered, and now a final patch is required to address the two other bypasses.
  https://support.microsoft.com/en-gb/help/4593465/description-of-the-security-update-for-microsoft-exchange-server-2019
  https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17132
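The two defender actions the advisory implies, inventorying Exchange builds so they can be compared with the patched builds in the Microsoft KB above, and hunting for New-DlpPolicy invocations that supplied raw template data via ECP or PS-Remoting, can be combined in one Exchange Management Shell script. This is an added example, not CloudSEK's or Microsoft's code; it assumes administrator audit logging is enabled and that the logged CmdletParameters expose Name and Value members.

```powershell
# Added example (not from the advisory). Run in the Exchange Management Shell on a
# server where administrator audit logging is enabled. Assumption: the admin audit log
# records cmdlets run through ECP and PS-Remoting alike, so New-DlpPolicy calls that
# carried caller-supplied template data are visible here.

# 1. Inventory: list every Exchange server and its build, to compare by hand against
#    the build numbers published in the KB article linked above.
Get-ExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion |
    Format-Table -AutoSize

# 2. Hunt: every New-DlpPolicy invocation in the last 90 days.
$since  = (Get-Date).AddDays(-90)
$events = Search-AdminAuditLog -Cmdlets New-DlpPolicy -StartDate $since

$findings = foreach ($evt in $events) {
    # Parameters are logged as a Name/Value collection (assumed property shape).
    # A call that passed its own template bytes (-TemplateData) instead of a
    # built-in template name is the case the vulnerability abuses.
    $params = @{}
    foreach ($p in $evt.CmdletParameters) { $params[$p.Name] = $p.Value }

    [pscustomobject]@{
        RunDate     = $evt.RunDate
        Caller      = $evt.Caller
        Succeeded   = $evt.Succeeded
        PolicyName  = $params['Name']
        RawTemplate = $params.ContainsKey('TemplateData')
        Parameters  = ($params.Keys -join ', ')
    }
}

# Raw-template calls first; review any from an account not expected to manage DLP.
$findings | Sort-Object RawTemplate, RunDate -Descending | Format-Table -AutoSize

# 3. Cross-check: DLP policies that exist now but have no audit entry were created
#    before the retention window or outside audited channels; review them by hand.
$auditedNames = @($findings | ForEach-Object PolicyName)
Get-DlpPolicy | Where-Object { $_.Name -notin $auditedNames } |
    Select-Object Name, State, Mode
```

The audit-log retention window (AdminAuditLogAgeLimit) bounds how far back step 2 can see, so an empty result is not proof that no policy was ever created.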
