On February 11, 2020, Microsoft patched every version of Exchange from 2010 to 2019 to address the CVE-2020-0688 “Validation Key Remote Code Execution” vulnerability. The patch addressed a weakness in the Exchange Control Panel (ECP) which has existed since its introduction in Exchange 2010. In a nutshell, instead of generating random per-installation cryptographic keys to secure communications, Exchange used the same key everywhere.
It’s obviously an embarrassing and worrisome oversight for Microsoft, especially since evidence has emerged that advanced persistent threat (APT) actors have started to probe for vulnerable servers. According to Volexity Threat Research, APTs have exploited the Exchange vulnerability to:
As Volexity point out, the obvious mitigation is to install the patch issued by Microsoft. And after you do that, consider whether you should still need to run Exchange on-premises servers. As I described last week, on-premises Exchange isn’t going away just yet. Some comments I received noted that Exchange servers operate in circumstances where cloud connectivity isn’t possible. But not everyone runs email on a submarine and my feeling is that there’s still a bunch of servers out there that would be better if replaced by Exchange Online.
Think about it this way. How quickly did every on-premises Exchange administrator learn about CVE-2020-0688? And how quickly did they patch all their servers? There’s no doubt that many skilled and experienced administrators immediately understood the importance and consequences of the problem and moved with alacrity to apply the patch. It’s equally doubtless that a bunch of vulnerable and unpatched servers remain in use a month after Microsoft released the patch. The mailboxes hosted by those servers would be much safer in Exchange Online.
It’s not a question of losing control. It’s more like making the most appropriate choice of email service. Those who have the time to keep on top of emerging threat (not only for Exchange, but for the entire IT portfolio) have no issue. They can handle the kind of threat posed by heavy-duty APTs who seek to penetrate and control complete networks. I’m concerned about organizations who don’t have the time, skill, or expertise to combat persistent, ongoing threat.
Exchange Online is usually a better place for those organizations, but only if their Office 365 tenants are managed well. As I describe in this post, APTs will cheerfully penetrate and infest Office 365 too if tenant administrators let their guard down and don’t take steps to use multi-factor authentication and stop using basic authentication. Attackers don’t care if it’s Exchange on-premises or Exchange Online. It’s a network to probe and exploit.
The difference is that when you use Exchange Online, Microsoft does the work to secure mailbox servers. Every single Exchange Online server suffered from the same vulnerability as affected the on-premises servers. It took time to deploy the fixes across the hundreds of thousands of Exchange Online servers, but this task was accomplished without affecting customers or exposing their data to threat.
I’ve worked with Exchange for over 25 years. Events like CVE-2020-0688 bring home the ongoing work needed to keep Exchange servers healthy. Ten years ago, there was no real choice and we all got on with the job of securing servers as best we could. Today, it’s a different matter. Knowing that security professionals who know more than I do and have more time than me to track and manage threat take care of my mailbox is why I use Exchange Online.