Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET Coming Soon: GET:IT Endpoint Management 1-Day Conference on September 28th at 9:30 AM ET
Exchange 2010|Exchange 2013|Exchange 2016|Exchange 2019|Exchange Online|Exchange Server|Office|Office 365

CVE-2020-0688 Puts Focus on Exchange On-Premises Vulnerabilities

Patches Available to Address Long-term Vulnerability

On February 11, 2020, Microsoft patched every version of Exchange from 2010 to 2019 to address the CVE-2020-0688 “Validation Key Remote Code Execution” vulnerability. The patch addressed a weakness in the Exchange Control Panel (ECP) which has existed since its introduction in Exchange 2010. In a nutshell, instead of generating random per-installation cryptographic keys to secure communications, Exchange used the same key everywhere.

Bad Guys Busy Looking for Exchange Server Targets

It’s obviously an embarrassing and worrisome oversight for Microsoft, especially since evidence has emerged that advanced persistent threat (APT) actors have started to probe for vulnerable servers. According to Volexity Threat Research, APTs have exploited the Exchange vulnerability to:

  • Run system commands to conduct reconnaissance. In other words, snoop around the organization to find if any other weaknesses exist and what information can be gathered to help them execute an attack.
  • Deploy webshell backdoor accessible via OWA. Attackers use backdoors to retain access to penetrated systems when the original weakness is closed.
  • Execute in-memory post-exploitation frameworks that attackers can leverage in the future.

As Volexity point out, the obvious mitigation is to install the patch issued by Microsoft. And after you do that, consider whether you should still need to run Exchange on-premises servers. As I described last week, on-premises Exchange isn’t going away just yet. Some comments I received noted that Exchange servers operate in circumstances where cloud connectivity isn’t possible. But not everyone runs email on a submarine and my feeling is that there’s still a bunch of servers out there that would be better if replaced by Exchange Online.

Speed to Fix Deflects Attackers

Think about it this way. How quickly did every on-premises Exchange administrator learn about CVE-2020-0688? And how quickly did they patch all their servers? There’s no doubt that many skilled and experienced administrators immediately understood the importance and consequences of the problem and moved with alacrity to apply the patch. It’s equally doubtless that a bunch of vulnerable and unpatched servers remain in use a month after Microsoft released the patch. The mailboxes hosted by those servers would be much safer in Exchange Online.

Sponsored Content

Say Goodbye to Traditional PC Lifecycle Management

Traditional IT tools, including Microsoft SCCM, Ghost Solution Suite, and KACE, often require considerable custom configurations by T3 technicians (an expensive and often elusive IT resource) to enable management of a hybrid onsite + remote workforce. In many cases, even with the best resources, organizations are finding that these on-premise tools simply cannot support remote endpoints consistently and reliably due to infrastructure limitations.

It’s not a question of losing control. It’s more like making the most appropriate choice of email service. Those who have the time to keep on top of emerging threat (not only for Exchange, but for the entire IT portfolio) have no issue. They can handle the kind of threat posed by heavy-duty APTs who seek to penetrate and control complete networks. I’m concerned about organizations who don’t have the time, skill, or expertise to combat persistent, ongoing threat.

Office 365 Can be Vulnerable Too

Exchange Online is usually a better place for those organizations, but only if their Office 365 tenants are managed well. As I describe in this post, APTs will cheerfully penetrate and infest Office 365 too if tenant administrators let their guard down and don’t take steps to use multi-factor authentication and stop using basic authentication. Attackers don’t care if it’s Exchange on-premises or Exchange Online. It’s a network to probe and exploit.

The difference is that when you use Exchange Online, Microsoft does the work to secure mailbox servers. Every single Exchange Online server suffered from the same vulnerability as affected the on-premises servers. It took time to deploy the fixes across the hundreds of thousands of Exchange Online servers, but this task was accomplished without affecting customers or exposing their data to threat.

Time to Change

I’ve worked with Exchange for over 25 years. Events like CVE-2020-0688 bring home the ongoing work needed to keep Exchange servers healthy. Ten years ago, there was no real choice and we all got on with the job of securing servers as best we could. Today, it’s a different matter. Knowing that security professionals who know more than I do and have more time than me to track and manage threat take care of my mailbox is why I use Exchange Online.


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.
Live Webinar: Active Directory Security: What Needs Immediate Priority!Live on Tuesday, October 12th at 1 PM ET

Attacks on Active Directory are at an all-time high. Companies that are not taking heed are being punished, both monetarily and with loss of production.

In this webinar, you will learn:

  • How to prioritize vulnerability management
  • What attackers are leveraging to breach organizations
  • Where Active Directory security needs immediate attention
  • Overall strategy to secure your environment and keep it secured

Sponsored by: