Serious Exchange Flaw Still Affects Over 300,000 Servers
More than 80 percent of Exchange servers are still exposed to a severe vulnerability. These servers remain unpatched even though it has been almost two months since the patch was released. The Microsoft Exchange vulnerability was patched in February and has been targeted by several hacking groups. The vulnerability is in the control panel of Exchange, Microsoft's mail and calendaring server. The flaw, which stems from the server failing to properly create unique keys at install time, opens servers up to authenticated hackers, who could execute code remotely on them with system privileges.
Researchers used Project Sonar, a scanning tool, to analyze internet-facing Exchange servers and sniff out which were vulnerable to the flaw. Out of 433,464 internet-facing Exchange servers, at least 357,629 were vulnerable. Unpatched servers are currently being exploited by hacking groups. Attacks first started in late February. Researchers observed hackers leveraging the flaw to run system commands to conduct reconnaissance, deploy webshell backdoors and execute in-memory frameworks post-exploitation.
The patch management issues with Exchange servers go beyond CVE-2020-0688. Security researcher Tom Sellers found that over 31,000 Exchange 2010 servers have not been updated since 2012. There are also nearly 800 Exchange 2010 servers that have never been updated. If your organization is using Exchange and you aren't sure whether it has been updated, update it immediately. The update needs to be installed on any server with the Exchange Control Panel enabled. This will typically be servers with the Client Access Server (CAS) role, which is where your users would access Outlook Web App (OWA).