A security bug in Microsoft Exchange email servers is being exploited by government-backed hacking groups. As Microsoft describes it, CVE-2020-0688 is a remote code execution vulnerability that arises at installation time, when Microsoft Exchange Server fails to create a unique cryptographic key.
“Knowledge of a validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.”
What is the CVE-2020-0688 bug
Microsoft Exchange email servers released over roughly the last 10 years rely on the same, non-unique cryptographic keys, which play a significant role in the Exchange control panel’s backend. This makes it easier for attackers to send malicious requests to the Exchange control panel, requests that carry malicious serialized data.
Hackers can run malicious code on the Exchange server’s backend because knowing the cryptographic keys lets them ensure that their data is deserialized. This ultimately allows them to gain full control over the server, since the code runs with SYSTEM privileges. Microsoft patched the vulnerability last month.
Attempts to exploit CVE-2020-0688 were made by “all the big players,” ZDNet reports, citing a source from the DOD. Further details, such as the names of the groups or countries involved, were not immediately available.
Meanwhile, Zero-Day Initiative has published a detailed technical report explaining how the Exchange vulnerability could be exploited by hackers to gain access to mail servers:
“Initially, Microsoft stated this bug was due to a memory corruption vulnerability and could be exploited by a specially crafted email sent to a vulnerable Exchange server.”
“They have since revised their write-up to (correctly) indicate that the vulnerability results from Exchange Server failing to properly create unique cryptographic keys at the time of installation.”
As researchers explain, CVE-2020-0688 is a post-authentication bug: an attacker needs credentials for an email account before they can run the malicious payload and hijack the victim’s email server.
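As an added example (not from this article, Microsoft or ZDI), the following defender-side check scans IIS log lines for the request shape the article describes: authenticated requests to the Exchange control panel that carry serialized ViewState data in the URL query string. The log lines, usernames, IP addresses and the generator value are all constructed for the example.

```python
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not real traffic); the field order
# follows the #Fields header line, as IIS writes it.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2020-03-01 10:00:01 10.0.0.5 GET /owa/ - 443 CORP\\alice 10.0.0.20 200
2020-03-01 10:00:07 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=DEADBEEF&__VIEWSTATE=%2FwEyAAAA 443 CORP\\alice 203.0.113.7 500
2020-03-01 10:00:09 10.0.0.5 POST /ecp/default.aspx - 443 CORP\\bob 10.0.0.21 200
2020-03-01 10:00:12 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\carol 10.0.0.22 200
"""

# ASP.NET form fields that carry serialized ViewState and its page generator id.
VIEWSTATE_FIELDS = {"__VIEWSTATE", "__VIEWSTATEGENERATOR"}


def parse_iis_log(text):
    """Turn W3C-format IIS log text into a list of dicts keyed by field name."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def find_viewstate_in_ecp_query(records):
    """Flag /ecp/ requests whose query string carries ViewState fields.

    ASP.NET normally sends __VIEWSTATE in a POST body; seeing it in the query
    string of an authenticated control-panel request is worth triage, so the
    user, source IP and status code are returned for each hit."""
    hits = []
    for r in records:
        query = r.get("cs-uri-query", "-")
        if not r.get("cs-uri-stem", "").lower().startswith("/ecp/") or query == "-":
            continue
        found = set(parse_qs(query, keep_blank_values=True)) & VIEWSTATE_FIELDS
        if found:
            hits.append({"user": r["cs-username"], "client": r["c-ip"],
                         "status": r["sc-status"], "fields": sorted(found)})
    return hits


if __name__ == "__main__":
    for hit in find_viewstate_in_ecp_query(parse_iis_log(SAMPLE_IIS_LOG)):
        print(hit)
```

The same two functions can be pointed at real IIS logs by reading the log file into `parse_iis_log` instead of the constructed sample.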
Though this may not be a straightforward hack per se, it gives Advanced Persistent Threat (APT) groups and ransomware attackers all the more reason to break into Microsoft Exchange servers.