www.belgium.be Logo of the federal government

Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Reference: 
Advisory #2020-005
Version: 
1.0
Affected software: 
Microsoft Exchange
Type: 
Remote Code Execution (RCE)
CVE/CVSS: 
Date: 
27/02/2020

Sources

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

https://www.zerodayinitiative.com/advisories/ZDI-20-258/

Risks

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability.

Description

A remote code execution vulnerability exists for the Microsoft Exchange software where the software fails to properly handle objects in memory ('Microsoft Exchange Memory Corruption Vulnerability').

This specific flaw exists within the Exchange Control Panel web application. The product fails to generate a unique cryptographic key at installation, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.

Recommended Actions

Microsoft released patches for the different versions of Microsoft Exchange affected by this vulnerability. CERT.be recommends installing these patches as soon as possible after proper testing. The patches are available here.