Microsoft Exchange Validation Key Remote Code Execution Vulnerability
- CVE-2020-0688 - 8.8
Sources
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
https://www.zerodayinitiative.com/advisories/ZDI-20-258/
Risks
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Exchange Server. Authentication is required to exploit this vulnerability.
Description
A remote code execution vulnerability exists for the Microsoft Exchange software where the software fails to properly handle objects in memory ('Microsoft Exchange Memory Corruption Vulnerability').
This specific flaw exists within the Exchange Control Panel web application. The product fails to generate a unique cryptographic key at installation, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.
Recommended Actions
Microsoft released patches for the different versions of Microsoft Exchange affected by this vulnerability. CERT.be recommends installing these patches as soon as possible after proper testing. The patches are available here.