
How to understand Microsoft Exchange remote code execution vulnerabilities

2025-04-13 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains the Microsoft Exchange remote code execution vulnerability, which many people may not understand well. The editor has summarized the key points below.

0x00 vulnerability background

On February 26, 2020, 360CERT observed that details of the remote code execution vulnerability (CVE-2020-0688) in Microsoft Exchange Server, announced by Microsoft on February 11, 2020, had been made public on the Internet.

0x01 risk rating

360CERT rates this security update as follows:

Threat level: serious
Scope of impact: wide

360CERT determined that the vulnerability addressed by this security update has a wide range of impact. Users are advised to install the Microsoft Exchange patches promptly to avoid attacks.

0x02 vulnerability details

The flaw is due to the use of static keys (validationKey and decryptionKey) in the Exchange Control Panel (ECP) component.

All Microsoft Exchange Server installations have the same validationKey and decryptionKey in the installed web.config file. These keys are used to protect ViewState. ViewState is server-side data that ASP.NET Web applications store on the client in a serialized format. The client returns this data to the server through the __VIEWSTATE request parameter.

An authenticated attacker can collect the ViewStateUserKey from the authenticated session and get the __VIEWSTATEGENERATOR value from the original response to the login request. With these two values, the YSoSerial.net tool can be used to generate a malicious ViewState that executes arbitrary .NET code in ECP. Because the ECP application runs with SYSTEM privileges, an attacker who successfully exploits this vulnerability can execute arbitrary code as SYSTEM and take full control of the target Exchange server.
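An audit check for the condition described above, written as an added example (not from the original article or from 360CERT): it parses web.config contents, flags machineKey elements with hard-coded validationKey or decryptionKey values, and groups hosts whose keys are identical. The host names and key values are constructed placeholders, and the function names are illustrative.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample web.config contents; host names and key values are placeholders.
_STATIC = ('<configuration><system.web><machineKey validationKey="A1B2C3D4" '
           'decryptionKey="E5F60718" validation="SHA1" decryption="AES"/>'
           '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "mail01": _STATIC,
    "mail02": _STATIC.replace("A1B2C3D4", "a1b2c3d4"),  # same key, different case
    "web03": '<configuration><system.web><machineKey '
             'validationKey="AutoGenerate,IsolateApps" '
             'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>',
    "web04": '<configuration><system.web/></configuration>',  # no machineKey at all
}

def static_keys(config_xml):
    """Return {attribute: fingerprint} for hard-coded machineKey values."""
    found = {}
    for el in ET.fromstring(config_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "machineKey":  # tolerate an XML namespace
            continue
        for attr in ("validationKey", "decryptionKey"):
            value = el.get(attr, "").strip()
            # Absent or AutoGenerate: ASP.NET generates the key itself.
            if value and not value.lower().startswith("autogenerate"):
                # Keep a short fingerprint so reports never contain the key.
                digest = hashlib.sha256(value.upper().encode()).hexdigest()
                found[attr] = digest[:16]
    return found

def audit(configs):
    """Return (per-host static keys, {(attr, fingerprint): hosts sharing it})."""
    per_host = {host: static_keys(xml) for host, xml in configs.items()}
    groups = defaultdict(list)
    for host, keys in sorted(per_host.items()):
        for attr, fp in keys.items():
            groups[(attr, fp)].append(host)
    reused = {k: hosts for k, hosts in groups.items() if len(hosts) > 1}
    return per_host, reused

if __name__ == "__main__":
    per_host, reused = audit(SAMPLE_CONFIGS)
    for host, keys in per_host.items():
        print(host, "static:", sorted(keys) or "none")
    for (attr, fp), hosts in reused.items():
        print(f"{attr} {fp} shared by {', '.join(hosts)}")
```

Any host reported with static keys that also appear on another host has the same exposure the advisory describes: a key known from one installation validates ViewState on the others.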

0x03 affected versions

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 14

Microsoft Exchange Server 2016 Cumulative Update 15

Microsoft Exchange Server 2019 Cumulative Update 3

Microsoft Exchange Server 2019 Cumulative Update 4

0x04 repair recommendation

360CERT recommends that users promptly install the official patch and upgrade the application to the latest version to fix the vulnerability:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

0x05 related cyberspace mapping data

Asset mapping of the whole network shows that Microsoft Exchange is widely used in China. The specific distribution is shown in the following figure.

0x06 product-side solution

360 city-level network security monitoring service

The QUAKE asset mapping platform of the Security Brain monitors such vulnerabilities and events by means of asset mapping technology. Users can contact the relevant product regional representatives to obtain the corresponding products.
