{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-010.pdf"
    },
    "title": "Microsoft Exchange Server - Remote Code Execution Vulnerability",
    "serial_number": "2020-010",
    "publish_date": "26-02-2020 20:05:00",
    "description": "Microsoft released a fix for a remote code execution vulnerability in Microsoft Exchange (CVE-2020-0688). The vulnerability exists because Exchange fails to create unique cryptographic keys at installation time, leading to all Exchange servers using the same \"validationKey\" and \"decryptionKey\" values.<br><br>Knowledge of the validation key allows an authenticated user with a mailbox on the server to pass arbitrary objects to be deserialized by the web application, which runs as \"SYSTEM\", leading to remote code execution with the highest privileges.<br><br>On February 25th 2020, Zero Day Initiative released a blog post detailing how to exploit the vulnerability. Any user with an account on an Exchange server can easily exploit the remote code execution vulnerability.<br><br>Some researchers point out that scanning for vulnerable Exchange servers is ongoing.",
    "url_title": "2020-010",
    "content_markdown": "---\ntitle: 'Microsoft Exchange Server -- Remote\u00a0Code Execution Vulnerability'\nversion: '1.0'\nnumber: '2020-010'\ndate: 'February 26, 2020'\n---\n\n_History:_\n\n* _26/02/2020 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nMicrosoft released a fix for a remote code execution vulnerability in Microsoft Exchange (CVE-2020-0688) [1]. The vulnerability exists because Exchange fails to create unique cryptographic keys at installation time, leading to all Exchange servers using the same `validationKey` and `decryptionKey` values.\n\nKnowledge of the validation key allows an authenticated user with a mailbox on the server to pass arbitrary objects to be deserialized by the web application, which runs as `SYSTEM`, leading to remote code execution with the highest privileges.\n\nOn February 25th 2020, Zero Day Initiative released a blog post detailing how to exploit the vulnerability [2]. Any user with an account on an Exchange server can easily exploit the remote code execution vulnerability.\n\nSome researchers point out that scanning for vulnerable Exchange servers is ongoing [3].\n\n# Technical Details\n\nA remote code execution vulnerability exists in Microsoft Exchange due to improper generation of validation and decryption keys during installation.\n\nTo exploit this vulnerability, an attacker would need to authenticate to a Microsoft Exchange Server with a valid account (via Outlook Web Access for example) and extract some parameters from the communication with the server:\n\n * `ViewStateUserKey` and `__VIEWSTATEGENERATOR` from the response of a request sent to `/ecp/default.aspx`,\n * `ASP.NET_SessionId` in the request headers,\n * `validationKey` which is always the same for all vulnerable Exchange servers.\n\nThe attacker can then generate a malicious URL by serializing and URL-encoding a payload using the gathered information. Submitting the URL will trigger a `500 Unexpected Error` but the crafted payload will be executed on the server with `SYSTEM` rights.\n\n# Products Affected\n\n* Microsoft Exchange Server 2010\n* Microsoft Exchange Server 2013\n* Microsoft Exchange Server 2016\n* Microsoft Exchange Server 2019\n\n# Recommendations\n\nApply the February 2020 security updates as described in the Microsoft advisory [1].\n\nCheck the validation key value on Microsoft Exchange Servers in `web.config`. If the value is equal to `CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF`, the server is vulnerable.\n\n# References\n\n[1] <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688>\n\n[2] <https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys>\n\n[3] <https://twitter.com/bad_packets/status/1232428319733272579>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>26/02/2020 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>Microsoft released a fix for a remote code execution vulnerability in Microsoft Exchange (CVE-2020-0688) [1]. The vulnerability exists because Exchange fails to create unique cryptographic keys at installation time, leading to all Exchange servers using the same <code>validationKey</code> and <code>decryptionKey</code> values.</p><p>Knowledge of the validation key allows an authenticated user with a mailbox on the server to pass arbitrary objects to be deserialized by the web application, which runs as <code>SYSTEM</code>, leading to remote code execution with the highest privileges.</p><p>On February 25th 2020, Zero Day Initiative released a blog post detailing how to exploit the vulnerability [2]. Any user with an account on an Exchange server can easily exploit the remote code execution vulnerability.</p><p>Some researchers point out that scanning for vulnerable Exchange servers is ongoing [3].</p><h2 id=\"technical-details\">Technical Details</h2><p>A remote code execution vulnerability exists in Microsoft Exchange due to improper generation of validation and decryption keys during installation.</p><p>To exploit this vulnerability, an attacker would need to authenticate to a Microsoft Exchange Server with a valid account (via Outlook Web Access for example) and extract some parameters from the communication with the server:</p><ul><li><code>ViewStateUserKey</code> and <code>__VIEWSTATEGENERATOR</code> from the response of a request sent to <code>/ecp/default.aspx</code>,</li><li><code>ASP.NET_SessionId</code> in the request headers,</li><li><code>validationKey</code> which is always the same for all vulnerable Exchange servers.</li></ul><p>The attacker can then generate a malicious URL by serializing and URL-encoding a payload using the gathered information. Submitting the URL will trigger a <code>500 Unexpected Error</code> but the crafted payload will be executed on the server with <code>SYSTEM</code> rights.</p><h2 id=\"products-affected\">Products Affected</h2><ul><li>Microsoft Exchange Server 2010</li><li>Microsoft Exchange Server 2013</li><li>Microsoft Exchange Server 2016</li><li>Microsoft Exchange Server 2019</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Apply the February 2020 security updates as described in the Microsoft advisory [1].</p><p>Check the validation key value on Microsoft Exchange Servers in <code>web.config</code>. If the value is equal to <code>CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF</code>, the server is vulnerable.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688\">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys\">https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://twitter.com/bad_packets/status/1232428319733272579\">https://twitter.com/bad_packets/status/1232428319733272579</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}