{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2020-044.pdf"
    },
    "title": "UPDATE: Remote Code Execution Vulnerability Affecting Microsoft Exchange",
    "serial_number": "2020-044",
    "publish_date": "09-09-2020 09:43:00",
    "description": "On the 9th of September 2020, Microsoft released several security advisories, updates, and workarounds to address security vulnerabilities. One of the reported vulnerabilities affects Microsoft Exchange server.<br>Based on the description provided by Microsoft, the vulnerability is due to improper validation of cmdlet arguments. An attacker authenticated with a specific Exchange role could run arbitrary code in the context of the System user, leading to a full compromise of the Exchange server.<br>On the 10th of September 2020, Source Incite released details and a proof-of-concept for the vulnerability. The vulnerability is due to a lack of proper validation of user-supplied data when using the \"New-DlpPolicy\" cmdlet. To exploit this vulnerability, the authenticated attacker needs the *Data Loss Prevention* (DLP) role assigned. This role is usually assigned to administrative accounts only; however, this type of vulnerability triggers high interest among threat actors, and a proof-of-concept usually emerges quite quickly after the release of a patch. For this reason, it is highly recommended to patch exposed Exchange servers as soon as possible.",
    "url_title": "2020-044",
    "content_markdown": "---\ntitle: 'Remote Code Execution Vulnerability Affecting Microsoft Exchange'\nversion: '1.1'\nnumber: '2020-044'\ndate: 'September 14, 2020'\n---\n\n_History:_\n\n* _09/09/2020 --- v1.0 -- Initial publication_\n* _14/09/2020 --- v1.1 -- Update to add PoC and details_\n\n# Summary\n\nOn the 9th of September 2020, Microsoft released several security advisories, updates, and workarounds to address security vulnerabilities [1]. One of the reported vulnerabilities affects Microsoft Exchange server [2].\n\nBased on the description provided by Microsoft, the vulnerability is due to improper validation of cmdlet arguments. An attacker authenticated with a specific Exchange role could run arbitrary code in the context of the System user, leading to a full compromise of the Exchange server.\n\nOn the 10th of September 2020, Source Incite released details and a proof-of-concept for the vulnerability [5]. The vulnerability is due to a lack of proper validation of user-supplied data when using the `New-DlpPolicy` cmdlet. To exploit this vulnerability, the authenticated attacker needs the *Data Loss Prevention* (DLP) role assigned. This role is usually assigned to administrative accounts only; however, this type of vulnerability triggers high interest among threat actors, and a proof-of-concept usually emerges quite quickly after the release of a patch. For this reason, it is highly recommended to patch exposed Exchange servers as soon as possible.\n\n# Technical Details\n\nThe vulnerability was assigned *CVE-2020-16875* [4].\n\nThe vulnerability is a remote code execution in Microsoft Exchange server due to improper validation of `New-DlpPolicy` cmdlet arguments. To exploit the vulnerability, an attacker needs the *Data Loss Prevention* (DLP) role assigned to the account used.\n\nTo exploit the vulnerability, the attacker needs to create a malicious DLP policy (XML format) by injecting a payload into the `commandBlock` sub-element of the `policyCommands` element of the new policy (stored in a `dlpPolicyTemplate` element) and then load this XML using the `New-DlpPolicy` cmdlet.\n\n# Products Affected\n\nThis vulnerability affects the following Microsoft Exchange Server versions:\n\n * Microsoft Exchange Server 2019 before Cumulative Update 5\n * Microsoft Exchange Server 2016 before Cumulative Update 16\n\n# Recommendations\n\nCERT-EU recommends updating Microsoft Exchange Server following Microsoft guidance as soon as possible [3].\n\n# References\n\n[1] <https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep>\n\n[2] <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875>\n\n[3] <https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016>\n\n[4] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16875>\n\n[5] <https://srcincite.io/advisories/src-2020-0019/>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>09/09/2020 --- v1.0 -- Initial publication</em></li><li><em>14/09/2020 --- v1.1 -- Update to add PoC and details</em></li></ul><h2 id=\"summary\">Summary</h2><p>On the 9th of September 2020, Microsoft released several security advisories, updates, and workarounds to address security vulnerabilities [1]. One of the reported vulnerabilities affects Microsoft Exchange server [2].</p><p>Based on the description provided by Microsoft, the vulnerability is due to improper validation of cmdlet arguments. An attacker authenticated with a specific Exchange role could run arbitrary code in the context of the System user, leading to a full compromise of the Exchange server.</p><p>On the 10th of September 2020, Source Incite released details and a proof-of-concept for the vulnerability [5]. The vulnerability is due to a lack of proper validation of user-supplied data when using the <code>New-DlpPolicy</code> cmdlet. To exploit this vulnerability, the authenticated attacker needs the <em>Data Loss Prevention</em> (DLP) role assigned. This role is usually assigned to administrative accounts only; however, this type of vulnerability triggers high interest among threat actors, and a proof-of-concept usually emerges quite quickly after the release of a patch. For this reason, it is highly recommended to patch exposed Exchange servers as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability was assigned <em>CVE-2020-16875</em> [4].</p><p>The vulnerability is a remote code execution in Microsoft Exchange server due to improper validation of <code>New-DlpPolicy</code> cmdlet arguments. To exploit the vulnerability, an attacker needs the <em>Data Loss Prevention</em> (DLP) role assigned to the account used.</p><p>To exploit the vulnerability, the attacker needs to create a malicious DLP policy (XML format) by injecting a payload into the <code>commandBlock</code> sub-element of the <code>policyCommands</code> element of the new policy (stored in a <code>dlpPolicyTemplate</code> element) and then load this XML using the <code>New-DlpPolicy</code> cmdlet.</p><h2 id=\"products-affected\">Products Affected</h2><p>This vulnerability affects the following Microsoft Exchange Server versions:</p><ul><li>Microsoft Exchange Server 2019 before Cumulative Update 5</li><li>Microsoft Exchange Server 2016 before Cumulative Update 16</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends updating Microsoft Exchange Server following Microsoft guidance as soon as possible [3].</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep\">https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-Sep</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875\">https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-16875</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016\">https://support.microsoft.com/en-us/help/4577352/security-update-for-exchange-server-2019-and-2016</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16875\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16875</a></p><p>[5] <a rel=\"noopener\" target=\"_blank\" href=\"https://srcincite.io/advisories/src-2020-0019/\">https://srcincite.io/advisories/src-2020-0019/</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}