
Cloud Vulnerability DB
A community-led vulnerabilities database
A remote code execution vulnerability (CVE-2020-0688) was discovered in the Exchange Control Panel (ECP) component of Microsoft Exchange Server. It was disclosed on February 11, 2020 and affects all versions of Microsoft Exchange Server; Microsoft describes the root cause as the software's failure to properly handle objects in memory. In practice, the flaw exists because, until the patch was released, every Exchange Server installation shipped with the same validation key and validation algorithm in its web.config file (TrustedSec Blog, ZDI Advisory).
The flaw lies in the Exchange Control Panel (ECP) web application, which fails to generate a unique cryptographic key at installation; the result is deserialization of untrusted data. It received a CVSS score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity. An attacker can craft a serialized VIEWSTATE parameter that embeds a command and sign it with the shared, known key; because the signature validates, the server deserializes the VIEWSTATE data and executes the embedded code as SYSTEM (ZDI Advisory, TrustedSec Blog).
The vulnerability allows authenticated attackers to execute arbitrary code in the context of SYSTEM on affected Microsoft Exchange Server installations. This could potentially lead to complete compromise of the entire Exchange environment, including all email, and possibly the entire Active Directory (TrustedSec Blog).
Microsoft released security updates to address this vulnerability in February 2020. Organizations should verify the deployment of appropriate updates listed in the Microsoft advisory. The vulnerability affects the Exchange Control Panel (ECP) component, particularly on servers with the Client Access Server (CAS) role where users access the Outlook Web App (OWA) (TrustedSec Blog).
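As an added defensive example (not code from Wiz, Microsoft, or the cited blogs): a Python audit that parses web.config fragments collected from several servers, flags static machineKey values, and reports any key value shared by more than one host, which is the root condition described above. Hostnames and key values are constructed placeholders, not real Exchange keys.

```python
"""Audit ASP.NET <machineKey> settings collected from a fleet of web.config files."""
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed web.config fragments for three hypothetical servers. The key
# values are placeholders invented for this example, not real Exchange keys.
SAMPLE_CONFIGS = {
    "ex01.corp.example": """<configuration><system.web>
  <machineKey validationKey="1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" decryption="3DES" />
</system.web></configuration>""",
    "ex02.corp.example": """<configuration><system.web>
  <machineKey validationKey="1111222233334444555566667777888899990000AAAABBBBCCCCDDDDEEEEFFFF"
              decryptionKey="0123456789ABCDEF0123456789ABCDEF" validation="SHA1" decryption="3DES" />
</system.web></configuration>""",
    "ex03.corp.example": """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" />
</system.web></configuration>""",
}


def parse_machine_key(xml_text):
    """Return the <machineKey> attributes, or {} when the element is absent
    (ASP.NET then falls back to auto-generated, per-machine keys)."""
    root = ET.fromstring(xml_text)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}


def is_static(value):
    """A key is static if it is present and not AutoGenerate[,IsolateApps]."""
    return value is not None and not value.startswith("AutoGenerate")


def fingerprint(value):
    """Short hash so the report can match keys across hosts without echoing them."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def audit(configs):
    """Return (per-host issues, {fingerprint: hosts}) for keys shared by >1 host."""
    findings, seen = {}, defaultdict(set)
    for host, xml_text in configs.items():
        mk = parse_machine_key(xml_text)
        issues = []
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr)
            if is_static(value):  # static keys are only a problem if shared, but worth listing
                issues.append(f"static {attr}")
                seen[fingerprint(value)].add(host)
        findings[host] = issues
    shared = {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}
    return findings, shared
```

Feed `audit()` the real web.config text from each Exchange host; any entry in the returned `shared` map means two or more servers can validate each other's signed ViewState.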
A global survey conducted using Project Sonar revealed that as of March 24, 2020, over 350,000 Exchange servers (82.5% of observed servers) were still vulnerable to this exploit. The survey also uncovered concerning statistics about unpatched Exchange servers, including over 31,000 Exchange 2010 servers that had not been updated since 2012 (Rapid7 Blog).
Source: This report was generated using AI