Daniel Timofte
Security Research Engineer

Microsoft Exchange Flaw CVE-2020-0688 Still Affecting 130K Public-Facing Servers

March 23, 2020 by Daniel Timofte

More than one month has passed since the Microsoft Exchange Fixed Cryptographic Keys vulnerability (CVE-2020-0688) was patched and, according to Kenna Security’s study, only 15% of the publicly exposed servers have been patched.

The flaw resides in the reuse of the same cryptographic keys when storing client-side data, a feature known in ASP.NET as ‘ViewState’. After retrieving the encrypted client-side content, the server attempts to deserialize it, assuming that the encryption guarantees the data hasn’t been tampered with. An attacker who uses the same keys can supply payloads that embed property-oriented programming "gadget chains" (present in common .NET libraries) and achieve code execution. Once again, implementing cryptography safely proves not to be an easy task.


Use of hardcoded cryptographic primitives
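
A defensive check for the condition described above, added here as an example that is not code from the original post or from Microsoft: it scans ASP.NET `web.config` contents for `machineKey` entries that hold literal keys instead of auto-generated ones, and reports hosts that share an identical key. It assumes the keys are set through the `machineKey` element; the host names and key values are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs: host names and key values are placeholders, not real keys.
_STATIC = ('<configuration><system.web><machineKey validationKey="AAAA1111BBBB2222" '
           'decryptionKey="CCCC3333DDDD4444" validation="SHA1" decryption="AES"/>'
           '</system.web></configuration>')
SAMPLE_CONFIGS = {
    "mail01": _STATIC,
    "mail02": _STATIC,  # same literal keys as mail01: the condition behind the flaw
    "web03": ('<configuration><system.web><machineKey '
              'validationKey="AutoGenerate,IsolateApps" '
              'decryptionKey="AutoGenerate,IsolateApps"/></system.web></configuration>'),
    "web04": "<configuration><system.web/></configuration>",  # no machineKey: defaults apply
}

def static_keys(config_xml):
    """Map each machineKey attribute holding a literal key to a short fingerprint."""
    found = {}
    for mk in ET.fromstring(config_xml).iter("machineKey"):
        for attr in ("validationKey", "decryptionKey"):
            value = mk.get(attr, "AutoGenerate")  # an absent attribute means auto-generated
            if not value.lower().startswith("autogenerate"):
                # Fingerprint only, so the audit report never contains the key itself.
                found[attr] = hashlib.sha256(value.encode()).hexdigest()[:12]
    return found

def audit(configs):
    """Return (hosts with literal keys, groups of hosts sharing an identical key)."""
    static, hosts_by_key = {}, defaultdict(set)
    for host, xml_text in configs.items():
        keys = static_keys(xml_text)
        if keys:
            static[host] = sorted(keys)
        for attr, fingerprint in keys.items():
            hosts_by_key[(attr, fingerprint)].add(host)
    shared = sorted({tuple(sorted(h)) for h in hosts_by_key.values() if len(h) > 1})
    return static, shared

if __name__ == "__main__":
    static, shared = audit(SAMPLE_CONFIGS)
    for host, attrs in static.items():
        print(f"{host}: literal {', '.join(attrs)}")
    for group in shared:
        print("identical key on:", ", ".join(group))
```

Any group reported as sharing a key means that a key recovered from one host is valid on every other host in that group.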

With lots of proofs of concept now available, the only things keeping script kiddies away are the requirement to be authenticated in order to exploit the vulnerability and the use of two-factor authentication (2FA). However, this is a no-brainer for APT groups that are actively attacking vulnerable targets, given the prevalence of leaked passwords and credential databases.

Here at Ixia’s Application and Threat Intelligence Research Center, we’ve detected numerous scans and fingerprinting requests in the past month coming from cloud-based servers, a sign that attackers are out there, doing their thing.


Fingerprinting scans hitting our honeypots

We have also developed a strike for CVE-2020-0688 that simulates the attack; it will be available to our customers starting with the BreakingPoint ATI 2020-05 Strikepack.


Ixia's Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and vulnerabilities for use with Ixia test platforms. The ATI Research Center continuously monitors threats as they appear in the wild. Customers of our BreakingPoint product have access to strikes for different vulnerabilities targeting Microsoft products, allowing them to test their currently deployed security controls’ ability to detect or block such attacks.