Description
A critical vulnerability has been identified in the XML parser component of Microsoft Exchange Server. This remote code execution vulnerability, identified as CVE-2020-17144, allows an attacker to execute arbitrary code on the affected system. The vulnerability is due to improper deserialization of untrusted data, which could be exploited by sending a specially crafted request to an affected version of Microsoft Exchange Server.
Affected Product(s)
- Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 31
- Microsoft Exchange Server
Technical Details
CVE-2020-17144 is a critical vulnerability found in Microsoft Exchange Server, versions including the 2010 Service Pack 3. The vulnerability is due to the deserialization of untrusted data, identified under CWE-502: Deserialization of Untrusted Data. This flaw enables an attacker to induce remote code execution (RCE) on the server by exploiting the lack of proper validation mechanisms within the deserialization process.
It has been demonstrated that an attacker can exploit this vulnerability by carefully sending crafted binary data, which is deserialized in an unsafe manner by the affected components of the Exchange Server. For instance, by manipulating specific components and leveraging vulnerabilities in the deserialization process, attackers can execute arbitrary code, eventually gaining control over the system. This is notably evident from the exploitation process that involves creating a User Configuration with malicious payloads embedded in BinaryData. Once the server deserializes this data without adequate checks, the payload is executed, leading to remote code execution.
The vulnerability primarily revolves around unsafe handling and incorrect validation within the TypedBinaryFormatter and a faulty implementation within the ChainedSerializationBinder component of the Exchange Server. The deserialization mechanism fails to ensure proper validation of types, allowing potentially unsafe deserializations to occur. The binder does not correctly pass the relevant checks within ExchangeBinaryFormatterFactory, resulting in potential deserialization of malicious payloads that inject a secondary deserialization stage, often leveraging the System.Security.Claims.ClaimsPrincipal identity for further propagation.
Specific tools such as DnSpy and WinMerge have been used to assess the differential file changes post-patch deployment, revealing substantial modifications (approximately 275 files). Furthermore, the exploitation techniques demonstrated employ tools like ysoserial.net to construct gadget chains capable of invoking arbitrary commands and injecting shellcode by exploiting the vulnerability, bypassing certain security defenses by disguising payloads in seemingly legitimate serialized data. Additionally, security researchers have evidenced that user configurations can be manipulated via direct access through the Exchange Web Services (EWS) API endpoints, specifically the CreateUserConfiguration and GetClientAccessToken operations.
This deserialization sink is notably triggered within the claims principal processing, with further support from public documentation and practical experimentation in controlled labs demonstrating the feasibility of RCE under realistic conditions. This exploitation path underscores the critical need for robust patch management and systematic updates within exposed and critical infrastructure elements like email servers.
Weakness
The weakness associated with this vulnerability is a result of improper deserialization of untrusted data (CWE-502). Deserialization is the process of transforming serialized data back into objects. The vulnerability arises when untrusted, potentially malicious data is deserialized without sufficient validation and checks, allowing an attacker to insert arbitrary serialized payload that can exploit the deserialization process, leading to remote code execution.
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. The consequences of such an exploit include full system compromise, potentially leading to the exposure of confidential information, disruption of services, and installation of additional malicious software, including ransomware.
Active Exploitation
We have observed activity from various adversary groups exploiting the vulnerability. These groups have typically targeted Microsoft Exchange Servers due to their critical role in organizational communication and data management. Specifically, the exploitation involves using NTLM hashes for authentication to trigger the vulnerability and execute arbitrary code on compromised systems.
Threat Actors: Unspecified Group – Russia
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically targeted by ransomware gangs aiming to leverage the initial exploit to gain access and subsequently deploy ransomware on compromised systems. This includes instances where threat actors have used the CVE-2020-17144 vulnerability to establish persistence, exfiltrate data, and encrypt critical enterprise data demanding ransom payments for decryption keys.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. It is imperative to update to the latest version of the affected software. Microsoft has deployed updates and various advisories detailing the steps involved in applying the necessary patches. Immediate installation of these patches is recommended to protect systems against potential exploitation.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Ensure that your Microsoft Exchange Servers are updated to the latest Service Pack and Rollup versions provided by Microsoft.
- Verify and secure all Exchange Server configurations to prevent unauthorized access and potential exploitation.
- Implement additional security measures such as network segmentation and strict firewall policies to limit access to the Exchange Server.
- Regularly review and audit security logs to detect any anomalous activities that may indicate attempted exploitation.
- Consider deploying endpoint detection and response (EDR) solutions capable of detecting and mitigating exploitation attempts.
- Review and configure proper access controls and authentication mechanisms to enhance the security posture of your email infrastructure.
- Develop incident response and business continuity plans to quickly address any potential exploitation and mitigate damages.
ย Referencesย
- Microsoft Update Guide for CVE-2020-17144
- CVE MITRE Details
- National Vulnerability Database
- Microsoft Security Guidance Advisory
- Microsoft Catalog Update
- CISA KEV Catalog
- Tenable Nessus Plugins
- SMB Share Ful Access Vulnerability Report
- SeeBug Research
- iHonker Research 1
- iHonker Research 2
- 4hou Research