
Thousands of Exchange Servers Still Lack Critical Patch

Rapid7 Researcher Calls Unpatched Microsoft Servers 'Dangerous as Hell'
Eight months after Microsoft issued a critical security update fixing a remote code execution flaw in Exchange Server, more than half of these mail servers in use remain vulnerable to exploits, according to the security firm Rapid7.

Rapid7 conducted a study in mid-September of more than 405,000 internet-facing servers running the Exchange Client Access Server service for Exchange 2010, 2013, 2016 and 2019 and found 61% were still vulnerable to being exploited by the flaw, which is tracked as CVE-2020-0688.

Tom Sellers, principal security researcher at Rapid7 Labs, urges organizations to check if the patch has been implemented and apply an update if needed.

"This is dangerous as hell and there is a reliable Metasploit module for it," Sellers noted.

Sellers notes the update needs to be installed on any server with the Exchange Control Panel enabled. This will typically be servers with the Client Access Server role, which is where users would access the Outlook Web App.

The security flaw is a remote code execution vulnerability that exists because Exchange Server fails to create unique keys at install time. Microsoft says the security update addresses the vulnerability by correcting how Exchange creates those keys during installation.
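Sellers' advice above is to check whether the fix is actually installed. The following PowerShell is an added example written for this page, not Rapid7's or Microsoft's code. It relies on two things the article does not state but which are standard Exchange administration practice: the file version of ExSetup.exe is raised by every Exchange security update (whereas AdminDisplayVersion from Get-ExchangeServer only reflects the cumulative update), and Exchange setup puts its bin directory on the system PATH. The minimum patched build numbers in the table are the editor's recollection of Microsoft's February 2020 advisory and are an assumption: confirm them against Microsoft's Exchange Server build-number table before acting on the result.

```powershell
# Added example (not from the article). Run on each Exchange 2010-2019 server to
# see whether the February 2020 security update fixing CVE-2020-0688 is present.
#
# ASSUMPTION: these are the lowest builds carrying the fix for each CU line, as
# recalled from Microsoft's advisory. Verify against Microsoft's build table.
$minPatched = @{
    '14.3' = @{ 496  = '14.3.496.0'  }    # Exchange 2010 SP3 Update Rollup 30
    '15.0' = @{ 1497 = '15.0.1497.6' }    # Exchange 2013 CU23
    '15.1' = @{ 1847 = '15.1.1847.7'      # Exchange 2016 CU14
                1913 = '15.1.1913.7' }    # Exchange 2016 CU15
    '15.2' = @{ 464  = '15.2.464.11'      # Exchange 2019 CU3
                529  = '15.2.529.8'  }    # Exchange 2019 CU4
}

function Test-Cve20200688Patched {
    param([string]$FileVersion)   # e.g. '15.01.1913.005' as reported by ExSetup.exe
    $v    = [version]$FileVersion             # [version] tolerates the zero padding
    $line = "$($v.Major).$($v.Minor)"         # product line: 14.3 / 15.0 / 15.1 / 15.2
    $cus  = $minPatched[$line]
    if (-not $cus) { return "unknown product line $line; check manually" }
    $min = $cus[$v.Build]                     # Build identifies the CU
    if (-not $min) {
        # A CU the February 2020 update was never released for cannot be fixed
        # by the SU alone: it must first be brought to a supported CU.
        return "CU build $($v.Build) did not receive the fix: install a supported CU, then the security update"
    }
    if ($v -ge [version]$min) { return "patched ($FileVersion >= $min)" }
    return "VULNERABLE ($FileVersion < $min)"
}

# ASSUMPTION: ExSetup.exe is on PATH (Exchange setup adds ...\Exchange Server\V15\bin).
$exsetup = Get-Command ExSetup.exe -ErrorAction SilentlyContinue
if (-not $exsetup) {
    Write-Warning 'ExSetup.exe not found on PATH; run from the Exchange Management Shell or pass its full path to Get-Command.'
} else {
    $ver = $exsetup.FileVersionInfo.FileVersion
    "$env:COMPUTERNAME ExSetup.exe $ver -> $(Test-Cve20200688Patched $ver)"
}
```

Because the Rapid7 count was made from the internet, where only the cumulative-update level is visible, a local check like this is the only way to know whether the security update itself has been applied; run it on every server with the Client Access role, not just the ones exposed to the internet.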

Rapid7 noted in an April report that patching was going slowly, with only 20% of vulnerable servers having been updated one month after the fix was issued (see: Microsoft Exchange: 355,000 Servers Lack Critical Patch).

Importance of Patching

Chris Yule, director of the threat research capability at cybersecurity firm Secureworks, says nation-state attackers and crime gangs continue to scan for these types of vulnerabilities.

"Almost every incident, whether it's post-intrusion ransomware or something else, will start with a software vulnerability," Yule said in a presentation on Thursday at the ScotSoft conference in Edinburgh, Scotland, which was held virtually.

Yule highlighted four vulnerabilities as being among the most targeted over the past year:

Microsoft Weighs In

In June, Microsoft tried to jump-start the patching process with a post from its Defender ATP Research Team imploring Exchange Server operators to implement the fix. It noted that any threat or vulnerability affecting Exchange servers should be treated with the highest priority. These servers typically hold critical business data as well as highly privileged accounts, which attackers attempt to compromise to gain admin rights on the server and, consequently, complete control of the network.

"If compromised, Exchange servers provide a unique environment that could allow attackers to perform various tasks using the same built-in tools or scripts that admins use for maintenance. This is exacerbated by the fact that Exchange servers have traditionally lacked anti-virus solutions, network protection, the latest security updates and proper security configuration, often intentionally, due to the misguided notion that these protections interfere with normal Exchange functions," according to Microsoft.

Executive Editor Mathew Schwartz contributed to this report.


About the Author

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint at ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to Forbes.com, TheStreet and Mainstreet.



