Thousands of administrators overseeing Microsoft Exchange Server apparently aren’t in a hurry to install a major patch that was released eight months ago, according to a security vendor’s internet scan.
Security vendor Rapid7 said Tuesday that its internet scan suggests 61 per cent of Exchange versions 2010, 2013, 2016, and 2019 are still vulnerable to exploitation of a memory corruption bug known as CVE-2020-0688.
“We strongly urge organizations to update their environments,” researchers said in a blog, warning how an attacker could turn any stolen Exchange user account into a complete system compromise. “In many implementations, this could be used to completely compromise the entire Exchange environment (including all email) and potentially all of Active Directory.”
The update for CVE-2020-0688 needs to be installed on any server with the Exchange Control Panel (ECP) enabled. This will typically be servers with the Client Access Server (CAS) role, which is where users would access the Outlook Web App (OWA), said researchers. The blog includes detailed instructions on how to verify whether the needed update has been installed.
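One way an administrator could run that check across a deployment, as an added example that is not from the article or from Rapid7's blog: it lists the servers that publish the ECP virtual directory and compares each one's ExSetup.exe file version against a minimum patched build. The minimum builds are placeholders to be filled in from Microsoft's release notes for the security update, and the script assumes it is run from the Exchange Management Shell with remoting enabled to the other servers.

```powershell
# Added example (not from the article): flag ECP-hosting Exchange servers
# whose ExSetup.exe build is below the CVE-2020-0688 fix level.
# Assumes Exchange Management Shell and PowerShell remoting to each server.

# PLACEHOLDERS: fill in the minimum patched ExSetup.exe build for each
# major.minor version from Microsoft's notes for the security update.
$minPatched = @{
    '14.3' = $null   # Exchange 2010 SP3 - placeholder, e.g. [version]'14.3.x.y'
    '15.0' = $null   # Exchange 2013     - placeholder
    '15.1' = $null   # Exchange 2016     - placeholder
    '15.2' = $null   # Exchange 2019     - placeholder
}

# Servers that publish the ECP virtual directory are the ones that need the update.
$ecpServers = Get-EcpVirtualDirectory |
    Select-Object -ExpandProperty Server |
    ForEach-Object { $_.Name } |
    Sort-Object -Unique

foreach ($server in $ecpServers) {
    # Security updates bump the ExSetup.exe file version but not the CU version
    # that Get-ExchangeServer reports, so read the file version on each server.
    $fileVersion = Invoke-Command -ComputerName $server -ScriptBlock {
        (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
    }
    $build = [version]$fileVersion
    $key   = '{0}.{1}' -f $build.Major, $build.Minor

    if (-not $minPatched.ContainsKey($key)) {
        '{0}: unrecognised Exchange version {1}; check manually' -f $server, $fileVersion
        continue
    }
    if ($null -eq $minPatched[$key]) {
        '{0}: minimum patched build for {1} not set; fill in the placeholder' -f $server, $key
        continue
    }
    $status = if ($build -ge $minPatched[$key]) { 'patched' } else { 'VULNERABLE' }
    '{0}: ExSetup.exe {1} -> {2}' -f $server, $fileVersion, $status
}
```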
The warning comes with a reminder that Microsoft support for Exchange 2010 ends on Oct. 13. Rapid7 says organizations running Exchange 2010 and earlier should upgrade to supported technology as soon as possible.
In addition, organizations running Exchange 2013 should begin planning to upgrade to newer technologies. Exchange 2013 support ends April 11, 2023. Administrators should also note the newest version of Windows Server that Exchange 2013 runs on is Windows Server 2012 R2, which reaches end of service on Oct. 10, 2023.
Rapid7 also notes there are 16,577 Exchange 2007 servers still linked to the public internet, a version that hasn’t been supported for over three years. The newest version of Windows Server that Exchange 2007 runs on is Windows Server 2008 R2, which reached end of service this past January.
While Exchange 2016 and 2019 will be supported for some time to come, the blog says organizations running them appear to be doing a poor job of keeping their environments up-to-date. Of the approximately 138,000 Exchange 2016 servers, 87 per cent were missing the most recent updates.
“People reuse passwords,” noted Laurence Pitt, global security strategy director at Juniper Networks. “Regardless of how often they are educated to not do this, it still happens. Hackers steal username, email and password combinations to use in attacks. The combination of these factors means that any Exchange server not patched against CVE-2020-0688 is vulnerable to attack.
“There really is no excuse for not keeping on top of patches. It’s not just about being up to date, but also a business responsibility. The more Exchange servers that can be breached, the more valid credentials can be stolen, the more unpatched servers get breached. This is cyclic.
“Patch the server and enable MFA (multi-factor authentication) so that even stolen credentials are much harder to make use of. Applications such as Microsoft Authenticator are so simple to use that there’s really no reason for not using them.”