Microsoft Exchange Server Email code injection

Summaryinfo

A vulnerability classified as critical was found in Microsoft Exchange Server 2016 Update 16/2016 Update 17/2019 Update 5/2019 Update 6. The impacted element is an unknown function of the component Email Handler. The manipulation results in code injection. This vulnerability is known as CVE-2020-16875. It is possible to launch the attack remotely. Furthermore, an exploit is available. It is advisable to implement a patch to correct this issue.

Detailsinfo

A vulnerability, which was classified as critical, was found in Microsoft Exchange Server 2016 Update 16/2016 Update 17/2019 Update 5/2019 Update 6 (Groupware Software). Affected is an unknown function of the component Email Handler. The manipulation with an unknown input leads to a code injection vulnerability. CWE is classifying the issue as CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:

<p>A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments.</p> <p>An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.</p> <p>The security update addresses the vulnerability by correcting how Microsoft Exchange handles cmdlet arguments.</p>

The weakness was published 09/08/2020 as confirmed security update guide (Website). The advisory is shared for download at portal.msrc.microsoft.com. The public release has been coordinated with the vendor. This vulnerability is traded as CVE-2020-16875. It is possible to launch the attack remotely. The exploitation requires an enhanced level of successful authentication. Successful exploitation requires user interaction by the victim. Technical details are unknown but a public exploit is available. The MITRE ATT&CK project declares the attack technique as T1059. The advisory points out:

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

A public exploit has been developed by Steven Seeley (mr_me) in Python and been published immediately after the advisory. The exploit is shared for download at srcincite.io. It is declared as functional. As 0-day the estimated underground price was around $25k-$100k.

Applying a patch is able to eliminate this problem. A possible mitigation has been published immediately after the disclosure of the vulnerability.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Type

• Groupware Software

Vendor

• Microsoft

Name

• Exchange Server

Version

• 2016 Update 16
• 2016 Update 17
• 2019 Update 5
• 2019 Update 6

License

• commercial

Website

• Vendor: https://www.microsoft.com/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion