Vulnerabilities > CVE-2020-0692 - Improper Privilege Management vulnerability in Microsoft Exchange Server 2013/2016/2019

047910
CVSS 6.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
microsoft
CWE-269
nessus

Summary

An elevation of privilege vulnerability exists in Microsoft Exchange Server, aka 'Microsoft Exchange Server Elevation of Privilege Vulnerability'.

Vulnerable Configurations

Part Description Count
Application
Microsoft
5

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Restful Privilege Elevation
    Rest uses standard HTTP (Get, Put, Delete) style permissions methods, but these are not necessarily correlated generally with back end programs. Strict interpretation of HTTP get methods means that these HTTP Get services should not be used to delete information on the server, but there is no access control mechanism to back up this logic. This means that unless the services are properly ACL'd and the application's service implementation are following these guidelines then an HTTP request can easily execute a delete or update on the server side. The attacker identifies a HTTP Get URL such as http://victimsite/updateOrder, which calls out to a program to update orders on a database or other resource. The URL is not idempotent so the request can be submitted multiple times by the attacker, additionally, the attacker may be able to exploit the URL published as a Get method that actually performs updates (instead of merely retrieving data). This may result in malicious or inadvertent altering of data on the server.

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS20_FEB_EXCHANGE.NASL
descriptionThe Microsoft Exchange Server installed on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities : - An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. (CVE-2020-0692) - A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server. The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory. (CVE-2020-0688)
last seen2020-06-05
modified2020-02-11
plugin id133617
published2020-02-11
reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
sourcehttps://www.tenable.com/plugins/nessus/133617
titleSecurity Updates for Exchange (February 2020)
code
#
# (C) Tenable Network Security, Inc.
#




# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(133617);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2020-0688", "CVE-2020-0692");
  script_xref(name:"MSKB", value:"4536987");
  script_xref(name:"MSKB", value:"4536988");
  script_xref(name:"MSKB", value:"4536989");
  script_xref(name:"MSFT", value:"MS20-4536987");
  script_xref(name:"MSFT", value:"MS20-4536988");
  script_xref(name:"MSFT", value:"MS20-4536989");

  script_name(english:"Security Updates for Exchange (February 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Exchange Server installed on the remote host
is missing security updates. It is, therefore, affected by
multiple vulnerabilities :

  - An elevation of privilege vulnerability exists in
    Microsoft Exchange Server. An attacker who successfully
    exploited this vulnerability could gain the same rights
    as any other user of the Exchange server. This could
    allow the attacker to perform activities such as
    accessing the mailboxes of other users. Exploitation of
    this vulnerability requires Exchange Web Services (EWS)
    to be enabled and in use in an affected environment.
    (CVE-2020-0692)

  - A remote code execution vulnerability exists in
    Microsoft Exchange software when the software fails to
    properly handle objects in memory. An attacker who
    successfully exploited the vulnerability could run
    arbitrary code in the context of the System user. An
    attacker could then install programs; view, change, or
    delete data; or create new accounts. Exploitation of the
    vulnerability requires that a specially crafted email be
    sent to a vulnerable Exchange server. The security
    update addresses the vulnerability by correcting how
    Microsoft Exchange handles objects in memory.
    (CVE-2020-0688)");
  # https://support.microsoft.com/en-us/help/4536987/security-update-for-exchange-server-2019-and-2016
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cac6add1");
  # https://support.microsoft.com/en-us/help/4536988/description-of-the-security-update-for-microsoft-exchange-server-2013
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dce9375f");
  # https://support.microsoft.com/en-us/help/4536989/security-update-for-exchange-server-2010
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b23bced2");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
  -KB4536987
  -KB4536988
  -KB4536989");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0688");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exchange Control Panel ViewState Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('misc_func.inc');
include('install_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS20-02';
kbs = make_list(
  '4536987', # Exchange Server 2019 CU 3-4 / 2016 CU 14-15
  '4536988', # 2013 CU 23
  '4536989'  # 2010 SP3 RU30
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

install = get_single_install(app_name:'Microsoft Exchange');

path = install['path'];
version = install['version'];
release = install['RELEASE'];
port = kb_smb_transport();

if (
    release != 140 &&
    release != 150 &&
    release != 151 &&
    release != 152
)  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (!empty_or_null(install['CU']))
  cu = install['CU'];
if (!empty_or_null(install['SP']))
  sp = install['SP'];

if (release == 140) # Exchange Server 2010
{
  # 2010 is using SP's not CU's
  if (sp == 3)
  {
    fixedver = '14.3.496.0';
    kb = '4536989';
  }
  else if (sp != 3)
    audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);
}
if (release == 150) # Exchange Server 2013
{
  # Microsoft confirms this vulnerability affects CU 22 as well
  if (cu == 22 || cu == 23)
  {
    fixedver = '15.0.1497.6';
    kb = '4536988';
  }
  else if (cu < 22)
  {
    unsupported_cu = TRUE; 
  }
}
else if (release == 151) # Exchange Server 2016
{
  if (cu == 14)
  {
    fixedver = '15.1.1847.7';
    kb = '4536987';
  }
  else if (cu == 15)
  {
    fixedver = '15.1.1913.7';
    kb = '4536987';
  }
  else if (cu < 14)
  {
    unsupported_cu = TRUE; 
  }
}
else if (release == 152) # Exchange Server 2019
{
  if (cu == 3)
  {
    fixedver = '15.2.464.11';
    kb = '4536987';
  }
  else if (cu == 4)
  {
    fixedver = '15.2.529.8';
    kb = '4536987';
  }
  else if (cu < 3)
  {
    unsupported_cu = TRUE; 
  }
}

if ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))
|| (unsupported_cu && report_paranoia == 2))
{
  if (unsupported_cu)
    hotfix_add_report('The Microsoft Exchange Server installed at ' + path +
    ' has an unsupported Cumulative Update (CU) installed and may be ' +
    'vulnerable to the CVEs contained within the advisory. Unsupported ' +
    'Exchange CU versions are not typically included in Microsoft ' +
    'advisories and are not indicated as affected.\n',
    bulletin:bulletin, kb:kb);

  if (xss) replace_kb_item(name:'www/' + port + '/XSS', value:TRUE);

  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}