Vulnerabilities > CVE-2020-0692 - Improper Privilege Management vulnerability in Microsoft Exchange Server 2013/2016/2019

#
# (C) Tenable Network Security, Inc.
#




# The descriptive text and package checks in this plugin were  
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
#

include('compat.inc');

if (description)
{
  script_id(133617);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2020-0688", "CVE-2020-0692");
  script_xref(name:"MSKB", value:"4536987");
  script_xref(name:"MSKB", value:"4536988");
  script_xref(name:"MSKB", value:"4536989");
  script_xref(name:"MSFT", value:"MS20-4536987");
  script_xref(name:"MSFT", value:"MS20-4536988");
  script_xref(name:"MSFT", value:"MS20-4536989");

  script_name(english:"Security Updates for Exchange (February 2020)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Exchange Server installed on the remote host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Exchange Server installed on the remote host
is missing security updates. It is, therefore, affected by
multiple vulnerabilities :

  - An elevation of privilege vulnerability exists in
    Microsoft Exchange Server. An attacker who successfully
    exploited this vulnerability could gain the same rights
    as any other user of the Exchange server. This could
    allow the attacker to perform activities such as
    accessing the mailboxes of other users. Exploitation of
    this vulnerability requires Exchange Web Services (EWS)
    to be enabled and in use in an affected environment.
    (CVE-2020-0692)

  - A remote code execution vulnerability exists in
    Microsoft Exchange software when the software fails to
    properly handle objects in memory. An attacker who
    successfully exploited the vulnerability could run
    arbitrary code in the context of the System user. An
    attacker could then install programs; view, change, or
    delete data; or create new accounts. Exploitation of the
    vulnerability requires that a specially crafted email be
    sent to a vulnerable Exchange server. The security
    update addresses the vulnerability by correcting how
    Microsoft Exchange handles objects in memory.
    (CVE-2020-0688)");
  # https://support.microsoft.com/en-us/help/4536987/security-update-for-exchange-server-2019-and-2016
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cac6add1");
  # https://support.microsoft.com/en-us/help/4536988/description-of-the-security-update-for-microsoft-exchange-server-2013
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dce9375f");
  # https://support.microsoft.com/en-us/help/4536989/security-update-for-exchange-server-2010
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b23bced2");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
  -KB4536987
  -KB4536988
  -KB4536989");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-0688");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exchange Control Panel ViewState Deserialization');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/02/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('audit.inc');
include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('misc_func.inc');
include('install_func.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS20-02';
kbs = make_list(
  '4536987', # Exchange Server 2019 CU 3-4 / 2016 CU 14-15
  '4536988', # 2013 CU 23
  '4536989'  # 2010 SP3 RU30
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

install = get_single_install(app_name:'Microsoft Exchange');

path = install['path'];
version = install['version'];
release = install['RELEASE'];
port = kb_smb_transport();

if (
    release != 140 &&
    release != 150 &&
    release != 151 &&
    release != 152
)  audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);

if (!empty_or_null(install['CU']))
  cu = install['CU'];
if (!empty_or_null(install['SP']))
  sp = install['SP'];

if (release == 140) # Exchange Server 2010
{
  # 2010 is using SP's not CU's
  if (sp == 3)
  {
    fixedver = '14.3.496.0';
    kb = '4536989';
  }
  else if (sp != 3)
    audit(AUDIT_INST_VER_NOT_VULN, 'Exchange', version);
}
if (release == 150) # Exchange Server 2013
{
  # Microsoft confirms this vulnerability affects CU 22 as well
  if (cu == 22 || cu == 23)
  {
    fixedver = '15.0.1497.6';
    kb = '4536988';
  }
  else if (cu < 22)
  {
    unsupported_cu = TRUE; 
  }
}
else if (release == 151) # Exchange Server 2016
{
  if (cu == 14)
  {
    fixedver = '15.1.1847.7';
    kb = '4536987';
  }
  else if (cu == 15)
  {
    fixedver = '15.1.1913.7';
    kb = '4536987';
  }
  else if (cu < 14)
  {
    unsupported_cu = TRUE; 
  }
}
else if (release == 152) # Exchange Server 2019
{
  if (cu == 3)
  {
    fixedver = '15.2.464.11';
    kb = '4536987';
  }
  else if (cu == 4)
  {
    fixedver = '15.2.529.8';
    kb = '4536987';
  }
  else if (cu < 3)
  {
    unsupported_cu = TRUE; 
  }
}

if ((fixedver && hotfix_is_vulnerable(path:hotfix_append_path(path:path, value:"Bin"), file:'ExSetup.exe', version:fixedver, bulletin:bulletin, kb:kb))
|| (unsupported_cu && report_paranoia == 2))
{
  if (unsupported_cu)
    hotfix_add_report('The Microsoft Exchange Server installed at ' + path +
    ' has an unsupported Cumulative Update (CU) installed and may be ' +
    'vulnerable to the CVEs contained within the advisory. Unsupported ' +
    'Exchange CU versions are not typically included in Microsoft ' +
    'advisories and are not indicated as affected.\n',
    bulletin:bulletin, kb:kb);

  if (xss) replace_kb_item(name:'www/' + port + '/XSS', value:TRUE);

  set_kb_item(name:'SMB/Missing/' + bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}