CVE-2020-0688 is a critical vulnerability in Microsoft Exchange due to use of static keys. Although exploitation requires valid credentials (at an email user level) and the risk of mass-exploitation is low, this vulnerability might be very useful in targeted attacks as it leads to SYSTEM level RCE.
More information:
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
- https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
- https://www.tenable.com/blog/cve-2020-0688-microsoft-exchange-server-static-key-flaw-could-lead-to-remote-code-execution
There are several sources of known false negatives (vulnerable Exchange servers that will be missed by this script):
-
Potential Exchange servers are prescreened by identifying hosts that have both port 25 and 443 open. If there are any setups that block one of these, they will get missed.
-
zmap is optimized for speed and scalability at the expense of precision. Typically multiple consecutive runs of zmap provide slightly different results. As a result, multiple runs of this script will show slightly different results as well.
Not sure whether this is caused purely by network congestion or by buggy code. Pull-request with patches/workarounds are certainly welcome!
-
We're not trying to be sneaky here, so some firewalls might simply block us as a robot.
-
Since we're not doing any fancy fingerprinting and only rely on the version that Exchange server reports itself, we are limited to first three fields in version number.
For example, latest cumulative update for Exchange Server 2019 is 15.2.529.5 which has been released in December and is vulnerable. The latest update that contains the patch is 15.2.529.8. Both of these self-report their version as 15.2.529, so the script will assume that the server is patched even if does not have the latest patch installed and is vulnerable.
In practice though it seems that there are either Exchange admins that update their systems as soon as patches come out or those that live by "if it works, don't touch it" principle. There's no in between.
zmap, Python >= 3.5, modules:
- dnspython
- pyOpenSSL
- requests
You can install them globally with:
$ sudo dnf install zmap python3-gevent python3-dns python3-pyOpenSSLor:
$ sudo apt install zmap python3-gevent python3-dns python3-opensslPython modules can be installed locally as well, through virtualenv:
$ virtualenv -p python3 CVE-2020-0688
$ . ./CVE-2020-0688/bin/activate
$ pip install -r ./requirements.txtFor basic scanning all you need is a file with IPs/subnets (in CIDR format) to scan:
$ ./scan.py ~/my_networks.txt output.csvOutput will be written in a CSV format with following columns:
| IP | Exchange Version | Server Name | PTR | Common Name (from TLS cert) |
|---|
Optionally, you can ask to output info on all Exchange servers found:
$ ./scan.py -f ~/my_networks.txt output.csvIn which case there will be one more column to indicate whether server is vulnerable or not:
| IP | Exchange Version | Vulnerable? | Server Name | PTR | Common Name (from TLS cert) |
|---|
You can also provide a file with blacklisted IPs/subnets (option -b), change the number of
parallel tasks (-p) or length of the timeouts (-t):
$ # ./scan.py -h
usage: scan.py [-h] [-b BLACKLIST] [-f] [-p PARALLEL] [-t TIMEOUT]
input output
Identify Exchange servers vulnerable to CVE-2020-0688.
positional arguments:
input Input file, each line contains one IP/subnet
output File to save the results (in CSV format)
optional arguments:
-h, --help show this help message and exit
-b BLACKLIST, --blacklist BLACKLIST
File containing IPs/subnets to avoid
-f, --full Don't filter seemingly up-to-date Exchange servers
-p PARALLEL, --parallel PARALLEL
How many requests to send in parallel (default: 1000)
-t TIMEOUT, --timeout TIMEOUT
Timeout (seconds) to use for network connections
(default: 5)