Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2020-16875) Handling Guide

October 7, 2020 | Mina Hao

Vulnerability Description

Recently, NSFOCUS detected that security personnel had disclosed online the procedure for exploiting the Microsoft Exchange Server remote code execution vulnerability (CVE-2020-16875). Microsoft made the vulnerability public in its September 2020 Security Updates. A remote code execution vulnerability exists in the way that Microsoft Exchange Server handles objects in memory. Successful exploitation requires user rights that can be authenticated as an Exchange role. An attacker could trigger the vulnerability by sending an email that contains special cmdlet arguments to the affected Exchange server. An attacker who successfully exploited the vulnerability could execute arbitrary code with system privileges on the affected system. Users should take preventive measures as soon as possible.

Reference link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875

Scope of Impact

Affected versions

  • Microsoft Exchange Server 2016 Cumulative Update 16
  • Microsoft Exchange Server 2016 Cumulative Update 17
  • Microsoft Exchange Server 2019 Cumulative Update 5
  • Microsoft Exchange Server 2019 Cumulative Update 6

Check for the Vulnerability

  • Detection with NSFOCUS Product

NSFOCUS Remote Security Assessment System (RSAS) is capable of scanning and detecting the vulnerability. Please upgrade it to the latest version.

| Product | Version | Download Link |
|---|---|---|
| RSAS V6 system plug-in package | V6.0R02F01.1911 | http://update.nsfocus.com/update/downloads/id/108221 |

For how to upgrade NSFOCUS RSAS, click the following link:

https://mp.weixin.qq.com/s/aLAWXs5DgRhNHf4WHHhQyg

Mitigation

  • Official Fix

Microsoft has released security updates that fix this vulnerability in the product versions it supports. Affected users should apply these updates as soon as possible. The updates are available at the following link:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16875

Note: Windows Update may fail due to network and computer environment problems. Users are therefore advised to verify, immediately after installation, that the patches were applied successfully.

Right-click the Windows icon, select Settings (N), choose System and Security > Windows Update, and view the prompt message on the page. Alternatively, view the update history by clicking the View update history button.

If some updates cannot be installed successfully, click the update names to go to Microsoft’s download page. Users are advised to follow the links on that page to the “Microsoft Update Catalog” website and download and install the standalone packages.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
