[Vulnerability Advisory] CVE-2020-0688: Microsoft Exchange .NET Deserialization Remote Code Execution Vulnerability

Vulnerability Description

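On February 11, 2020, Microsoft released a patch for CVE-2020-0688, a .NET deserialization remote code execution vulnerability in Exchange Server.
A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. The vulnerability arises because the Exchange Control Panel (ECP) component uses static validationKey and decryptionKey values. These keys are used to provide security for ViewState. ViewState is server-side data that ASP.NET web applications store on the client in serialized form. The client passes this data back to the server in the __VIEWSTATE request parameter. An authenticated attacker can trick the server into deserializing maliciously crafted serialized ViewState data and thereby execute arbitrary .NET code in the context of the Exchange Control Panel web application. Because the Exchange Control Panel web application runs with SYSTEM privileges, an attacker who successfully exploits this vulnerability can execute arbitrary commands as SYSTEM and fully compromise the target Exchange server.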
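
A defensive audit for the condition described above, as an added example that is not part of the original advisory: it parses web.config contents collected from several servers, flags machineKey values that are hard-coded literals instead of auto-generated, and groups hosts that share the same validationKey. The host names, sample configs and key strings are constructed placeholders, and the function names are hypothetical.

```python
import hashlib
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample configs; host names and key strings are placeholders, not real keys.
K = "0123456789ABCDEF" * 3
D = "FEDCBA9876543210" * 3
TEMPLATE = '<configuration><system.web>{}</system.web></configuration>'
SAMPLES = {
    "ex01": TEMPLATE.format(f'<machineKey validationKey="{K}" decryptionKey="{D}" validation="SHA1"/>'),
    "ex02": TEMPLATE.format(f'<machineKey validationKey="{K}" decryptionKey="{D}" validation="SHA1"/>'),
    "ex03": TEMPLATE.format('<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps"/>'),
    "ex04": TEMPLATE.format('<compilation debug="false"/>'),  # no machineKey element
}

def machine_key(xml_text):
    """Return the attributes of the first <machineKey> element, or {} if absent."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    return dict(node.attrib) if node is not None else {}

def is_static(value):
    """A key is static when it is a literal instead of an AutoGenerate setting."""
    return bool(value) and not value.strip().lower().startswith("autogenerate")

def fingerprint(value):
    """Short SHA-256 digest so reports never contain the key itself."""
    return hashlib.sha256(value.strip().upper().encode()).hexdigest()[:16]

def audit(configs):
    """Return ({host: [static attributes]}, [groups of hosts sharing a validationKey])."""
    findings, by_fp = {}, defaultdict(list)
    for host, xml_text in configs.items():
        mk = machine_key(xml_text)
        static = [a for a in ("validationKey", "decryptionKey") if is_static(mk.get(a))]
        findings[host] = static
        if "validationKey" in static:
            by_fp[fingerprint(mk["validationKey"])].append(host)
    shared = sorted(sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1)
    return findings, shared

if __name__ == "__main__":
    findings, shared = audit(SAMPLES)
    for host, attrs in findings.items():
        print(host, "static:", attrs or "none")
    print("hosts sharing a validationKey:", shared)
```

A literal key is not always a defect, since web farms share keys on purpose; the finding that matches this advisory is the same literal key appearing on independently installed servers.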

Vulnerability ID

CVE-2020-0688

Threat Level

High

Affected Versions

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4

Vulnerability Verification

The username information is carried out through dnslog.

Remediation

Microsoft has released a patch:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

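Timeline

[0] 2020/02/11 Microsoft released the patch
[1] 2020/02/25 ZDI published details and a demonstration
[2] 2020/02/26 AsiaInfo Security Network Attack and Defense Lab analyzed and reproduced the vulnerability and published a vulnerability advisory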

Reference

https://www.zerodayinitiative.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
https://mp.weixin.qq.com/s/cUWL15YsS2GrId2Fo8ZsbA
