Microsoft patched around 99 important/critical vulnerabilities in their most recent February Patch Tuesday. Among those vulnerabilities was a critical vulnerability (CVE-2020-0688) affecting all versions of Microsoft Exchange, which allows attackers to remotely execute code through ViewState. ViewState is server-side data that ASP.NET web applications store in serialized form on the client. The vulnerability to ViewState stems from the fact that instead of generating unique validationKey and decryptionKey values during install, all versions of Exchange leading up to this patch had the same key values. These keys are used to provide security to ViewState. By leveraging these static keys, as well as any user account that can log into an Exchange server, attackers can remotely execute code with the same level of privileges that the Exchange server runs at–which is System.
Analyst Notes
While Binary Defense understands that some businesses may not be able to update all systems to the latest Security Patch due to broken dependencies, Binary Defense recommends patching any vulnerable Exchange server with the Security Updates listed here: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688 . Additionally, Binary Defense recommends rotating all validationKey and decryptionKeys used by the Exchange Server.
https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys
