PT-2020-1715 · Microsoft · Exchange Server+1

Published: 2020-02-11 · Updated: 2026-06-08 · CVE-2020-0688

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Microsoft Exchange Server (affected versions not specified)
Description

A remote code execution issue exists in Microsoft Exchange Server due to the failure to properly create unique keys during installation. This flaw, also referred to as a memory corruption issue, stems from deficiencies in the deserialization mechanism. An authenticated user with a mailbox who possesses the validation key can pass arbitrary objects to be deserialized by the web application, which operates with SYSTEM privileges. Real-world exploitation has been observed in Asia, targeting government agencies and high-tech companies through a sophisticated backdoor named GhostContainer. This malware uses the App_Web_Container_1.dll file as a container, employing a Stub class for command parsing and an App_Web_843e75cf5b63 class as a web-proxy loader. It evades detection by overwriting memory addresses in amsi.dll and ntdll.dll to bypass the Antimalware Scan Interface (AMSI) and Windows event logging.
Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

RCE

Improper Authentication

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2020-00948
CVE-2020-0688
ZDI-20-258

Affected Products

Asp.Net
Exchange Server