<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1462084720533760&amp;ev=PageView&amp;noscript=1">
Vulnerability Report

CVE-2020-17084 Buffer Overflow in Microsoft Exchange Server

Virsec Security Research Lab Vulnerability Analysis

The Virsec Security Research Lab provides detailed analysis on recent and notable security vulnerabilities

Vulnerability Summary

These are very early days for this vulnerability and not enough public information has been released into the NVD database. This Microsoft Exchange Server Remote Code Execution Vulnerability has been confirmed by Microsoft. They state in the referenced link that a detailed report exists, and functional reproduction is possible. Their analysis of the source code confirms the assertions of the researcher, Steven Seeley, who submitted the vulnerability.

Watch the video to learn more about this and other important vulnerabilities.

CVSS Score

The CVSS Base Score is 8.8 (High)

Affected Version

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 18

Microsoft Exchange Server 2019 Cumulative Update 7

Microsoft Exchange Server 2016 Cumulative Update 17

Microsoft Exchange Server 2019 Cumulative Update 6

Vulnerability Attribution

Steven Seeley of Source Incite

Risk Impact

This vulnerability has been assigned CWE 120 (classic buffer overflow). As a result, an attacker can execute arbitrary and malicious code on the server. From the details of the CVSS score, users with even low privileges can leverage the vulnerability. Had publicly disclosed vulnerabilities existed at his time, the risk level would have been critical. Public exploit is not available.

Virsec Security Platform (VSP) Support

The Virsec Security Platform (VSP)- Host running on the server can protect against malicious code running on the attacked Exchange Server. VSP-Mem also protects against Buffer Overflow vulnerabilities.

Reference Links

Download the full vulnerability report to learn more about this and other important vulnerabilities.