One Article Review

Home - The article:
Source taosecurity
Identifier 1642868
Publication date 2020-04-07 11:28:11 (viewed: 2020-04-08 14:08:37)
Title If You Can't Patch Your Email Server, You Should Not Be Running It
Text

[Figure: CVE-2020-0688 Scan Results, per Rapid7]

tl;dr -- it's the title of the post: "If You Can't Patch Your Email Server, You Should Not Be Running It."

I read a disturbing story today with the following news:

"Starting March 24, Rapid7 used its Project Sonar internet-wide survey tool to discover all publicly-facing Exchange servers on the Internet and the numbers are grim.

As they found, 'at least 357,629 (82.5%) of the 433,464 Exchange servers' are still vulnerable to attacks that would exploit the CVE-2020-0688 vulnerability.

To make matters even worse, some of the servers that were tagged by Rapid7 as being safe against attacks might still be vulnerable given that 'the related Microsoft update wasn't always updating the build number.'

Furthermore, 'there are over 31,000 Exchange 2010 servers that have not been updated since 2012,' as the Rapid7 researchers observed. 'There are nearly 800 Exchange 2010 servers that have never been updated.'

They also found 10,731 Exchange 2007 servers and more than 166,321 Exchange 2010 ones, with the former already running End of Support (EoS) software that hasn't received any security updates since 2017 and the latter reaching EoS in October 2020."

In case you were wondering, threat actors have already been exploiting these flaws for weeks, if not months.

Email is one of, if not the most, sensitive and important systems upon which organizations of all shapes and sizes rely. They are, by virtue of their function, inherently exposed to the Internet, meaning they are within the range of every targeted or opportunistic intruder, worldwide.

In this particular case, unpatched servers are also vulnerable to any actor who can download and update Metasploit, which is virtually 100% of them.

It is the height of negligence to run such an important system in an unpatched state, when there are much better alternatives -- namely, outsourcing your email to a competent provider, like Google, Microsoft, or several others.

I expect some readers are saying "I would never put my email in the hands of those big companies!" That's fine, and I know several highly competent individuals who run their own email infrastructure. The problem is that they represent the small fraction of individuals and organizations who can do so. Even being extremely generous with the numbers, it appears that less than 20%, and probably less than 15% according to other estimates, can even keep their Exchange servers patched, let alone properly configured.

If you think it's still worth the risk, and your organization isn't able to patch, because you want to avoid megacorp email providers or government access to your email, you've made a critical miscalculation. You've essentially decided that it's more important for you to keep your email out of megacorp or government hands than it is to keep i