BSI warns: Code-injection vulnerabilities in thousands of Exchange servers remain unpatched

The BSI's CERT group warns that at least 18,000 Exchange servers in Germany are exposed to vulnerabilities that let attackers inject malicious code.


(Image: Michael Traitov/Shutterstock.com)

This article was originally published in German and has been automatically translated.

The CERT group of the German Federal Office for Information Security (BSI) has criticized the fact that many thousands of Exchange servers in Germany expose Outlook Web Access (OWA) to the Internet while remaining vulnerable to the injection of malicious code. According to the report, at least 42 percent of Exchange servers in Germany whose OWA is reachable from the public Internet are affected.

The BSI writes that more than 18,000 Exchange servers offer open Outlook Web Access and are vulnerable to one or more code-injection vulnerabilities.

A chart illustrates the pattern clearly: a newly disclosed vulnerability that is closed on a patch day first raises the number of vulnerable systems, which then declines only gradually.

The chart shows a vulnerability appearing after a patch day; on some systems it was closed only much later.

(Image: CERT-Bund on X)

However, the time taken to install the updates appears to be quite long for many servers.

CERT-Bund also states that around 11 percent of Exchange servers with accessible OWA run outdated server software, specifically Microsoft Exchange 2010 and 2013, which no longer receive support or security updates.

Many servers even run Exchange versions that are no longer supported.

(Image: CERT-Bund on X)

According to the BSI, only 20 percent of Exchange servers in Germany with active, Internet-accessible OWA are up to date with the latest patches. Broken down by vulnerability, 34 percent of the Exchange 2016 and 2019 servers still supported by Microsoft remain vulnerable to CVE-2024-26198, for which Microsoft released a security patch in March.
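The figures above boil down to two checks an administrator can run against an inventory of their own servers: is the product family still supported at all, and does the installed build carry the relevant security update? The following script is an added example (not code from the BSI, CERT-Bund or heise); it parses four-part Exchange build numbers such as those reported by `Get-ExchangeServer` or the file version of `ExSetup.exe`, maps the major.minor prefix to a product family (14.x = Exchange 2010, 15.0 = 2013, 15.1 = 2016, 15.2 = 2019), treats 2010 and 2013 as unsupported as the article states, and compares the revision against a per-CU-branch table of patched builds. The build numbers in that table and the inventory lines are constructed placeholders for this example; the real minimum builds for a given security update must be taken from Microsoft's Exchange Server build table.

```python
"""Classify Exchange Server builds by product family, support status and patch level.

Added illustration, not part of the original article. The major.minor to product
mapping follows Microsoft's Exchange build convention; the patched-build table and
the inventory below are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass

# Product families that no longer receive security updates (per the BSI report).
UNSUPPORTED = {"Exchange 2010", "Exchange 2013"}

# Minimum revision per CU branch (major, minor, build) that contains the fix.
# PLACEHOLDER values constructed for this example: replace them with the build
# numbers from Microsoft's Exchange Server build table for the update in question.
PATCHED_REVISION = {
    (15, 1, 2507): 37,  # Exchange 2016 CU23 branch (placeholder)
    (15, 2, 1258): 32,  # Exchange 2019 CU13 branch (placeholder)
    (15, 2, 1544): 9,   # Exchange 2019 CU14 branch (placeholder)
}

# Constructed inventory: "<host> <build>" per line, hostnames are fictitious.
INVENTORY = """\
mail01.example.test 15.1.2507.37
mail02.example.test 15.1.2507.27
legacy.example.test 15.0.1497.48
mx03.example.test 15.2.1544.4
mx04.example.test 14.3.513.0
"""


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    status: str  # "patched", "unpatched", "unsupported", "unknown-branch", "unknown-product"


def parse_build(text: str) -> tuple[int, int, int, int]:
    """Turn '15.1.2507.37' into (15, 1, 2507, 37); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build number: {text!r}")
    major, minor, build, revision = (int(p) for p in parts)
    return major, minor, build, revision


def product_family(build: tuple[int, int, int, int]) -> str:
    """Map the major.minor prefix to the Exchange product family."""
    major, minor = build[0], build[1]
    if major == 14:
        return "Exchange 2010"
    return {(15, 0): "Exchange 2013", (15, 1): "Exchange 2016",
            (15, 2): "Exchange 2019"}.get((major, minor), "unknown")


def classify(host: str, build_text: str) -> Finding:
    """Decide whether a server is unsupported, unpatched or patched for the tracked update."""
    build = parse_build(build_text)
    product = product_family(build)
    if product == "unknown":
        return Finding(host, product, "unknown-product")
    if product in UNSUPPORTED:
        # No security update will ever arrive for these; patch level is irrelevant.
        return Finding(host, product, "unsupported")
    needed = PATCHED_REVISION.get(build[:3])
    if needed is None:
        # A CU branch with no entry got no security update: needs a CU upgrade first.
        return Finding(host, product, "unknown-branch")
    return Finding(host, product, "patched" if build[3] >= needed else "unpatched")


def audit(inventory: str) -> list[Finding]:
    """Classify every non-empty '<host> <build>' line of the inventory text."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, build_text = line.split()
        findings.append(classify(host, build_text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per status, the shape of the percentages quoted by CERT-Bund."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f.host:22} {f.product:14} {f.status}")
    print(summarize(results))
```

Servers reported as `unsupported` or `unknown-branch` cannot be fixed by a security update alone; they need a product or cumulative-update upgrade before any patch-level comparison is meaningful, which is exactly why CERT-Bund counts the 2010 and 2013 installations separately from the unpatched 2016 and 2019 servers.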

The BSI's warning comes around three months after the authority last warned, towards the end of March, of more than 17,000 vulnerable Exchange servers. At that time it also declared threat level "orange", which means: "The IT threat situation is business-critical. Massive impairment of regular operations". The security situation has apparently not improved since then - on the contrary, it has worsened.

This week, the BSI and the Federal Office for the Protection of the Constitution have therefore called on administrators in general to install available updates more quickly - including for Outlook and Codesys. Of the roughly 1,700 users of Check Point security gateway products identified, only about half have installed the update that has been available for weeks and closes the critical security gap.

(dmk)