cve-2020-0688-versioncheck.py

#!/usr/bin/env python3

import urllib3, argparse, re, requests, sys
urllib3.disable_warnings()

# Build numbers vs versions and CUs
# https://www.msoutlook.info/question/277
vers = {
  "15.2.221":"2019",
  "15.2.330":"2019 CU1",
  "15.2.397":"2019 CU2",
  "15.2.464":"2019 CU3",
  "15.2.529":"2019 CU3",
  "15.1.225":"2016",
  "15.1.396":"2016 CU1",
  "15.1.466":"2016 CU2",
  "15.1.544":"2016 CU3",
  "15.1.669":"2016 CU4",
  "15.1.845":"2016 CU5",
  "15.1.1034":"2016 CU6",
  "15.1.1261":"2016 CU7",
  "15.1.1415":"2016 CU8",
  "15.1.1466":"2016 CU9",
  "15.1.1531":"2016 CU10",
  "15.1.1591":"2016 CU11",
  "15.1.1713":"2016 CU12",
  "15.1.1779":"2016 CU13",
  "15.1.1847":"2016 CU14",
  "15.1.1913":"2016 CU15",
  "15.0.516":"2013",
  "15.0.620":"2013 CU1",
  "15.0.712":"2013 CU3",
  "15.0.775":"2013 CU3",
  "15.0.847":"2013 SP1 (CU4)",
  "15.0.913":"2013 CU5",
  "15.0.995":"2013 CU6",
  "15.0.1044":"2013 CU7",
  "15.0.1076":"2013 CU8",
  "15.0.1104":"2013 CU9",
  "15.0.1130":"2013 CU10",
  "15.0.1156":"2013 CU11",
  "15.0.1178":"2013 CU12",
  "15.0.1210":"2013 CU13",
  "15.0.1236":"2013 CU14",
  "15.0.1263":"2013 CU15",
  "15.0.1293":"2013 CU16",
  "15.0.1320":"2013 CU17",
  "15.0.1347":"2013 CU18",
  "15.0.1365":"2013 CU19",
  "15.0.1367":"2013 CU20",
  "15.0.1395":"2013 CU21",
  "15.0.1473":"2013 CU22",
  "15.0.1497":"2013 CU23",
  "14.0.639":"2010",
  "14.1.218":"2010 SP1",
  "14.2.247":"2010 SP2",
  "14.2.318":"2010 SP2 RU4",
  "14.3.123":"2010 SP3",
  "14.3.266":"2010 SP3 RU11",
  "14.3.279":"2010 SP3 RU12",
  "14.3.294":"2010 SP3 RU13",
  "14.3.301":"2010 SP3 RU14",
  "14.3.319":"2010 SP3 RU15",
  "14.3.339":"2010 SP3 RU16",
  "14.3.352":"2010 SP3 RU17",
  "14.3.361":"2010 SP3 RU18",
  "14.3.382":"2010 SP3 RU19",
  "14.3.389":"2010 SP3 RU20",
  "14.3.399":"2010 SP3 RU21",
  "14.3.411":"2010 SP3 RU22",
  "14.3.417":"2010 SP3 RU23",
  "14.3.419":"2010 SP3 RU24",
  "14.3.435":"2010 SP3 RU25",
  "14.3.442":"2010 SP3 RU26",
  "14.3.452":"2010 SP3 RU27",
  "14.3.461":"2010 SP3 RU28",
  "14.3.468":"2010 SP3 RU29",
  "8.0.685":"2007",
  "8.1.240":"2007 SP1",
  "8.2.176":"2007 SP2",
  "8.3.83":"2007 SP3",
  "8.3.517":"2007 SP3 RU23"
}

# From https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
fixed = ["2010 SP3 RU30","2013 CU23","2016 CU14","2016 CU15","2019 CU3","2019 CU4"]

# Parse args
parser = argparse.ArgumentParser(description="Check the version of an OWA instance")
parser.add_argument("url", help="URL of OWA, e.g. https://webmail.company.com/")
args = parser.parse_args()
if not args.url:
  parser.print_usage()
  sys.exit(2)

# Get login page
url = args.url + '/owa/auth/logon.aspx'

r = requests.get( url, verify=False )

# Get build number from response
m = re.search(r'(?P<major>[0-9]+)\.(?P<minor>[0-9])\.(?P<build>[0-9]+)(\.(?P<release>[0-9]\+))?',r.text)
if not m:
  print('Couldn\'t find a build number')
  sys.exit(1)


print('Vulnerability was fixed in:\n - ' + '\n - '.join(fixed))

build = m.group('major') + '.' + m.group('minor') + '.' + m.group('build')
print('Build is ' + build)
if build not in list(vers.keys()):
  print('Don\'t know that build number, taking a guess...')
  if int(m.group('major')) < 14:
    print('This is older than Exchange 2010 - possibly too old to be vulnerable!')
    sys.exit(0)
  else:
    # Get all builds of this version
    v = m.group('major') + '.' + m.group('minor') + '.'
    for b,cu in vers.items():
      if b.startswith( v ):
        if cu in fixed:
          # Is the build bigger than the fixed version?
          fb = int(b.split('.')[2])
          print('Vuln was fixed in build', fb )
          if int(m.group('build')) > fb:
            print('This build is later - not vulnerable')
            sys.exit(0)
    print('No idea what this is')
    sys.exit(1)
else:
  version = vers[build]
  print('Matches version: ' + version)
  if version not in fixed:
    print('VULNERABLE TO CVE-2020-0688!')
  else:
    print('Patched against CVE-2020-0688')