EOL software: a practical case where ITAM is useful for security

The Microsoft Exchange Server case.

How ITAM processes for monitoring EOL software are helpful in reducing exposures to security vulnerabilities.

The term EOL (End of Life) refers to software versions for which support has been scheduled to end and therefore security updates will no longer be available.

Visibility into EOL software and therefore with terminated support is something that should not be overlooked, because its execution on corporate networks can be associated with vulnerabilities that increase the risk of an organization's data.

There are many reasons why companies fail to gain control over EOL software: independent purchases at the multi-departmental level resulting in fragmented information, outdated asset lifecycle documentation, and also difficulty in chasing vendor announcements to massively plan migrations or upgrades.

But the security impacts are there for all to see: let’s take Microsoft Exchange Server in its 2007, 2010, 2013 versions as an example. According to a ShadowServer scan there are nearly 20,000 Microsoft Exchange e-mail servers in Europe, the U.S. and Asia that are vulnerable to remote code execution flaws and are exposed on the Internet.

These email systems, in fact, run a version of the software that is currently no longer supported (as can be seen from Microsoft's website for versions 2007, 2010 and not least 2013, which ended support on April 11th, 2023 and for which Microsoft strongly recommends migration to Microsoft 365, Office 365 or Exchange 2019).

Exchange falls among Microsoft's Fixed Lifecycle Policy products, which are products that already have an end-of-support date at the time of release. Typically, a minimum of five years is defined for Mainstream Support and an additional period of Extended Support, terms within which customers have Service Packs to deploy (fixes collected in "packages") or guidance to remediate vulnerabilities.

Beyond these dates, Microsoft does NOT guarantee any more security updates. With Exchange 2007, the end date for Extended Support is 2017, while with its "younger" versions we are in 2020 and April of this year.

EOL software: the risks associated with Exchange

As noted in Bleeping Computer, computers running unsupported versions of the Exchange server are vulnerable to ProxyLogon, a critical security issue classified as CVE-2021-26855, which can be related to a less serious bug identified as CVE-2021-27065 to achieve remote code execution.

In the case of instances that have reached the end of support, the only option left is to upgrade to a version that still receives security updates.

Setting up SAM processes (we have also discussed this here) allows for high-quality reports on real-time software usage: among the information shared we also find end-of-support data.

At WEGG we rely on Snow technology, whose software recognition database integrates with the vulnerability data provided by the National Vulnerability Database: in our client companies, we work to promote the monitoring of software running on corporate networks so that we have useful data for security.

Below there is a detailed screenshot of the Exchange 2007 product, which extracts end-of-support information directly from vendor-provided announcements: