Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.
Discovered internally and tracked as CVE-2024-21410, this security flaw can let remote unauthenticated threat actors escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.
In such attacks, the threat actor forces a network device (including servers or domain controllers) to authenticate against an NTLM relay server under their control to impersonate the targeted devices and elevate privileges.
"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," Microsoft explains.
"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.
"An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user."
Mitigation via Exchange Extended Protection
The Exchange Server 2019 Cumulative Update 14 (CU14) update released during the February 2024 Patch Tuesday addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).
EP is designed to strengthen Windows Server authentication by mitigating authentication relay and man-in-the-middle (MitM) attacks.
Microsoft first introduced Exchange Server EP support in August 2022 and it announced one year later that EP would be enabled by default on all Exchange servers after deploying CU14.
Today, the company announced that EP will be enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update (aka CU14).
Admins can also use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016. This will also protect their systems against attacks targeting devices unpatched against CVE-2024-21410.
However, before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft's documentation for the EP toggle script to avoid breaking functionality.
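As an added example (not code from the article or from Microsoft's ExchangeExtendedProtectionManagement script), the following PowerShell audit lists the Extended Protection setting (IIS tokenChecking) on the virtual directories an Exchange front end exposes, so an administrator can see which endpoints still run without EP before and after enabling it. It assumes it is run with elevated rights on an Exchange server where the IIS WebAdministration module is present, and that the Exchange virtual directories live under "Default Web Site"; the directory list is a constructed assumption and may need adjusting for a given deployment.

```powershell
# Added audit example, not part of the original article or of Microsoft's script.
# Assumes: run elevated on an Exchange server, IIS WebAdministration module available.
Import-Module WebAdministration

# Assumed front-end site and virtual directory names (adjust for your deployment).
$siteName = 'Default Web Site'
$vdirs = @('Autodiscover', 'ECP', 'EWS', 'MAPI', 'Microsoft-Server-ActiveSync',
           'OAB', 'OWA', 'PowerShell', 'RPC')

# IIS configuration section that holds the Extended Protection setting.
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpStatus {
    param([string]$Site, [string[]]$VirtualDirectories)

    foreach ($vdir in $VirtualDirectories) {
        $psPath = "IIS:\Sites\$Site\$vdir"
        try {
            # tokenChecking is None, Allow or Require; None means no Extended Protection.
            $ep = Get-WebConfiguration -Filter $epFilter -PSPath $psPath -ErrorAction Stop
            $value = [string]$ep.tokenChecking
            $status = if ($value -eq 'None') { 'NOT PROTECTED' } else { 'EP enabled' }
            [pscustomobject]@{ VirtualDirectory = "$Site/$vdir"; TokenChecking = $value; Status = $status }
        } catch {
            # Directory missing or not readable; report it rather than silently skipping.
            [pscustomobject]@{ VirtualDirectory = "$Site/$vdir"; TokenChecking = 'n/a'; Status = "error: $($_.Exception.Message)" }
        }
    }
}

# Print the table and keep the unprotected endpoints for follow-up.
$results = Get-ExchangeEpStatus -Site $siteName -VirtualDirectories $vdirs
$results | Format-Table -AutoSize
$unprotected = $results | Where-Object { $_.Status -eq 'NOT PROTECTED' }
if ($unprotected) {
    Write-Warning ("{0} virtual director(ies) still have tokenChecking=None" -f $unprotected.Count)
}
```

Run it once before applying CU14 or the EP script to record the baseline, and again afterwards to confirm that every directory shows Allow or Require. Microsoft's script also has its own reporting mode (to my recollection a -ShowExtendedProtection switch, which is an assumption here rather than something the article states), and that output is the authoritative view; this audit is only a quick IIS-level cross-check.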
Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday.
Comments
mderooij - 2 weeks ago
Extended Protection has been available since the August 2022 updates for Exchange 2013/2016/2019. So, mitigation for CVE-2024-21410 has existed before CU14. Also, the statement "Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing 2024H1 (CU14)" is confusing; it will be enabled by default on the server to which you applied CU14. That is unless you specified one of the two switches to change the default behavior.