
Critical New Microsoft Exchange Bug CVE-2024-21410

Brandon Lee
Posts: 543
Member Admin
Topic starter

In a revised security notice, Microsoft has alerted that a significant vulnerability within Exchange Server was actively exploited prior to its resolution in the latest Patch Tuesday update.

Identified by Microsoft's internal team and cataloged as CVE-2024-21410, this vulnerability allows remote attackers, without authentication, to conduct NTLM relay attacks to escalate privileges on affected versions of Microsoft Exchange Server.

These types of attacks involve compelling a network device, such as a server or domain controller, to authenticate with an NTLM relay server controlled by the attacker. This allows the attacker to impersonate the authenticated device and gain elevated privileges.

Microsoft detailed, "An NTLM client, like Outlook, targeted by an attacker exploiting an NTLM credentials-leaking vulnerability, could result in the attacker gaining privileges by relaying leaked credentials against the Exchange server, acting on behalf of the victimized client."

Successful exploitation of this flaw could enable an attacker to relay a user's leaked Net-NTLMv2 hash to an unsecured Exchange Server and authenticate as the user.

Mitigating the Threat with Exchange Extended Protection

The vulnerability is mitigated in the Exchange Server 2019 Cumulative Update 14 (CU14), which introduces NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA). Extended Protection is aimed at enhancing authentication security in Windows Server by defending against relay and man-in-the-middle (MitM) attacks.

Following the 2024 H1 Cumulative Update (CU14) this month, Extended Protection will be enabled by default on all Exchange servers, as announced by Microsoft.

For earlier versions of Exchange Server, such as Exchange Server 2016, administrators have the option to enable Extended Protection using the ExchangeExtendedProtectionManagement PowerShell script. This measure provides protection against attacks exploiting CVE-2024-21410 on devices that have not been updated.

Before activating Extended Protection, however, administrators are urged to thoroughly assess their network environments and consider potential issues outlined in the documentation for the ExchangeExtendedProtectionManagement PowerShell script. This precaution is advised to prevent disruption of server functionality.

This advisory underscores the importance of timely system updates and the evaluation of security measures to safeguard against vulnerabilities and the potential exploitation by threat actors.

Posted : 14/02/2024 10:05 pm
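Added example, not code from the post or from Microsoft's ExchangeExtendedProtectionManagement script: a PowerShell check that reads the Extended Protection token-checking value on each Exchange IIS virtual directory, so an administrator can confirm the setting before and after enabling it. It assumes the default IIS site names "Default Web Site" and "Exchange Back End" and the WebAdministration module present on any Exchange server.

```powershell
# Audit Extended Protection for Authentication (EPA) on the local Exchange server.
# Run in an elevated PowerShell on the server itself.
Import-Module WebAdministration

# Assumption: default Exchange site names; adjust if they were renamed.
$sites  = @('Default Web Site', 'Exchange Back End')
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-EpaStatus {
    foreach ($site in $sites) {
        # Each Exchange virtual directory (EWS, OAB, Autodiscover, ...) is an IIS application.
        foreach ($app in Get-WebApplication -Site $site) {
            $psPath = "IIS:\Sites\$site$($app.path)"
            $epa = Get-WebConfiguration -Filter $filter -PSPath $psPath
            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $app.path
                TokenChecking = [string]$epa.tokenChecking   # None | Allow | Require
                Flags         = [string]$epa.flags           # e.g. None, Proxy, ProxyCohosting
            }
        }
    }
}

$status = Get-EpaStatus
$status | Format-Table -AutoSize

# "None" means the endpoint never checks the channel-binding token, so an
# NTLM authentication relayed from another client would still be accepted there.
$unprotected = @($status | Where-Object { $_.TokenChecking -eq 'None' })
if ($unprotected.Count -gt 0) {
    Write-Warning ("Extended Protection is not enforced on {0} virtual directories:" -f $unprotected.Count)
    $unprotected | ForEach-Object { Write-Warning ("  {0}{1}" -f $_.Site, $_.VirtualDir) }
} else {
    Write-Output 'Extended Protection token checking is enabled on all virtual directories.'
}
```

Compare the output against the per-directory values Microsoft's script documentation expects (some back-end directories are set to Allow rather than Require) before treating a non-Require entry as a problem.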