Microsoft has issued an updated security advisory, warning about a critical vulnerability in Exchange Server. The Microsoft critical Exchange bug was exploited as a zero-day before being addressed during this month’s Patch Tuesday.
The Microsoft Critical Exchange Bug CVE-2024-21410 Allows NTLM Relay Attacks
Internally discovered and tracked as CVE-2024-21410, this security flaw is a critical bug in Exchange Server that enables remote unauthenticated threat actors to escalate privileges through NTLM relay attacks. These attacks specifically target vulnerable versions of Microsoft Exchange Server.
During an NTLM relay attack, the threat actor manipulates a network device, including servers or domain controllers, to authenticate against an NTLM relay server under their control. This allows them to impersonate the targeted devices and gain elevated privileges.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,”
“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.
“An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.”
Microsoft explains in a statement.
The Critical Bug in Exchange Server Can Be Protected via Exchange Extended Protection
To address this vulnerability, Microsoft has released the Exchange Server 2019 Cumulative Update 14 (CU14) update. This update includes the implementation of NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA).
Extended Protection (EP) is specifically designed to enhance the security of Windows Server authentication functionality by mitigating the risks associated with authentication relay and man-in-the-middle (MitM) attacks.
In an announcement Microsoft has stated that Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month’s 2024 H1 Cumulative Update (CU14).
This proactive measure aims to strengthen the security posture of Exchange servers and protect against potential exploits of the vulnerability.
For administrators using previous versions of Exchange Server, such as Exchange Server 2016, there is a PowerShell script called ExchangeExtendedProtectionManagement that can be utilized to activate Extended Protection (EP). Enabling EP will provide protection against attacks targeting devices that have not been patched against CVE-2024-21410.
However, it is crucial for administrators to conduct a thorough evaluation of their environments before toggling EP on their Exchange servers. Microsoft has provided documentation for the EP toggle script, which highlights potential issues that may arise and impact functionality.
Administrators should carefully review this documentation to ensure that enabling EP does not inadvertently break any essential functionality within their Exchange environment.
By following this advice and conducting a comprehensive evaluation, administrators can activate EP effectively while minimizing the risk of functionality disruptions.
Microsoft also made an error by incorrectly classifying a critical Outlook vulnerability as having been exploited in attacks before being addressed in this month’s Patch Tuesday.
The vulnerability in question is a remote code execution (RCE) vulnerability known as CVE-2024-21413. Microsoft has since acknowledged that it was mistakenly tagged as being actively exploited.
It is important to note that the vulnerability has been fixed with the latest updates released during Patch Tuesday. Microsoft is taking the necessary steps to rectify the misclassification and provide accurate information regarding the vulnerability.
