Microsoft Exchange

Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.

Discovered internally and tracked as CVE-2024-21410, this security flaw can let remote unauthenticated threat actors escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.

In such attacks, the threat actor forces a network device (including servers or domain controllers) to authenticate against an NTLM relay server under their control to impersonate the targeted devices and elevate privileges.

"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," Microsoft explains.

"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.

"An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user."

Mitigation via Exchange Extended Protection

The Exchange Server 2019 Cumulative Update 14 (CU14) update released during the February 2024 Patch Tuesday addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).

EP is designed to strengthen Windows Server auth functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.

Microsoft first introduced Exchange Server EP support in August 2022 and it announced one year later that EP would be enabled by default on all Exchange servers after deploying CU14.

Today, the company announced that EP will be enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update (aka CU14).

Admins can also use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016. This will also protect their systems against attacks targeting devices unpatched against CVE-2024-21410.

However, before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft's documentation for the EP toggle script to avoid breaking functionality.

Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday.

Related Articles:

LiteSpeed Cache WordPress plugin bug lets hackers get admin access

New Windows Driver Signature bypass allows kernel rootkit installs

Iranian hackers now exploit Windows flaw to elevate privileges

Microsoft patches Windows zero-day exploited in attacks on Ukraine

Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws