Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month’s Patch Tuesday.
Discovered internally and tracked as CVE-2024-21410, this security flaw can let remote unauthenticated threat actors escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.
In such attacks, the threat actor forces a network device (including servers or domain controllers) to authenticate against an NTLM relay server under their control to impersonate the targeted devices and elevate privileges.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” Microsoft explains.
“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.
“An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.”
Mitigation via Exchange Extended Protection
Exchange Server 2019 Cumulative Update 14 (CU14) addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).
Extended Protection (EP) is designed to strengthen Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.
Microsoft announced today that Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month’s 2024 H1 Cumulative Update (aka CU14).
Admins can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016. This will also protect their systems against attacks targeting devices unpatched against CVE-2024-21410.
However, before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft’s documentation for the EP toggle script to avoid breaking functionality.
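How Extended Protection breaks a relay, as an added example that is not from Microsoft or the original article: a simplified Python model of the channel binding token that EP makes the server compare against its own TLS certificate. The key, certificates and function names are constructed for illustration, the server and domain controller are folded into one check, and SHA-256 is assumed as the certificate hash.

```python
import hashlib
import hmac
import os

def channel_binding_hash(server_cert_der):
    """MD5 over a gss_channel_bindings_struct that carries the RFC 5929
    tls-server-end-point value (SHA-256 of the TLS server certificate)."""
    app_data = b"tls-server-end-point:" + hashlib.sha256(server_cert_der).digest()
    bindings = b"\x00" * 16 + len(app_data).to_bytes(4, "little") + app_data
    return hashlib.md5(bindings).digest()

def client_response(key, challenge, cert_seen):
    """Client side: bind the response to the certificate of the TLS channel
    the client is actually on (all zeros when there is no TLS channel)."""
    cbt = channel_binding_hash(cert_seen) if cert_seen else b"\x00" * 16
    proof = hmac.new(key, challenge + cbt, hashlib.md5).digest()
    return {"cbt": cbt, "proof": proof}

def server_accepts(key, challenge, resp, own_cert, token_checking):
    """Server side (server and domain controller folded into one check)."""
    expected = hmac.new(key, challenge + resp["cbt"], hashlib.md5).digest()
    if not hmac.compare_digest(expected, resp["proof"]):
        return False  # bad credentials, or the binding was altered in transit
    if token_checking == "None":
        return True   # EP off: the binding is never compared
    return hmac.compare_digest(resp["cbt"], channel_binding_hash(own_cert))

def run_scenarios():
    key = os.urandom(16)        # constructed stand-in for the user's NTLMv2 key
    exchange_cert = b"constructed-exchange-certificate"
    relay_cert = b"constructed-relay-certificate"
    challenge = os.urandom(8)   # issued by the Exchange server

    direct = client_response(key, challenge, exchange_cert)
    relayed = client_response(key, challenge, relay_cert)  # client talked to the relay
    no_tls = client_response(key, challenge, None)         # leaked over a non-TLS channel
    rewritten = dict(relayed, cbt=channel_binding_hash(exchange_cert))  # binding swapped

    return {
        "direct/Require": server_accepts(key, challenge, direct, exchange_cert, "Require"),
        "relayed/None": server_accepts(key, challenge, relayed, exchange_cert, "None"),
        "relayed/Require": server_accepts(key, challenge, relayed, exchange_cert, "Require"),
        "no-tls/Require": server_accepts(key, challenge, no_tls, exchange_cert, "Require"),
        "rewritten/Require": server_accepts(key, challenge, rewritten, exchange_cert, "Require"),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name:20} {'accepted' if ok else 'rejected'}")
```

The binding cannot be rewritten in transit because it is covered by the keyed proof, and only the legitimate client holds the key.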
Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month’s Patch Tuesday.