- CVE: CVE-2024-21410
- Severity: CRITICAL
- Priority: CRITICAL
Summary
Today, Microsoft issued a renewed security advisory warning of a critical vulnerability in Exchange Server that was exploited as a zero-day before being fixed in this month’s Patch Tuesday.
Discovered internally and tracked as CVE-2024-21410, the flaw lets remote, unauthenticated threat actors escalate privileges through NTLM relay attacks against vulnerable versions of Microsoft Exchange Server.
In such an attack, the threat actor coerces a network device, which may be a server or a domain controller, into authenticating against an NTLM relay server under their control. Relaying that authentication lets them impersonate the targeted device and elevate privileges.
Microsoft elaborates, stating, “An attacker could exploit an NTLM client such as Outlook with a vulnerability that leaks NTLM credentials.”
“The compromised credentials can then be relayed to the Exchange server to gain privileges as the compromised client and execute actions on the Exchange server on behalf of the victim.
“An attacker who successfully exploits this vulnerability could relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as the user.”
Recommended Remediation
Exchange Server 2019 Cumulative Update 14 (CU14), released during the February 2024 Patch Tuesday, addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication, or EPA).
Microsoft automatically enables Windows Extended Protection on Exchange servers once this month’s 2024 H1 Cumulative Update (CU14) is installed.
Extended Protection (EP) is toggled on by default when Exchange Server 2019 CU14 (or later) is installed; it strengthens Windows Server authentication so that authentication relay and man-in-the-middle (MitM) attacks are mitigated.
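Since the mitigation only holds where IIS actually requires the Extended Protection channel-binding token, an administrator will want to verify the setting on each Exchange virtual directory after installing CU14. The following PowerShell audit is an added example, not code from the advisory or from Microsoft; it assumes it is run elevated on the Exchange server with the WebAdministration module available, and the list of virtual directories is an assumption to be adjusted to the deployment (Microsoft’s own guidance defines which directories should be at Require versus Allow, which this script does not encode).

```powershell
# Added example (not from the advisory or Microsoft): report the Extended Protection
# tokenChecking setting on Exchange virtual directories so a defender can confirm
# the CU14 relay mitigation is in force. Assumes elevated PowerShell on the server.
Import-Module WebAdministration

# Assumed set of Exchange-published virtual directories; adjust for your deployment.
$VDirs = @(
    'Default Web Site/API', 'Default Web Site/Autodiscover', 'Default Web Site/ecp',
    'Default Web Site/EWS', 'Default Web Site/mapi', 'Default Web Site/Microsoft-Server-ActiveSync',
    'Default Web Site/OAB', 'Default Web Site/owa', 'Default Web Site/PowerShell', 'Default Web Site/Rpc',
    'Exchange Back End/API', 'Exchange Back End/ecp', 'Exchange Back End/EWS',
    'Exchange Back End/mapi/emsmdb', 'Exchange Back End/mapi/nspi', 'Exchange Back End/OAB',
    'Exchange Back End/owa', 'Exchange Back End/PowerShell', 'Exchange Back End/Rpc'
)
$Filter = 'system.webServer/security/authentication/windowsAuthentication'

# The IIS provider returns some properties as bare values and others as
# ConfigurationAttribute objects with a .Value member; normalise to the value.
function Resolve-IisValue { param($Raw)
    if ($null -ne $Raw -and ($Raw.PSObject.Properties.Name -contains 'Value')) { return $Raw.Value }
    return $Raw
}

$Report = foreach ($VDir in $VDirs) {
    $PSPath = "IIS:\Sites\$VDir"
    if (-not (Test-Path $PSPath)) { continue }   # not every server role publishes every vdir
    $WinAuth = [bool](Resolve-IisValue (Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name 'enabled'))
    $EP      = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name 'extendedProtection'
    $Token   = [string](Resolve-IisValue $EP.tokenChecking)   # None | Allow | Require
    $Flags   = [string](Resolve-IisValue $EP.flags)
    # Channel binding defeats relay only when Windows auth is on and the token is *required*;
    # 'Allow' still accepts clients that send no token, and 'None' leaves EP off entirely.
    $Status = if (-not $WinAuth)           { 'n/a (Windows auth disabled)' }
              elseif ($Token -eq 'Require') { 'PROTECTED' }
              elseif ($Token -eq 'Allow')   { 'PARTIAL (unprotected clients still accepted)' }
              else                          { 'UNPROTECTED' }
    [pscustomobject]@{ VirtualDirectory = $VDir; WindowsAuth = $WinAuth
                       TokenChecking = $Token; Flags = $Flags; Status = $Status }
}

$Report | Format-Table -AutoSize
$Weak = @($Report | Where-Object { $_.Status -like 'UNPROTECTED*' -or $_.Status -like 'PARTIAL*' })
if ($Weak.Count -gt 0) {
    Write-Warning ("{0} virtual director(ies) do not require Extended Protection" -f $Weak.Count)
}
```

Compare the reported values against Microsoft’s published per-directory Extended Protection matrix before changing anything, because some directories are intentionally left at Allow or None to keep specific clients working.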