Microsoft has recently identified and raised concern regarding a critical vulnerability in Exchange Server, a piece of email software used by many organizations. What was initially flagged as a critical severity bug (9.1 on the 10-point CVSS scale) was later revised to be a zero-day threat with active exploitation by attackers. The vulnerability, CVE-2024-21410, is an elevation of privilege vulnerability that allows remote, unauthenticated attackers to access Windows NT LAN Manager (NTLM) hashes, essentially allowing them to pose as legitimate users on Exchange Server.
Microsoft had initially addressed the bug in a Patch Tuesday update, releasing a fix on February 13. However, the company revised its advisory for the flaw on the 14th, stating that they had observed exploit activity in the wild. The company’s revision makes CVE-2024-21410 one of three zero-day bugs that Microsoft has disclosed this month, with the others being CVE-2024-21412 and CVE-2024-21351.
CVE-2024-21410 poses a risk to Exchange Server 2019 specifically, as versions prior to the February 13 update do not enable NTLM relay protections by default. Microsoft has released a cumulative update that rectifies this, providing users with protection. Attackers are likely to find a significant number of vulnerable Exchange Servers exposed and to exploit them with little difficulty.
Organizations using previous versions of Exchange Server 2019 will need to ensure that they have activated Extended Protection for Authentication (EPA) alongside installing the latest cumulative update. It is also advised to pay careful attention to the details regarding the update, as there are specific scenarios and system configurations where enabling Extended Protection may not be supported and may disrupt existing functionality.
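Because Extended Protection for Authentication is enforced by the `tokenChecking` setting of IIS Windows authentication on each Exchange virtual directory, an administrator can inventory that setting directly rather than assuming the cumulative update applied it. The script below is an added example for this article; it is not Microsoft's code or the Exchange team's `ExchangeExtendedProtectionManagement.ps1`. It assumes it is run in an elevated PowerShell session on the Exchange server itself with the `WebAdministration` module available, and it does not encode Microsoft's per-directory expected values (some directories are intentionally set to `Allow` or `None`); it only reports what is configured and highlights Windows-authenticated applications with no token checking at all.

```powershell
# Added example (not Microsoft's script): inventory Extended Protection
# (IIS windowsAuthentication/extendedProtection tokenChecking) on every
# IIS application of the local Exchange server.
# Assumes: elevated session on the Exchange server, WebAdministration module present.
Import-Module WebAdministration

function Get-ExchangeExtendedProtectionStatus {
    $winAuthFilter = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($site in Get-Website) {
        # Exchange virtual directories are IIS applications under the front-end
        # site ("Default Web Site") and the back-end site ("Exchange Back End").
        foreach ($app in Get-WebApplication -Site $site.Name) {
            $psPath  = "IIS:\Sites\$($site.Name)$($app.path)"
            $winAuth = Get-WebConfiguration -PSPath $psPath -Filter $winAuthFilter
            $ep      = Get-WebConfiguration -PSPath $psPath -Filter "$winAuthFilter/extendedProtection"
            $tokenChecking = "$($ep.tokenChecking)"   # None, Allow or Require

            [pscustomobject]@{
                Site          = $site.Name
                Application   = $app.path
                WindowsAuth   = [bool]$winAuth.enabled
                TokenChecking = $tokenChecking
                # A directory that accepts Windows (NTLM) authentication but performs
                # no channel-binding token check has no Extended Protection at all.
                NeedsReview   = ([bool]$winAuth.enabled) -and ($tokenChecking -eq 'None')
            }
        }
    }
}

$status = Get-ExchangeExtendedProtectionStatus
$status | Format-Table -AutoSize

$review = $status | Where-Object { $_.NeedsReview }
if ($review) {
    Write-Warning 'Windows-authenticated applications with tokenChecking=None (compare against Microsoft''s per-directory table):'
    $review | ForEach-Object { Write-Warning "  $($_.Site)$($_.Application)" }
} else {
    Write-Host 'No Windows-authenticated application is running without token checking.'
}
```

Run the inventory before and after installing the cumulative update and compare the two tables; the expected `tokenChecking` value for each virtual directory comes from Microsoft's Extended Protection documentation for Exchange, and the `-ShowExtendedProtection` switch of Microsoft's own `ExchangeExtendedProtectionManagement.ps1` reports the same settings across several servers at once. Directories that the documentation lists as `Allow` or `None` will appear here as well and are not by themselves a misconfiguration.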
The use of the pass-the-hash method for lateral movement purposes is quite common among attackers. This method involves stealing a user’s NTLM hash from one computer and using it to access another system without having the user’s password. This tactic was utilized by Russia’s Fancy Bear APT group in 2023 in a series of information-stealing attacks.
In light of this new threat, organizations are urged to review the newly identified zero-day vulnerability and take appropriate actions to update their Exchange Server security to protect against potential exploits. As with any security update, thorough testing is advised prior to implementation to ensure that the update does not disrupt existing operations. It’s also vital for administrators to be aware of the potential impact of deploying such patches and to take necessary precautions to safeguard their systems.