February 14, 2024 at 06:29PM
Microsoft has warned of a critical vulnerability in Exchange Server, CVE-2024-21410, that lets remote, unauthenticated threat actors escalate privileges through NTLM relay. The company has released Exchange Server 2019 Cumulative Update 14, which addresses the flaw and turns on Extended Protection (EP), the NTLM relay mitigation, by default. Admins are advised to evaluate their environments before toggling EP on Exchange servers.
Key Takeaways from Meeting Notes:
– Microsoft released an updated security advisory disclosing a critical vulnerability (CVE-2024-21410) in Exchange Server that was exploited as a zero-day before being addressed in this month’s Patch Tuesday.
– The vulnerability allows remote, unauthenticated threat actors to escalate privileges via NTLM relay attacks against vulnerable Microsoft Exchange Server versions.
– In these attacks, the threat actor coerces a device or user into authenticating to an attacker-controlled relay server, then forwards that NTLM authentication to the Exchange server, impersonating the victim and gaining their privileges.
– Concretely, an attacker could relay a user’s leaked Net-NTLMv2 hash to a vulnerable Exchange Server and authenticate as that user, gaining the ability to perform operations on the Exchange server on the victim’s behalf.
– Exchange Server 2019 Cumulative Update 14 (CU14) addresses this vulnerability by enabling Extended Protection (EP), the NTLM credential relay protection, which is turned on by default on all Exchange servers after installing this month’s 2024 H1 Cumulative Update.
– Admins can use the ExchangeExtendedProtectionManagement.ps1 PowerShell script from Microsoft’s CSS-Exchange GitHub repository to activate EP on previous versions of Exchange Server, such as Exchange Server 2016 CU23, to protect systems against attacks targeting unpatched devices.
– Before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues documented by Microsoft for the EP toggle script (for example, SSL offloading in front of Exchange and mismatched TLS configuration across servers are documented blockers) to avoid breaking functionality.
– Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413), addressed in this month’s Patch Tuesday, as exploited in attacks.
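The evaluate-then-enable procedure in the points above, as an added example that is not code from the original article or from Microsoft: a pre-flight report of build level and current EP state per server, followed by a staged roll-out with Microsoft’s ExchangeExtendedProtectionManagement.ps1. The script path, the front-end virtual directory list, and the minimum build numbers are assumptions (the builds are taken from Microsoft’s Exchange build table and should be re-checked against the current table).

```powershell
# Added example (not from the original article or Microsoft). Run from an
# elevated Exchange Management Shell on a server that can reach the others.
$ScriptPath = 'C:\Scripts\ExchangeExtendedProtectionManagement.ps1'   # assumed download location
$MinBuild = @{
    '15.2' = [version]'15.2.1544.4'   # Exchange 2019 CU14 (2024 H1 CU), fixes CVE-2024-21410 (verify)
    '15.1' = [version]'15.1.2507.6'   # Exchange 2016 CU23, the only 2016 CU with EP support (verify)
}
# Front-end vdirs whose IIS tokenChecking the script raises; 'None' means EP is off there.
$VDirs = 'Default Web Site\EWS', 'Default Web Site\mapi', 'Default Web Site\Rpc',
         'Default Web Site\OAB', 'Default Web Site\ecp', 'Default Web Site\API'

function Get-EpReadiness {
    param([string[]]$ServerNames)
    foreach ($name in $ServerNames) {
        $srv   = Get-ExchangeServer -Identity $name
        $v     = $srv.AdminDisplayVersion
        $build = [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)
        $key   = '{0}.{1}' -f $v.Major, $v.Minor
        $patched = $MinBuild.ContainsKey($key) -and ($build -ge $MinBuild[$key])

        # Read IIS state remotely. EP is not supported with SSL offloading, so a
        # vdir that does not require SSL is flagged for manual review (heuristic).
        $iis = Invoke-Command -ComputerName $srv.Fqdn -ArgumentList (,$VDirs) -ScriptBlock {
            param($dirs)
            Import-Module WebAdministration
            foreach ($d in $dirs) {
                $ep  = Get-WebConfiguration -PSPath "IIS:\Sites\$d" `
                         -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
                $acc = Get-WebConfiguration -PSPath "IIS:\Sites\$d" -Filter 'system.webServer/security/access'
                [pscustomobject]@{
                    VDir          = $d
                    TokenChecking = [string]$ep.tokenChecking      # None / Allow / Require
                    RequiresSsl   = ([string]$acc.sslFlags) -match 'Ssl'
                }
            }
        }
        [pscustomobject]@{
            Server         = $srv.Name
            Build          = $build
            PatchedCVE202421410 = $patched
            EpOffVDirs     = @($iis | Where-Object TokenChecking -eq 'None').VDir -join ','
            SslNotRequired = @($iis | Where-Object { -not $_.RequiresSsl }).VDir -join ','
        }
    }
}

# 1. Inventory: which servers still lack the CU, and where EP is currently off.
$names  = (Get-ExchangeServer | Where-Object { $_.ServerRole -ne 'Edge' }).Name
$report = Get-EpReadiness -ServerNames $names
$report | Format-Table -AutoSize

# 2. Cross-check with the script's own read-only mode before changing anything.
& $ScriptPath -ShowExtendedProtection

# 3. Enable EP only on servers that are patched and show no SSL-offload sign; Microsoft
#    also requires a matching TLS configuration across all servers before enabling EP.
$ready = @($report | Where-Object { $_.PatchedCVE202421410 -and -not $_.SslNotRequired }).Server
if ($ready) { & $ScriptPath -ExchangeServerNames $ready }

# 4. If clients or hybrid components break afterwards, revert the IIS changes the script made:
# & $ScriptPath -RollbackType 'RestoreIISAppConfig'
```

The report is deliberately read-only: the only write happens in step 3, and only for servers the report cleared, so a single misconfigured server (unpatched, or sitting behind an SSL-offloading load balancer) does not stop the roll-out on the rest.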