February 15, 2024 at 04:34PM
Microsoft identified a critical vulnerability in Exchange Server, disclosed in February, as a zero-day already being exploited. The flaw (CVE-2024-21410) lets attackers disclose and relay Windows NT LAN Manager (NTLM) hashes and thereby impersonate legitimate users. Microsoft revised its advisory to flag the exploit as a zero-day. A cumulative update (CU14) protects against this threat. Organizations should enable Extended Protection for Authentication (EPA) to safeguard vulnerable servers.
Key takeaways from the meeting notes:
– Microsoft has discovered a critical vulnerability in Exchange Server that it has since flagged as a zero-day being actively exploited by attackers. This vulnerability, known as CVE-2024-21410, is an elevation-of-privilege flaw that gives attackers the ability to relay Windows NT LAN Manager (NTLM) hashes and impersonate legitimate users on Exchange Server.
– Microsoft rated the bug as critical severity (9.1 on the 10-point CVSS scale). It was not identified as a zero-day when the fix was released; the company later revised its advisory after observing exploit activity in the wild.
– The vulnerability affects Exchange Server 2019 versions prior to the Feb. 13 update, which did not have NTLM relay protections enabled by default. The update, labeled the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (CU14), enables these protections and is crucial for safeguarding against CVE-2024-21410.
– It is important for organizations using earlier versions of Exchange Server 2019 to activate Extended Protection for Authentication (EPA) alongside installing the latest cumulative update to ensure protection.
– Administrators need to carefully review Microsoft’s Extended Protection (EP) documentation and thoroughly test the update before applying it, as there are various considerations and potential issues related to enabling Extended Protection on Exchange Servers.
– Pass-the-hash attacks are a major concern, because attackers can use stolen NTLM hashes to authenticate as legitimate users on target systems without knowing the users’ passwords. Similar flaws have been exploited in the past by threat groups such as Russia’s Fancy Bear.
These takeaways summarize the critical nature of the vulnerability, the importance of the CU14 update for Exchange Server 2019, and the precautions and considerations administrators face in implementing the protections against the identified threats.
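Because the protection hinges on Extended Protection actually being enabled per virtual directory, a defender will want to audit the live IIS configuration after applying CU14 rather than assume the update did it. The following PowerShell audit is an added example, not Microsoft's own ExchangeExtendedProtectionManagement script; it assumes the default Exchange 2019 site and virtual directory names, the WebAdministration module that ships with IIS, and an elevated session on the Exchange Server itself.

```powershell
# Added audit example (not Microsoft's script): report the Extended Protection
# tokenChecking setting of each Exchange virtual directory in IIS.
# Assumes: elevated PowerShell on the Exchange Server, WebAdministration module present.
Import-Module WebAdministration

# Default site and virtual directory names for an Exchange 2019 install;
# adjust these if your deployment uses custom names.
$sites = @('Default Web Site', 'Exchange Back End')
$vdirs = @('API', 'Autodiscover', 'ECP', 'EWS', 'MAPI', 'Microsoft-Server-ActiveSync',
           'OAB', 'Powershell', 'RPC', 'OWA')

# IIS configuration element that holds the Extended Protection settings
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpStatus {
    foreach ($site in $sites) {
        foreach ($vdir in $vdirs) {
            $location = "$site/$vdir"
            # Skip virtual directories that do not exist on this site (e.g. RPC on the front end)
            if (-not (Test-Path "IIS:\Sites\$site\$vdir")) { continue }

            $ep = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
                                       -Location $location -Filter $epFilter
            $tokenChecking = "$($ep.tokenChecking)"   # None, Allow or Require

            [pscustomobject]@{
                Location      = $location
                TokenChecking = $tokenChecking
                # 'None' means Extended Protection is switched off for that directory
                Protected     = ($tokenChecking -in @('Allow', 'Require'))
            }
        }
    }
}

$status = Get-ExchangeEpStatus
$status | Format-Table -AutoSize

$unprotected = $status | Where-Object { -not $_.Protected }
if ($unprotected) {
    Write-Warning ('Extended Protection is disabled on: ' + ($unprotected.Location -join ', '))
} else {
    Write-Host 'Extended Protection is enabled on every Exchange virtual directory found.'
}
```

Compare the reported values against the per-directory settings in Microsoft's Extended Protection documentation, since some directories are expected to be "Allow" rather than "Require".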