Microsoft Warns of Critical Exchange Server Bug Exploited as Zero-Day

February 14, 2024

Microsoft has updated its security advisory to warn about a critical vulnerability in Exchange Server, identified as CVE-2024-21410. The flaw was exploited as a zero-day before a fix was issued during this month's Patch Tuesday. The vulnerability was discovered internally and allows remote unauthenticated threat actors to escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.

In these attacks, the threat actor coerces a network device, such as a server or domain controller, into authenticating to an NTLM relay server they control. The relayed authentication lets them impersonate the targeted device and elevate privileges. Microsoft explains: "An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."

The vulnerability could allow an attacker to relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user. The Exchange Server 2019 Cumulative Update 14 (CU14) addresses this vulnerability by enabling NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA). EPA is designed to strengthen Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle attacks.

Microsoft has announced that Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update (CU14). Administrators can use the ExchangeExtendedProtectionManagement PowerShell script to activate EP on previous versions of Exchange Server, such as Exchange Server 2016, to protect their systems against attacks targeting devices unpatched against CVE-2024-21410.

Before enabling EP on their Exchange servers, administrators are advised to evaluate their environments and review the issues mentioned in Microsoft's documentation for the EP toggle script to avoid breaking functionality. Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday.
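Because EP is enforced per IIS virtual directory, administrators need a way to confirm what state each Exchange endpoint is actually in, both before running the ExchangeExtendedProtectionManagement script and after. The following read-only PowerShell audit is an added example, not code from the article or from Microsoft's script; it uses the standard WebAdministration module to read the `tokenChecking` value of the `extendedProtection` element under Windows Authentication for every application in the two Exchange IIS sites. The site names and the expected value (`Require`) are assumptions; the script itself documents the exact per-directory values it sets, so compare against that documentation rather than treating this list as authoritative.

```powershell
# Added example (not from the article or Microsoft's EP script): report the
# Extended Protection state of each Exchange virtual directory in IIS.
# Run in an elevated PowerShell session on the Exchange server.
Import-Module WebAdministration

# Assumed: Exchange uses the default IIS site names for front end and back end.
$sites  = @('Default Web Site', 'Exchange Back End')
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

# Assumed baseline for this audit; the EP script's documentation is the
# source of truth for which directories should be Require versus Allow.
$expected = 'Require'

function Get-ExchangeEpState {
    foreach ($site in $sites) {
        if (-not (Test-Path "IIS:\Sites\$site")) {
            Write-Warning "IIS site '$site' not found; skipping."
            continue
        }
        foreach ($app in Get-WebApplication -Site $site) {
            # $app.Path looks like "/EWS"; build the provider path of the application.
            $appPath = Join-Path "IIS:\Sites\$site" ($app.Path.TrimStart('/'))
            $section = Get-WebConfiguration -PSPath $appPath -Filter $filter -ErrorAction SilentlyContinue
            # tokenChecking is None, Allow or Require; missing element means EP is not configured.
            $state = if ($section) { [string]$section.tokenChecking } else { 'NotConfigured' }
            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $app.Path
                TokenChecking = $state
                MeetsBaseline = ($state -eq $expected)
            }
        }
    }
}

$report = Get-ExchangeEpState
$report | Sort-Object Site, VirtualDir | Format-Table -AutoSize

# Summarise the directories that still need attention so the result is easy to act on.
$gaps = $report | Where-Object { -not $_.MeetsBaseline }
if ($gaps) {
    Write-Host "`n$($gaps.Count) virtual director(ies) below the assumed baseline:" -ForegroundColor Yellow
    $gaps | ForEach-Object { Write-Host "  $($_.Site)$($_.VirtualDir) -> $($_.TokenChecking)" }
} else {
    Write-Host "`nAll audited virtual directories report tokenChecking = $expected." -ForegroundColor Green
}
```

Running this before the change records the starting state for rollback, and running it again afterwards verifies that the script took effect on every endpoint rather than relying on the script's own summary. The check only reads IIS configuration, so it is safe to run repeatedly, including on servers where EP has been deliberately left off while the compatibility issues in Microsoft's documentation are being worked through.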
