In a recent revelation, Microsoft has identified a critical vulnerability in Exchange Server, initially disclosed in February’s Patch Tuesday update, as a zero-day threat already being actively exploited by attackers. The vulnerability in question, CVE-2024-21410, is an elevation of privilege flaw that allows a remote, unauthenticated attacker to obtain and relay Windows NT LAN Manager (NTLM) credentials. Relaying those credentials lets the attacker impersonate legitimate users on the Exchange Server, enabling pass-the-hash attacks.
Bug Enables Pass-the-Hash Attacks:
Although Microsoft initially assessed the bug’s severity as critical (9.1 on the 10-point CVSS scale), it did not categorize it as a zero-day vulnerability when releasing the fix. However, the company revised its advisory on Wednesday, acknowledging active exploit activity in the wild. CVE-2024-21410 now joins two other zero-day bugs disclosed in the same month: CVE-2024-21412, a security feature bypass flaw exploited by the threat actor Water Hydra; and CVE-2024-21351, a SmartScreen bypass vulnerability.
Details of CVE-2024-21410:
According to Microsoft, this elevation of privilege vulnerability allows attackers to target an NTLM client, such as Outlook, in a credential-leaking attack. The leaked credentials can then be relayed against the Exchange server, granting privileges to the attacker as the victim client, enabling operations on the Exchange server on the victim’s behalf.
The issue arises in versions of Exchange Server 2019 prior to the Feb. 13 update, where NTLM relay protections (Extended Protection for Authentication, EPA) were not enabled by default. Without this protection, attackers can relay leaked NTLM credentials from targets like Outlook to Exchange Server.
Mitigation Measures:
The Feb. 13 update, known as the 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (CU14), addresses this vulnerability by enabling NTLM relay protections by default. Users who implement this update are protected against the threat from CVE-2024-21410. Administrators still running an Exchange Server 2019 release prior to CU14 are advised to install the latest cumulative update and to enable EPA alongside it.
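Whether EPA is actually in force is an IIS setting on each Exchange virtual directory, so it is worth verifying after the update rather than assuming it. The following PowerShell audit is an added example written for this page; it is not part of the original article and is not Microsoft's ExchangeExtendedProtectionManagement script (which is the supported way to change the settings). It reads the `extendedProtection` element under `windowsAuthentication` for each Exchange virtual directory and reports the `tokenChecking` and `flags` values. The site and directory names are assumptions about a default Exchange 2019 layout; adjust them to your deployment and compare the results with Microsoft's published per-directory EPA table, since Microsoft intentionally sets some front-end directories to `Allow` rather than `Require`.

```powershell
# Added example, not from the original article or from Microsoft.
# Reports Extended Protection for Authentication (EPA) state on Exchange
# virtual directories. Read-only; run on the Exchange server in an elevated
# Exchange Management Shell or PowerShell session with the IIS module.
Import-Module WebAdministration

function Get-ExchangeEpaStatus {
    # Assumed default Exchange 2019 site/virtual-directory layout.
    $targets = @(
        @{ Site = 'Default Web Site';  Paths = @('API','Autodiscover','ECP','EWS','Microsoft-Server-ActiveSync','OAB','Powershell','RPC','MAPI') }
        @{ Site = 'Exchange Back End'; Paths = @('API','Autodiscover','ECP','EWS','Microsoft-Server-ActiveSync','OAB','Powershell','RPC','MAPI/emsmdb','MAPI/nspi','PushNotifications') }
    )
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($t in $targets) {
        foreach ($p in $t.Paths) {
            $location = "$($t.Site)/$p"
            try {
                # The extendedProtection element carries tokenChecking (None | Allow | Require)
                # and flags (e.g. None, Proxy, NoServiceNameCheck, AllowDotlessSpn).
                $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                        -Location $location -Filter $filter -Name 'extendedProtection' -ErrorAction Stop
            } catch {
                Write-Warning "$location : windowsAuthentication configuration not found"
                continue
            }
            $token = [string]$ep.tokenChecking
            $flags = [string]$ep.flags
            # 'None' means no channel-binding / service-binding check at all, which is the
            # pre-CU14 default this article describes. 'Allow' or 'Require' means EPA is on;
            # which of the two is expected differs per directory in Microsoft's guidance.
            $state = if ([string]::IsNullOrEmpty($token) -or $token -eq 'None') { 'NOT PROTECTED' } else { 'EPA enabled' }
            [pscustomobject]@{
                Location      = $location
                TokenChecking = $token
                Flags         = $flags
                State         = $state
            }
        }
    }
}

Get-ExchangeEpaStatus | Format-Table -AutoSize
```

Any row reporting `NOT PROTECTED` on a server that is supposed to be at CU14 (or that has had EPA enabled manually) deserves a closer look, because a later reconfiguration or a restored IIS configuration can silently reset the value.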
Understanding Pass-the-Hash Attacks:
The exploitation of this vulnerability highlights the risk of pass-the-hash attacks, a method often employed by attackers for lateral movement. By stealing a user’s NTLM hash from one computer, attackers can access another computer, in this case, an Exchange Server, without knowing the user’s password.
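A relayed NTLM credential still produces an ordinary network logon on the Exchange server, so the Security log is the first place to look for it. The snippet below is an added example for this page (not from the original article) that pulls event ID 4624 network logons (LogonType 3) authenticated with the NTLM package, extracts the source address and account, and summarises the pairs. A user whose NTLM network logons suddenly originate from an address that is not their workstation is the pattern a relay from a leaked Outlook credential would leave. Event and field names are the standard Windows Security log schema; the `-MaxEvents` value and the `Security` log name are ordinary defaults you may want to change.

```powershell
# Added example, not from the original article.
# Summarises NTLM network logons (4624, LogonType 3) on the local server so that
# unexpected source-address / account pairs stand out. Run elevated on the
# Exchange server, or point -ComputerName at it from a collector.
function Get-NtlmNetworkLogonSummary {
    param(
        [int]$MaxEvents = 5000,   # how far back to read; tune to your log volume
        [int]$Top = 25
    )
    # XPath filter evaluated by the event log service: only 4624 events that are
    # network logons authenticated with NTLM (not Kerberos).
    $xpath = "*[System[(EventID=4624)] and " +
             "EventData[Data[@Name='LogonType']='3'] and " +
             "EventData[Data[@Name='AuthenticationPackageName']='NTLM']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Parse the event XML so we can read EventData fields by name.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
                LmPackage   = $d['LmPackageName']   # NTLM V1 vs V2 is itself worth knowing
            }
        } |
        Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch 'ANONYMOUS LOGON' } |   # skip machine and anonymous accounts
        Group-Object User, SourceIp |
        Sort-Object Count -Descending |
        Select-Object -First $Top Count, Name
}

Get-NtlmNetworkLogonSummary | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: legitimate Outlook clients on networks without Kerberos reachability also show up as NTLM logons, so the useful signal is a known user appearing from an unfamiliar source address, or a sudden change in the mix once EPA is enabled.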
In conclusion, organizations must act swiftly to implement the necessary updates and protections to safeguard their Exchange Servers from potential exploitation. Thorough testing, careful consideration of environmental factors, and adherence to Microsoft’s guidelines on EPA implementation are critical steps in fortifying against this zero-day threat.
Stay informed and stay secure!
[CyberSafe@Hackinbox ~]#