
Microsoft Exchange Server flaw exploited as a zero-day bug

Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February’s Patch Tuesday update as a zero-day threat that attackers are already actively exploiting.

CVE-2024-21410 is an elevation of privilege vulnerability that gives a remote, unauthenticated attacker a way to disclose and then forward Windows NT LAN Manager (NTLM) hashes to impersonate legitimate users on Exchange Server.

Bug-enabled Pass-the-Hash attacks

Microsoft had rated the bug as critical in severity (9.1 on the 10-point CVSS scale) but did not initially mark it as a zero-day when it released a fix on Tuesday. The company revised its advisory about the flaw on Wednesday to note that it had observed exploit activity in the wild, but without providing other details.

The company’s revision makes CVE-2024-21410 one of three zero-day bugs that Microsoft revealed this month. The other two are CVE-2024-21412, a security feature bypass flaw that a threat actor called Water Hydra (also known as Dark Casino) has used in attacks against financial traders, and CVE-2024-21351, a SmartScreen bypass vulnerability.

According to Microsoft, CVE-2024-21410 allows an attacker to target an NTLM client such as Outlook in an NTLM credential leak attack. “The leaked credentials can then be forwarded to the Exchange server to gain privileges as a victim client and perform operations on the Exchange server on behalf of the victim,” Microsoft said.

The issue in the case of CVE-2024-21410 is that versions of Exchange Server 2019 prior to the February 13 update do not enable NTLM relay protections, or Extended Protection for Authentication (EPA), by default. Without such protection, an attacker can forward leaked NTLM credentials from targets such as Outlook to Exchange Server, Microsoft said.

Cumulative update

The February 13 update, Cumulative Update (CU) 2024 H1 for Exchange Server 2019 (or CU14), enables this protection by default, which means that users who install it are protected from the CVE-2024-21410 threat. Microsoft has published an Exchange blog post with more information about the update and its protections against various threats.

Mayuresh Dani, head of security research at Qualys Threat Research Labs, says attackers likely won’t have trouble finding vulnerable Exchange servers to target. “By my last count, there were more than 200,000 Microsoft Exchange devices currently exposed to the public,” says Dani. “Surveying them using automation would take a few hours to get a list of affected systems.”

Mike Walters, president and CEO of Action1, says that organizations using versions of Exchange Server 2019 prior to CU14 will need to ensure they have EPA enabled in addition to installing the latest cumulative update. He says: “Administrators can also use the ExchangeExtendedProtectionManagement PowerShell script to enable EP in older versions of Exchange Server, such as Server 2016, which will also protect systems from attacks that target devices missing the CVE-2024-21410 patches.”

Pay attention to details

Before enabling EP on Exchange servers, however, administrators should evaluate their environment and review the issues that Microsoft has identified in the EP documentation to avoid breaking existing functionality, Walters advises.

“Administrators should be aware that EP only uses NTLMv2 and TLS 1.2 and later,” he says. Another consideration is the fact that extended protection is not supported in environments that use SSL offloading. Likewise, under certain circumstances organizations cannot enable extended protection on Exchange Server 2013, Exchange Server 2016 CU22, Exchange Server 2019 CU11, or earlier servers, and Exchange servers published with the Hybrid Agent.

“Additional issues are described on the Microsoft support website, and you need to be prepared to deal with them,” Walters says. “This update must be fully tested before implementation.” Organizations shouldn’t even try to apply the update without proper testing, he adds.
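A simplified model of the channel-binding check behind Extended Protection, added here as an illustration; it is not Microsoft's code and does not use real NTLM message formats. The HMAC construction, the certificate byte strings and all function names are assumptions, chosen to show why a relayed authentication is rejected once the server requires the binding and why SSL offloading breaks legitimate logins.

```python
import hashlib
import hmac
import os

def cbt(cert_der: bytes) -> bytes:
    """Channel binding token: a hash of the certificate on the TLS channel
    (the tls-server-end-point idea from RFC 5929)."""
    return hashlib.sha256(b"tls-server-end-point:" + cert_der).digest()

def client_response(secret: bytes, challenge: bytes, cert_seen: bytes) -> dict:
    """The client proves it knows the secret and binds that proof to the
    TLS endpoint it actually connected to."""
    token = cbt(cert_seen)
    proof = hmac.new(secret, challenge + token, hashlib.sha256).digest()
    return {"cbt": token, "proof": proof}

def server_accepts(secret, challenge, resp, server_cert, require_epa):
    """server_cert is the certificate on the server's own TLS channel,
    or None when TLS was terminated upstream (SSL offloading)."""
    expected = hmac.new(secret, challenge + resp["cbt"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, resp["proof"]):
        return False              # wrong secret, or the token was altered
    if not require_epa:
        return True               # pre-EPA behaviour: binding is ignored
    if server_cert is None:
        return False              # nothing to compare the binding against
    return hmac.compare_digest(resp["cbt"], cbt(server_cert))

def run_scenarios() -> dict:
    # All values below are constructed for this example.
    secret = hashlib.sha256(b"constructed-user-secret").digest()
    exchange = b"CONSTRUCTED-CERT:mail.example.test"
    relay = b"CONSTRUCTED-CERT:relay.example.test"
    balancer = b"CONSTRUCTED-CERT:lb.example.test"
    challenge = os.urandom(8)     # issued by the Exchange server
    direct = client_response(secret, challenge, exchange)
    relayed = client_response(secret, challenge, relay)   # client reached the relay's endpoint
    offloaded = client_response(secret, challenge, balancer)
    return {
        "direct, EPA required": server_accepts(secret, challenge, direct, exchange, True),
        "relayed, EPA off": server_accepts(secret, challenge, relayed, exchange, False),
        "relayed, EPA required": server_accepts(secret, challenge, relayed, exchange, True),
        "offloaded, EPA required": server_accepts(secret, challenge, offloaded, None, True),
    }

if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Because the token is covered by the proof, an intermediary cannot swap in the server's own token without invalidating the response.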

Attackers often use the so-called pass-the-hash method for lateral movement purposes. The tactic involves stealing a user’s NTLM hash from one computer and using it to log in to another computer, in this case an Exchange Server. One of its main advantages is that the tactic allows attackers to authenticate as a legitimate user on a target system without knowing the user’s password.

In 2023, the Russian advanced persistent threat group Fancy Bear (also known as Forest Blizzard and APT28) took advantage of a similar flaw (tracked as CVE-2023-23397) in a wave of information theft attacks which targeted Middle Eastern governments and several NATO countries. Microsoft has a resource dedicated to pass-the-hash attacks for organizations that want to learn more about the attack vector.


