CVE-2024-21410: Critical Exchange Server Flaw Under Attack

In a recent security update, Microsoft disclosed a critical vulnerability in the Exchange Server that had been actively exploited in the wild before its remediation on February Patch Tuesday.

The vulnerability, tracked as CVE-2024-21410 and assigned a CVSS score of 9.8, allows a remote, unauthenticated attacker to escalate privileges in NTLM Relay attacks targeting vulnerable Microsoft Exchange Server installations. In such attacks, the attacker compels a network device, such as a server or domain controller, to authenticate against an NTLM Relay server under their control. This allows the attacker to impersonate the targeted devices and elevate their privileges.

According to Microsoft, an attacker could target an NTLM client, such as Outlook, by exploiting a vulnerability that leaks NTLM credentials. The attacker could then relay the leaked credentials against the Exchange server to gain privileges as the victim client and perform operations on the Exchange server on the victim’s behalf.

To mitigate such attacks, Microsoft has introduced the Extended Protection for Authentication (EPA) mechanism, made available with Cumulative Update 14 (CU14) for Exchange Server 2019. EPA strengthens Windows Server authentication by mitigating NTLM Relay and man-in-the-middle (MitM) attacks. Microsoft has also announced that EPA is enabled by default on all Exchange servers once the CU14 update is installed.

Administrators of earlier Exchange Server versions can use the ExchangeExtendedProtectionManagement PowerShell script to enable EPA and protect against attacks exploiting CVE-2024-21410.
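A read-only audit of the Extended Protection setting that Microsoft's script configures, as an added example that is not part of this article and not Microsoft's ExchangeExtendedProtectionManagement script. It assumes it runs locally on an Exchange server with the IIS WebAdministration module, and the virtual-directory list below is an assumed selection of common Exchange paths, not an authoritative one.

```powershell
# Added example (not Microsoft's script): report the IIS Extended Protection
# (EPA) token-checking mode on Exchange virtual directories so an admin can
# confirm the setting actually took effect after CU14 or after running the
# ExchangeExtendedProtectionManagement script.
# Assumption: run on the Exchange server itself with the WebAdministration module.
Import-Module WebAdministration

# Assumption: common Exchange virtual directories on the two IIS sites.
$targets = @(
    @{ Site = 'Default Web Site'; VDirs = @('Autodiscover', 'ECP', 'EWS', 'MAPI', 'OAB', 'OWA', 'RPC') },
    @{ Site = 'Exchange Back End'; VDirs = @('Autodiscover', 'ECP', 'EWS', 'OAB', 'OWA', 'RPC') }
)

# IIS configuration section that holds the EPA settings for Windows authentication.
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$report = foreach ($t in $targets) {
    foreach ($vdir in $t.VDirs) {
        $location = "$($t.Site)/$vdir"
        try {
            $ep = Get-WebConfiguration -PSPath 'IIS:\' -Location $location -Filter $filter
            $tokenChecking = [string]$ep.tokenChecking   # None | Allow | Require
            $flags         = [string]$ep.flags           # e.g. None, Proxy, NoServiceNameCheck
        } catch {
            $tokenChecking = 'ERROR'
            $flags         = $_.Exception.Message
        }
        # 'None' means the server never checks the channel binding token, so an
        # NTLM exchange relayed through another TLS connection is still accepted.
        # Microsoft's script sets Allow or Require per directory; compare the
        # reported value against Microsoft's documented per-directory expectations.
        $status = if ($tokenChecking -eq 'None') { 'REVIEW' } else { 'SET' }
        [pscustomobject]@{
            Location      = $location
            TokenChecking = $tokenChecking
            Flags         = $flags
            Status        = $status
        }
    }
}

$report | Format-Table -AutoSize
```

Run it before and after enabling EPA to see which directories changed; a directory that still reports `None` has no protection against the relay described above.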