Microsoft Warns About New Zero-Day Exchange Server Privilege Escalation Vulnerability


Key Takeaways:

  • Microsoft has disclosed a zero-day flaw in Exchange Server that lets a remote attacker relay a victim's leaked NT LAN Manager (NTLM) credentials to the server and impersonate that user.
  • Microsoft released Exchange Server 2019 Cumulative Update 14 (CU14) to address the vulnerability.
  • CU14 enables the Extended Protection feature by default on Exchange Server 2019, which blocks NTLM relay and other man-in-the-middle (MitM) attacks against Exchange authentication.

Microsoft has released an advisory for a critical vulnerability in Exchange Server. The company disclosed the zero-day flaw as part of the February 2024 Patch Tuesday updates and cautioned that it is already being actively exploited in the wild.

The vulnerability, tracked as CVE-2024-21410, is an elevation of privilege flaw with a CVSS score of 9.8. It allows an attacker to relay a user's leaked NTLM credentials against the Exchange server and impersonate that user. In an NTLM relay attack the attacker does not need to crack or even possess the victim's password hash: it sits between the victim and a target server and forwards the victim's NTLM challenge-response authentication to that server, which then treats the attacker's session as the victim's. Extended Protection defeats this by binding the authentication to the TLS channel on which it was performed, so a response captured on one connection is rejected when replayed on another.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf,” the Exchange team explained.

Microsoft enables Exchange Server Extended Protection to block NTLM relay attacks

Microsoft released Exchange Server 2019 Cumulative Update 14 (CU14), which addresses CVE-2024-21410 by turning on NTLM relay protections, specifically Extended Protection for Authentication (EPA), by default on Exchange Server 2019.

Exchange Server Extended Protection is a security feature that adds channel binding to the existing Windows authentication in IIS to mitigate authentication relay and man-in-the-middle attacks. Previously, IT admins had to enable Extended Protection (EP) in Exchange Server environments manually. With CU14, Microsoft now enables the feature by default for all Exchange Server 2019 customers.

Microsoft says that administrators can use the ExchangeExtendedProtectionManagement.ps1 PowerShell script to enable EP on Exchange Server 2016 and on Exchange Server 2019 installations that have not yet taken CU14. Doing so hardens those servers against credential relay and MitM attacks. Microsoft strongly recommends, however, that admins test Extended Protection in a representative environment before rolling it out to production Exchange servers, because it changes how clients are authenticated.

It is important to note that Extended Protection works only with NTLMv2 (NTLMv1 clients will fail to authenticate) and requires TLS 1.2 or later. The feature is also unsupported in environments that use SSL offloading, where TLS is terminated on a load balancer in front of Exchange, because the channel binding must be computed on the TLS session that reaches the Exchange server; SSL bridging, where the load balancer re-encrypts traffic to Exchange using the same certificate, remains supported. Microsoft advises organizations to review the complete list of known issues in its Extended Protection documentation before enabling the feature, to avoid disruptions to mail clients and integrations.
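The following is an added example, not code from the article and not Microsoft's ExchangeExtendedProtectionManagement.ps1 (which performs its own, more thorough prerequisite checks before making changes). It is a read-only pre-flight check an admin could run in the Exchange Management Shell on each server before enabling Extended Protection: it verifies the three prerequisites discussed above (NTLMv2 only, TLS 1.2 enabled, no SSL offloading on Outlook Anywhere) and then reports the current Extended Protection setting of every Exchange virtual directory in IIS. It assumes the WebAdministration module that ships with IIS is installed, and that Exchange cmdlets are available for the Outlook Anywhere check.

```powershell
# Added example (not from the article or from Microsoft's script): read-only
# pre-flight check for Exchange Extended Protection prerequisites.
# Run in the Exchange Management Shell, as an administrator, on each server.
# Assumption: the WebAdministration module (installed with IIS) is present.
Import-Module WebAdministration -ErrorAction Stop

$findings = [System.Collections.Generic.List[string]]::new()

# --- 1. NTLMv2 only ---------------------------------------------------------
# LmCompatibilityLevel 3 or higher means the server sends NTLMv2 responses only;
# Extended Protection does not work with NTLMv1 clients.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 3 }  # 3 is the OS default when the value is absent
if ($lmLevel -lt 3) {
    $findings.Add("LmCompatibilityLevel is $lmLevel; set it to 3 or higher (NTLMv2 only) before enabling Extended Protection.")
}

# --- 2. TLS 1.2 enabled in SCHANNEL -----------------------------------------
# If the key is absent the OS default applies, which has TLS 1.2 enabled on
# supported Windows Server versions; only an explicit disable is a finding.
$tls12Server = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
if (Test-Path $tls12Server) {
    $tls = Get-ItemProperty -Path $tls12Server
    if (($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1)) {
        $findings.Add('TLS 1.2 is disabled for the SCHANNEL server side; Extended Protection requires TLS 1.2 or later.')
    }
}

# --- 3. No SSL offloading on Outlook Anywhere -------------------------------
# Channel binding needs the TLS session to terminate on the Exchange server.
if (Get-Command Get-OutlookAnywhere -ErrorAction SilentlyContinue) {
    Get-OutlookAnywhere -Server $env:COMPUTERNAME | ForEach-Object {
        if ($_.SSLOffloading) {
            $findings.Add("Outlook Anywhere on $($_.Server) has SSLOffloading enabled; run Set-OutlookAnywhere -SSLOffloading `$false first.")
        }
    }
} else {
    $findings.Add('Exchange cmdlets not loaded; run this from the Exchange Management Shell to check Outlook Anywhere SSL offloading.')
}

# --- 4. Current Extended Protection setting per virtual directory -----------
# tokenChecking: None    = channel binding not enforced (relay still possible)
#                Allow   = enforced only for clients that send a channel binding token
#                Require = enforced for every client
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$epState = foreach ($site in 'Default Web Site', 'Exchange Back End') {
    foreach ($app in Get-WebApplication -Site $site) {
        $vdir = $app.path.TrimStart('/')
        $cfg  = Get-WebConfiguration -Filter $epFilter -PSPath "IIS:\Sites\$site\$vdir" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Site               = $site
            VirtualDirectory   = $vdir
            ExtendedProtection = if ($cfg) { $cfg.tokenChecking } else { 'n/a' }
        }
    }
}

$epState | Format-Table -AutoSize

if ($findings.Count -eq 0) {
    Write-Host 'Prerequisites look satisfied; test Extended Protection in a lab before enabling it in production.'
} else {
    Write-Warning 'Resolve the following before enabling Extended Protection:'
    $findings | ForEach-Object { Write-Warning "  $_" }
}
```

The script changes nothing; it only reads the registry, the Outlook Anywhere configuration and the IIS `extendedProtection` element. A virtual directory showing `None` after CU14 or after running Microsoft's script is worth investigating, since that directory would still accept a relayed NTLM authentication. The SSL offloading check covers Outlook Anywhere only; other front-end offloading (for example a load balancer terminating TLS for OWA or EWS) has to be verified on the load balancer itself.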