Skip to content

Microsoft fortifies Exchange Server against zero-day exploits

  • by
  • 2 min read

Microsoft has highlighted a critical vulnerability in the Exchange Server that had been exploited as a zero-day in an updated security advisory. Tracked as CVE-2024-21410, this security flaw allowed remote unauthenticated threat actors to escalate privileges in NTLM relay attacks targeting vulnerable versions of Microsoft Exchange Server.

In NTLM relay attacks, threat actors compel network devices, including servers or domain controllers, to authenticate against an NTLM relay server under their control. This enables them to impersonate targeted devices and elevate privileges within the system.

To address this vulnerability, Microsoft introduced the Exchange Server 2019 Cumulative Update 14 (CU14), which enables NTLM credentials Relay Protections, also known as Extended Protection for Authentication (EPA). Extended Protection is designed to strengthen Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle attacks.

“An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user,” explains Microsoft.

Microsoft confirmed that the Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month’s 2024 H1 Cumulative Update, commonly referred to as CU14.

Microsoft has recently patched 73 vulnerabilities including two zero-days.

Administrators who are using previous versions of Exchange Server, such as Exchange Server 2016, can utilise the ExchangeExtendedProtectionMangement PowerShell script to activate EP and protect their systems against attacks targeting devices unpatched against CVE-2024-21410.

However, Microsoft has advised administrators to carefully evaluate their environments and review the issues outlined in Microsoft’s documentation for the EP toggle script before enabling EP on their Exchange servers. This precaution is crucial to avoid potential functionality breaks that may occur post-implementation.

For those, who already ran the script, Microsoft has this to say “If, for example, you are running Exchange Server 2019 CU13 or earlier and you have previously run the script then you are protected from this vulnerability, however, Microsoft strongly suggests installing the latest cumulative update.”

Microsoft recently patched two zero-days and five critical vulnerabilities in the Patch Tuesday for February 2024.

In the News: OpenAI tests memory feature that allows AI to retain information

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me

>