Home / Cyber Security Insights

 was posted in 
Peter Bassill
February 17, 2024

Microsoft acknowledged what we already knew, that a freshly patched newly privilege escalation vulnerability, CVE-2024-21410, was being exploited. The patch was released on the 13th of Febraury and by the evening of the 15th we were seeing exploitation.

In the security advisory published by Microsoft, the advised "An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability, The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."

What this means practically, is that a successful exploitation would permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user.

We understand that Microsoft have now revised their Exploitability Assessment to "Exploitation Detected." Extended Protection for Authentication (EPA) is now enabled by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.

The root cause of the vulnerability comes from the incorrect parsing of "file://" hyperlinks.  It is possible to achieve code execution by adding an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., "file:///\\\file\file.rtf!do-something-naughty").

While Microsoft have lead with the leaking of the local NTLM information, it may also allow remote code execution. It may also be possible to bypass the Office Protected View when it's used as an attack vector to target other Office applications.

Microsoft's Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.

How to fix the vulnerability

Microsoft has released Exchange Server 2019 Cumulative Update 14 (CU14), which introduces NTLM Credentials Relay Protections, also known as Extended Protection for Authentication (EPA). This enhanced security measure aims to fortify authentication mechanisms within Windows Server, thereby thwarting relay and man-in-the-middle (MitM) attacks.

For organizations utilizing Exchange Server 2019 CU14, Extended Protection will be enabled by default following the 2024 H1 Cumulative Update. However, for earlier versions of Exchange Server, administrators have the option to enable Extended Protection using the ExchangeExtendedProtectionManagement PowerShell script provided by Microsoft.

Administrators can utilize the ExchangeExtendedProtectionManagement script to automate the configuration of Extended Protection features on Exchange Servers. This script ensures that all servers meet the necessary prerequisites for successful implementation.

ExchangeExtendedProtectionManagement Script Usage

1. Enable Extended Protection on all Exchange Servers:

PS C:\> .\ExchangeExtendedProtectionManagement.ps1

2. Enable Extended Protection on specific Exchange Servers:

PS C:\> .\ExchangeExtendedProtectionManagement.ps1 -ExchangeServerNames

3. Collect IP addresses for IP restriction:

PS C:\> .\ExchangeExtendedProtectionManagement.ps1 -FindExchangeServerIPAddresses -OutputFilePath "C:\temp\ExchangeIPs.txt"

4. Enable IP restriction for specific virtual directories:

PS C:\> .\ExchangeExtendedProtectionManagement.ps1 -RestrictType "EWSBackend" -IPRangeFilePath "C:\temp\ExchangeIPs.txt"


ExchangeServerNamesA list of servers to pass that you want to run the script against. This can be used for configuration or rollback.
SkipExchangeServerNamesA list of server to pass that you don't want to execute the script for configuration or rollback.
ShowExtendedProtectionShow the current configuration of Extended Protection for the passed server list.
ExcludeVirtualDirectoriesUsed to not enable Extended Protection on particular virtual directories. The following values are allowed: EWSFrontEnd.
FindExchangeServerIPAddressesUse this to collect a list of the Exchange Server IPs that should be used for IP Restriction.
OutputFilePathIs a custom file path to be used to export the list of Exchange Server IPs collected from FindExchangeServerIPAddresses. Default value is the local location IPList.txt.
IPRangeFilePathIs the path to the file that contains all the IP Addresses or subnets that are needed to be in the IP Allow list for Mitigation.v
RestrictTypeTo enable a IP Restriction on a virtual directory. Must be used with IPRangeFilePath. The following values are allowed: EWSBackend
ValidateTypeTo verify if the IP Restrictions have been applied correctly. Must be used with IPRangeFilePath. The following values are allowed: RestrictTypeEWSBackend
RollbackTypeUsing this parameter will allow you to rollback using the type you specified. The following values are allowed: RestoreIISAppConfig, RestrictTypeEWSBackend, RestoreConfiguration
DisableExtendedProtectionUsing this parameter will disable extended protection for the servers you specify. This is done by setting all the configured locations back to None regardless of what the original value was set to prior to configuration or if it was enabled by default.
SkipAutoUpdateSkips over the Auto Update feature to download the latest version of the script.

Find Peace with SOC365

Defend against Cyber Attacks
Report on Cyber Success

By clicking Sign Up you're confirming that you agree with our Terms and Conditions.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
AirSwift Template Image