CVE-2024-21410
Microsoft acknowledged what we already knew: that a freshly patched privilege escalation vulnerability, CVE-2024-21410, was being exploited. The patch was released on the 13th of February and by the evening of the 15th we were seeing exploitation.
In the security advisory published by Microsoft, they advised: "An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf."
What this means practically is that successful exploitation would permit an attacker to relay a user's leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as that user.
We understand that Microsoft have now revised their Exploitability Assessment to "Exploitation Detected." Extended Protection for Authentication (EPA) is now enabled by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.
The root cause of the vulnerability comes from the incorrect parsing of "file://" hyperlinks. It is possible to achieve code execution by adding an exclamation mark to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., "file:///\\www.xxx.yyy.zzz\file\file.rtf!do-something-naughty").
While Microsoft have led with the leaking of the local NTLM information, it may also allow remote code execution. It may also be possible to bypass Office Protected View when the flaw is used as an attack vector against other Office applications.
Microsoft's Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.
How to fix the vulnerability
Microsoft has released Exchange Server 2019 Cumulative Update 14 (CU14), which introduces NTLM Credentials Relay Protections, also known as Extended Protection for Authentication (EPA). This enhanced security measure aims to fortify authentication mechanisms within Windows Server, thereby thwarting relay and man-in-the-middle (MitM) attacks.
For organizations utilizing Exchange Server 2019 CU14, Extended Protection will be enabled by default following the 2024 H1 Cumulative Update. However, for earlier versions of Exchange Server, administrators have the option to enable Extended Protection using the ExchangeExtendedProtectionManagement PowerShell script provided by Microsoft.
Administrators can utilize the ExchangeExtendedProtectionManagement script to automate the configuration of Extended Protection features on Exchange Servers. This script ensures that all servers meet the necessary prerequisites for successful implementation.
ExchangeExtendedProtectionManagement Script Usage
1. Enable Extended Protection on all Exchange Servers:
2. Enable Extended Protection on specific Exchange Servers:
3. Collect IP addresses for IP restriction:
4. Enable IP restriction for specific virtual directories:
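As an added example (not from the page and not Microsoft's script), the following read-only audit uses the IIS WebAdministration cmdlets to report the Extended Protection setting on each Exchange virtual directory, so an administrator can confirm the relay protection is actually in force after running the script above; the list of virtual directories is an assumption and should be adjusted to the server's IIS layout.

```powershell
# Added example, not part of the original page or Microsoft's script: report the
# Extended Protection (EPA) token-checking setting of each Exchange virtual
# directory in IIS. Assumes the WebAdministration module is available on the server.
Import-Module WebAdministration

# Assumed front-end and back-end vDirs; adjust to the server's actual IIS layout.
$vdirs = @(
    'Default Web Site/Autodiscover', 'Default Web Site/ecp', 'Default Web Site/EWS',
    'Default Web Site/MAPI', 'Default Web Site/OAB', 'Default Web Site/owa',
    'Default Web Site/Rpc',
    'Exchange Back End/Autodiscover', 'Exchange Back End/ecp', 'Exchange Back End/EWS',
    'Exchange Back End/MAPI/emsmdb', 'Exchange Back End/OAB', 'Exchange Back End/owa',
    'Exchange Back End/Rpc'
)
$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$report = foreach ($v in $vdirs) {
    $path = 'IIS:\Sites\' + ($v -replace '/', '\')
    if (-not (Test-Path $path)) { continue }        # vDir not present on this role
    $ep = Get-WebConfiguration -Filter $filter -PSPath $path
    [pscustomobject]@{
        VirtualDirectory = $v
        TokenChecking    = "$($ep.tokenChecking)"   # None | Allow | Require
        Flags            = "$($ep.flags)"           # e.g. None, Proxy, NoServiceNameCheck
    }
}

$report | Format-Table -AutoSize

# 'None' means the channel binding token is never checked, so a relayed NTLM
# authentication is still accepted. 'Allow' checks the binding only when the
# client supplies one; 'Require' rejects clients that do not.
$unprotected = $report | Where-Object TokenChecking -eq 'None'
if ($unprotected) {
    Write-Warning ('EPA not enforced on: ' + ($unprotected.VirtualDirectory -join ', '))
} else {
    Write-Host 'Extended Protection is configured on every checked virtual directory.'
}
```

Run it in an elevated Exchange Management Shell on each server; it changes nothing, so it is safe to schedule as a recurring drift check.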
Parameters