CISA Warns of Active Exploitation of Cisco and Microsoft Exchange Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has added two vulnerabilities, CVE-2024-21410 and CVE-2020-3259, to its Known Exploited Vulnerabilities (KEV) catalog, signaling that both require urgent attention. Both are critical vulnerabilities, highlighting the ongoing battle between cybersecurity defenses and the evolving tactics of threat actors.
CVE-2024-21410 stands out due to its high severity score of 9.8, indicating its critical nature. This vulnerability allows remote, unauthenticated attackers to escalate privileges through NTLM relay attacks on vulnerable Microsoft Exchange Server versions. In these attacks, a threat actor coerces a network device, such as a server or domain controller, into authenticating against an NTLM relay server under the attacker's control. This enables the attacker to impersonate the targeted device and elevate privileges significantly.
Microsoft’s explanation sheds light on the mechanics of the attack: “An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.” Successfully exploiting this vulnerability allows an attacker to relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server, authenticating as the user and potentially wreaking havoc.
The second vulnerability, CVE-2020-3259, with a CVSS score of 7.5, targets the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software. This flaw permits an unauthenticated, remote attacker to retrieve memory contents from an affected device, posing a significant risk of confidential information disclosure. The vulnerability stems from a buffer tracking issue when parsing invalid URLs requested from the web services interface. An attacker exploiting this vulnerability through a crafted GET request could potentially access memory contents, leading to the disclosure of sensitive information.
In response to these actively exploited vulnerabilities, CISA has urged federal agencies to apply the necessary fixes by March 7, 2024, to safeguard their networks from potential threats. This situation underscores the critical importance of staying vigilant and responsive to cybersecurity alerts, as vulnerabilities can be exploited to compromise systems and access sensitive data.