CVE-2024-21410 (CVSS 9.8): Microsoft Exchange Server Flaw is Actively Exploited
Microsoft has sounded the alarm on a critical security vulnerability within the Exchange Server (CVE-2024-21410, CVSS 9.8) that has already been exploited in the wild before this month’s Patch Tuesday fixes. This flaw offers remote, unauthenticated threat actors a pathway to privilege escalation through NTLM relay attacks.
This vulnerability stems from weaknesses in the NTLM protocol. Attackers can leverage NTLM credential leaks on clients (e.g., Outlook) and relay those credentials against vulnerable Exchange Servers, effectively impersonating the targeted user. Successful exploitation grants attackers elevated privileges, paving the way for further malicious activity.
“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” Microsoft explains.
“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”
“An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.”
Recognizing the gravity of the situation, Microsoft’s countermeasure came in the form of Exchange Server 2019 Cumulative Update 14 (CU14), which introduced NTLM credential relay protections, a safeguard known as Extended Protection for Authentication (EPA, abbreviated EP below).
If you have servers that currently do not meet the prerequisites for EP, please see the following table:
| Scenario that does not support EP | Action to take |
| --- | --- |
| SSL Offloading for Outlook Anywhere | SSL Offloading for Outlook Anywhere must be disabled. If Extended Protection is enabled via Exchange Server CU14, the installer will take care of disabling SSL Offloading for Outlook Anywhere. |
| SSL Offloading on Load Balancer | SSL Offloading is not supported. Use SSL bridging instead with the same SSL certificate as on the Exchange Server IIS front end. |
| Public folders hosted on Exchange Server 2013, 2016 CU22 (or older) or 2019 CU11 (or older) | Move all Public folders to currently supported versions, and decommission Exchange Server 2013, which is out of support. Check this table for your Public Folder scenario. |
| Modern Hybrid agent is used to publish Exchange Server to the internet in a hybrid scenario | Identify the Exchange Servers which are published via the Modern Hybrid agent by following the steps outlined in this section of documentation. On these servers, run Exchange Server CU14 setup in unattended mode and use the /DoNotEnableEP_FEEWS switch to not enable Extended Protection on the EWS front end virtual directory. |
Administrators with Exchange Server 2016 can deploy EP using the ExchangeExtendedProtectionManagement PowerShell script provided by Microsoft.
Before enabling EP, administrators must thoroughly evaluate their environments due to potential compatibility issues with certain features. A careful review of Microsoft’s documentation on the EP toggle script is essential to prevent disruptions.
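As an added, read-only audit example (not from the article and not Microsoft's ExchangeExtendedProtectionManagement script), the following Exchange Management Shell snippet checks the two prerequisites the table above calls out on the local server: whether Extended Protection token checking is set on the front-end virtual directories, and whether SSL offloading for Outlook Anywhere is still enabled. It assumes the default IIS site name "Default Web Site" and a representative list of virtual directories; Microsoft's script holds the authoritative list.

```powershell
# Added example: audit Extended Protection prerequisites on the local Exchange server.
# Assumptions: default IIS site name, common front-end vdirs (not an exhaustive list).
Import-Module WebAdministration

$siteName = 'Default Web Site'
$vdirs    = @('Autodiscover','ECP','EWS','mapi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC')
$filter   = 'system.webServer/security/authentication/windowsAuthentication'

$report = foreach ($v in $vdirs) {
    $path = "IIS:\Sites\$siteName\$v"
    if (-not (Test-Path $path)) { continue }   # vdir not present on this server role

    # tokenChecking is the IIS setting behind Extended Protection for Authentication.
    # Depending on the IIS module version the cmdlet returns either the raw value or
    # a ConfigurationAttribute object with a .Value member; handle both.
    $raw = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name 'extendedProtection.tokenChecking'
    $tc  = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }

    [pscustomobject]@{
        VirtualDirectory = $v
        TokenChecking    = $tc                        # 'None' means EP is not enforced here
        EPConfigured     = ($tc -in @('Require','Allow'))
    }
}

"== Extended Protection (tokenChecking) per virtual directory =="
$report | Format-Table -AutoSize

# Prerequisite from the table: SSL offloading for Outlook Anywhere must be disabled.
"== Outlook Anywhere SSL offloading (must be False before enabling EP) =="
Get-OutlookAnywhere -Server $env:COMPUTERNAME |
    Select-Object Server, SSLOffloading,
                  ExternalClientAuthenticationMethod, InternalClientAuthenticationMethod |
    Format-Table -AutoSize

# Surface the findings that need action before (or after) running CU14 / the EP script.
$gaps = @($report | Where-Object { -not $_.EPConfigured })
if ($gaps.Count -gt 0) {
    "Virtual directories without Extended Protection: " + ($gaps.VirtualDirectory -join ', ')
} else {
    "All checked virtual directories have Extended Protection configured."
}
```

Run it on each Exchange server; a `TokenChecking` of `None` or an `SSLOffloading` of `True` is a gap to resolve per the table before relying on EP as the mitigation.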