Follow-up on CU 14 for Exchange 2019 and vulnerability CVE-2024-21410 (Feb. 2024)

On February 13, 2024, the critical vulnerability CVE-2024-21410 in Microsoft Exchange Server became public. This Elevation of Privilege vulnerability has a CVSS v3 score of 9.8 and is likely to be exploited (soon). Security authorities are warning about this vulnerability. However, there was confusion among the blog readership because, as of February 13, there was only CU 14 for Exchange Server 2019, which does not explicitly close the vulnerability. What about Exchange Server 2016, and what do I need to do to be protected against CVE-2024-21410? Here is a review with a rough outline.


The vulnerability CVE-2024-21410

I pointed out the Microsoft Exchange Server Elevation of Privilege vulnerability CVE-2024-21410 in the blog post Microsoft Security Update Summary (February 13, 2024). The vulnerability is classified as critical with a CVSS v3.1 score of 9.8. Microsoft has since stated that attacks are taking place. Successful exploitation allows an attacker to relay a New Technology LAN Manager Version 2 (NTLMv2) hash to a vulnerable server. Such NTLM hashes can be abused in NTLM relay or pass-the-hash attacks to strengthen an attacker's position in an organization.

The German BSI's CERT has now issued a warning about this critical vulnerability, after Microsoft added the note that it is already being actively exploited. The vulnerability allows external attackers, in conjunction with potential further vulnerabilities in NTLM clients (such as Outlook), to authenticate to a vulnerable Exchange Server with stolen Net-NTLMv2 hash values and to perform actions with the permissions of the original victim.

Protecting the Exchange Server

When I wrote the posts on the February patchday, it was still unclear (to me) how to protect Exchange servers. As of February 13, 2024, there was only a cumulative update (CU 14) for Exchange Server 2019, which did not contain a dedicated patch for the vulnerability. It is now clear that the protection works differently and that Exchange Server 2016 can also be protected.

  • The NTLM relay attacks mentioned above can be prevented by the Exchange Server protection feature Extended Protection (EP), also known as Extended Protection for Authentication (EPA), which has been available since fall 2022.
  • The CU14 update for Exchange Server 2019 activates Extended Protection (EP) by default, so a server with CU 14 is protected. Without CU 14, Extended Protection must be explicitly activated on Exchange 2019.
  • For Exchange Server 2016, CU23 (from April 2022) and the security update from August 2022 must be installed, as support for Extended Protection was introduced there as an optional feature. Extended Protection must then be activated explicitly.

Further details can be found in the support article for CVE-2024-21410 and in this Exchange blog post.
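Since the protection depends on Extended Protection actually being active, an administrator will want to verify the per-virtual-directory setting rather than trust the CU level. The following PowerShell example is added here and is neither from this blog nor Microsoft's own tooling (Microsoft's ExchangeExtendedProtectionManagement.ps1 remains the supported way to inspect and enable EP): it reads the `tokenChecking` value that IIS persists in applicationHost.config and flags directories where EP is not enforced. The config path and the list of virtual directories are assumptions for illustration.

```powershell
# Added example (not from the blog post or from Microsoft): report the
# Extended Protection (EP) tokenChecking setting per Exchange virtual directory.
# Assumptions: run in an elevated PowerShell on the Exchange server; the
# virtual-directory list is illustrative, not Microsoft's authoritative list.
function Get-ExchangeEpStatus {
    param(
        [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config",
        # Illustrative front-end / back-end virtual directories (assumption)
        [string[]]$Locations = @(
            'Default Web Site/Autodiscover', 'Default Web Site/ECP', 'Default Web Site/EWS',
            'Default Web Site/MAPI', 'Default Web Site/OAB', 'Default Web Site/OWA',
            'Default Web Site/RPC',
            'Exchange Back End/Autodiscover', 'Exchange Back End/ECP', 'Exchange Back End/EWS',
            'Exchange Back End/OAB', 'Exchange Back End/OWA', 'Exchange Back End/RPC'
        )
    )
    [xml]$config = Get-Content -LiteralPath $ConfigPath -Raw
    foreach ($loc in $Locations) {
        # Per-virtual-directory overrides live in <location path="Site/VDir"> elements.
        # Note: this does not resolve settings inherited from a parent location.
        $node = $config.configuration.location | Where-Object { $_.path -eq $loc }
        $ep   = $node.'system.webServer'.security.authentication.windowsAuthentication.extendedProtection
        # IIS defaults tokenChecking to None when the attribute is absent
        $token = if ($ep -and $ep.tokenChecking) { $ep.tokenChecking } else { 'None (not set)' }
        [pscustomobject]@{
            VirtualDirectory = $loc
            TokenChecking    = $token
            # Allow or Require means channel binding is checked; None leaves NTLM relay possible
            Protected        = ($token -in @('Allow', 'Require'))
        }
    }
}

Get-ExchangeEpStatus | Format-Table -AutoSize
```

Any row with Protected = False is a virtual directory where EP is not enforced and should be reviewed with Microsoft's script before assuming the server is covered against CVE-2024-21410.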

Possible problems

At this point, a reference to this German comment from reader Edmund, whose clients can no longer connect to Outlook via MAPI/RPC over HTTPS. They are always prompted for user name and password, and even with correct credentials no login is possible. In a follow-up comment, the reader suspects certificate problems.

