{"id":33250,"date":"2024-02-16T00:01:17","date_gmt":"2024-02-15T23:01:17","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33250"},"modified":"2024-02-15T22:27:01","modified_gmt":"2024-02-15T21:27:01","slug":"follow-up-on-cu-14-for-exchange-2019-and-vulnerability-cve-2024-21410-feb-2024","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/02\/16\/follow-up-on-cu-14-for-exchange-2019-and-vulnerability-cve-2024-21410-feb-2024\/","title":{"rendered":"Follow-up on CU 14 for Exchange 2019 and vulnerability CVE-2024-21410 (Feb. 2024)"},"content":{"rendered":"

\"Exchange[German<\/a>]On February 13, 2024, a critical vulnerability CVE-2024-21410 in Microsoft Exchange Server became public. The Elevation of Privilege vulnerability has a CVEv3 score of 9.8 and is likely to be exploited (soon). Security authorities are warning about this vulnerability. However, there was confusion among the blog readership because as of February 13, there was only CU 14 for Exchange Server 2019, which does not explicitly close the vulnerability. What about Exchange Server 2016 and what do I need to do to be protected against CVE-2024-21410? Here is a review with a rough outline.<\/p>\n

<\/p>\n

The vulnerability CVE-2024-21410<\/h2>\n

\"\"I pointed out the Microsoft Exchange Server Elevation of Privilege vulnerability CVE-2024-21410<\/a> in the blog post Microsoft Security Update Summary (February 13, 2024)<\/a> from February 13, 2024. The vulnerability is classified as critical with a CVEv3.1 score of 9.8. Microsoft has since stated that attacks are taking place. Successful exploitation of this vulnerability allows an attacker to forward a New Technology LAN Manager Version 2 (NTLMv2) hash against a vulnerable server. NTLM hashes could be abused in NTLM relay or pass-the-hash attacks to strengthen an attacker's position in an organization.<\/p>\n

German CERT BSI warns<\/a>has now been issued against this critical vulnerability, after Microsoft added the note that the vulnerability is already being actively exploited. The vulnerability allows external attackers in connection with potential further vulnerabilities in NTLM clients (such as Outlook) to authenticate themselves to a vulnerable Exchange Server with stolen Net-NTLMv2 hash values and perform actions with the authorizations of the original victim.\u00a0inzwischen vor dieser kritischen Schwachstelle, nachdem Microsoft den Hinweis, dass die Sicherheitsl\u00fccke bereits aktiv ausgenutzt wird, erg\u00e4nzt hat. Die Schwachstelle erm\u00f6glicht es externen Angreifenden im Zusammenhang mit potenziellen weiteren Verwundbarkeiten in NTLM-Clients (wie Outlook), sich mit entwendeten Net-NTLMv2-Hashwerten bei einem verwundbaren Exchange Server zu authentifizieren und Aktionen mit den Berechtigungen des urspr\u00fcnglichen Opfers durchzuf\u00fchren.<\/p>\n

Protecting the Exchange Server<\/h2>\n

When I wrote the posts on Feb. patchday, it was still unclear (to me) how to protect Exchange servers. As of February 13, 2024, there was only a cumulative update (CU 14) for Exchange Server 2019, which did not contain a patch against the vulnerability. It is now clear that the protection works differently and that Exchange Server 2016 can also be protected.<\/p>\n