Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting.
CVE-2024-21410 is an elevation of privilege vulnerability that gives a remote, unauthenticated attacker a way to disclose and then relay Windows NT LAN Manager (NTLM) hashes to impersonate legitimate users on Exchange Server.
Bug Enabled Pass-the-Hash Attacks
Microsoft had assessed the bug as being of critical severity but initially did not flag it as a zero-day when releasing a fix for it on Tuesday.
The company revised its advisory for the flaw on Wednesday with a note about observing exploit activity in the wild but providing no other details.
The company's revision makes CVE-2024-21410 one of three zero-day bugs that Microsoft disclosed this month.
The other two are CVE-2024-21412, a security feature bypass flaw that a threat actor called Water Hydra is using in attacks against financial traders; and CVE-2024-21351, a SmartScreen bypass vulnerability.
According to Microsoft, CVE-2024-21410 allows an attacker to target an NTLM client such as Outlook in an NTLM credential-leaking attack.
The problem in the case of CVE-2024-21410 has to do with versions of Exchange Server 2019 prior to the Feb. 13 update not enabling NTLM relay protections - or Extended Protection for Authentication - by default.
Without that protection, an attacker can relay leaked NTLM credentials from targets such as Outlook to Exchange Server, Microsoft said.
Cumulative Update
The Feb. 13 update - 2024 H1 Cumulative Update for Exchange Server 2019 - enables that protection by default, meaning users who implement it are protected against the threat from CVE-2024-21410.
Mayuresh Dani, manager of security research at Qualys threat research labs, says attackers are likely to have little trouble finding vulnerable Exchange Servers to target.
Mike Walters, president and CEO of Action1, says organizations using versions of Exchange Server 2019 prior to CU14 will need to ensure they have activated EPA alongside installing the latest cumulative update.
Pay Attention to the Details
Before enabling EP on Exchange Servers, administrators should assess their environment and review the issues that Microsoft has identified in its EP documentation to avoid disrupting existing functionality, Walters advises.
Another consideration is the fact that Extended Protection isn't supported in environments that use SSL offloading.
Under certain circumstances organizations cannot enable Extended Protection on Exchange Server 2013 servers, Exchange Server 2016 CU22, Exchange Server 2019 CU11 or older, and on Exchange servers that are published with the Hybrid Agent.
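Since the mitigation for CVE-2024-21410 comes down to whether Extended Protection is actually switched on for each Exchange virtual directory, an administrator on an older cumulative update will want to verify that state rather than assume it. The following PowerShell is an added example, not code from the article or from Microsoft's own EP script; it reads the per-directory extendedProtection setting that IIS stores in applicationHost.config. The file path is the standard IIS location, and the sample configuration embedded below is constructed so the script runs offline; it does not describe any real server, and Microsoft's EP documentation remains the authority on which directory should be set to Allow versus Require.

```powershell
# Added example, not code from the article or from Microsoft: audit the
# Extended Protection for Authentication (EP) setting that IIS stores for each
# Exchange virtual directory in applicationHost.config.
# Assumptions: the config path is the standard IIS location; the sample config
# below is constructed for an offline run and does not describe any real server.

function Get-ExtendedProtectionState {
    param([Parameter(Mandatory)] [xml] $ApplicationHostConfig)

    # IIS keeps per-virtual-directory settings in <location path="Site/VDir"> blocks.
    foreach ($loc in $ApplicationHostConfig.configuration.location) {
        $winAuth = $loc.SelectSingleNode('system.webServer/security/authentication/windowsAuthentication')
        if ($null -eq $winAuth) { continue }   # no Windows auth block, nothing to relay-protect here

        # A missing <extendedProtection> element means the IIS default, tokenChecking="None".
        $ep = $winAuth.SelectSingleNode('extendedProtection')
        $tokenChecking = if ($null -ne $ep -and $ep.tokenChecking) { $ep.tokenChecking } else { 'None' }

        [pscustomobject]@{
            Path          = $loc.path
            WindowsAuth   = ($winAuth.enabled -eq 'true')
            TokenChecking = $tokenChecking
            # "Allow" accepts but does not require channel binding; "Require" enforces it.
            Protected     = ($tokenChecking -in @('Allow', 'Require'))
        }
    }
}

# Constructed sample: one directory with EP required, one with EP absent,
# one with EP allowed but not required.
$sampleConfig = [xml]@"
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/Rpc">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
"@

# On a real server read the live file (needs local admin); otherwise fall back to the sample.
$liveConfig = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$config = if (Test-Path $liveConfig) { [xml](Get-Content -Path $liveConfig -Raw) } else { $sampleConfig }

# Report every directory where Windows auth is on but EP is still "None".
Get-ExtendedProtectionState -ApplicationHostConfig $config |
    Where-Object { $_.WindowsAuth -and -not $_.Protected } |
    Format-Table Path, TokenChecking -AutoSize
```

Against the sample, only Default Web Site/Autodiscover is reported, because it has Windows authentication enabled with no extendedProtection element. A Require or Allow value is only meaningful when TLS terminates at the Exchange server itself: with SSL offloading in front of it, the channel binding EP relies on is broken, which is exactly the unsupported scenario the article calls out.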
Attackers often use a so-called pass-the-hash method for lateral movement purposes.
The tactic involves stealing a user's NTLM hash from one computer and using it to access another computer, in this case an Exchange Server.
One of its main appeals is that the tactic allows an attacker to authenticate as a legitimate user on a target system without knowing that user's password.
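From the defender's side, the trace a pass-the-hash or NTLM relay leaves on the Exchange server is a successful network logon (Security event 4624, logon type 3) that used NTLM rather than Kerberos, typically from a source address the account has never used. The PowerShell below is an added example, not code from the article, showing one heuristic for that: group NTLM network logons per account and flag accounts seen from more distinct source addresses than expected. The threshold and the sample logon records are constructed for the example; the event field names (TargetUserName, LogonType, AuthenticationPackageName, IpAddress, WorkstationName) are the standard 4624 EventData fields.

```powershell
# Added example, not code from the article: a defender-side heuristic for spotting
# pass-the-hash / NTLM relay activity in Windows Security event 4624 (logon success).
# NTLM network logons (LogonType 3) for one account arriving from several different
# source addresses are worth a look, because a relayed or replayed hash lets an
# attacker authenticate from a machine the user never touched.
# Assumptions: the threshold and the sample events below are constructed for the example.

function ConvertFrom-LogonEvent {
    # Flatten one 4624 record (as returned by Get-WinEvent) into the fields the heuristic needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            TargetUser  = $data.TargetUserName
            LogonType   = [int]$data.LogonType
            AuthPackage = $data.AuthenticationPackageName
            IpAddress   = $data.IpAddress
            Workstation = $data.WorkstationName
        }
    }
}

function Find-SuspiciousNtlmLogons {
    param(
        [Parameter(Mandatory)] [object[]] $Logons,
        [int] $MaxSourcesPerAccount = 1          # assumption: tune per environment
    )
    # Kerberos is the expected path for domain users; NTLM over the network is the relay surface.
    $ntlm = $Logons | Where-Object { $_.LogonType -eq 3 -and $_.AuthPackage -eq 'NTLM' }
    foreach ($group in ($ntlm | Group-Object -Property TargetUser)) {
        $sources = @($group.Group.IpAddress | Sort-Object -Unique)
        if ($sources.Count -gt $MaxSourcesPerAccount) {
            [pscustomobject]@{
                Account      = $group.Name
                SourceCount  = $sources.Count
                Sources      = ($sources -join ', ')
                Workstations = (@($group.Group.Workstation | Sort-Object -Unique) -join ', ')
            }
        }
    }
}

# Constructed sample logons (not real telemetry): alice reaches Exchange from her
# workstation and then, via NTLM, from a second address she has never used.
$sample = @(
    [pscustomobject]@{ Time='2024-02-14T09:00:00'; TargetUser='alice'; LogonType=3; AuthPackage='Kerberos'; IpAddress='10.0.1.20';   Workstation='ALICE-PC' }
    [pscustomobject]@{ Time='2024-02-14T09:05:00'; TargetUser='alice'; LogonType=3; AuthPackage='NTLM';     IpAddress='10.0.1.20';   Workstation='ALICE-PC' }
    [pscustomobject]@{ Time='2024-02-14T09:06:00'; TargetUser='alice'; LogonType=3; AuthPackage='NTLM';     IpAddress='203.0.113.7'; Workstation='ALICE-PC' }
    [pscustomobject]@{ Time='2024-02-14T09:07:00'; TargetUser='bob';   LogonType=3; AuthPackage='NTLM';     IpAddress='10.0.1.31';   Workstation='BOB-PC' }
)

# On the Exchange server itself, swap the sample for live events, e.g.:
#   $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=(Get-Date).AddHours(-1) } | ConvertFrom-LogonEvent
Find-SuspiciousNtlmLogons -Logons $sample | Format-Table -AutoSize
```

On the sample, alice is flagged (two NTLM sources, 10.0.1.20 and 203.0.113.7) while bob is not. The Workstations column is there because a relayed NTLM exchange carries the victim's workstation name while the connection arrives from the relaying host, so one workstation name paired with an unrelated source address is a second signal worth correlating with the first.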
In 2023, Russia's Fancy Bear advanced persistent threat group took advantage of a similar flaw in a spate of information-stealing attacks that targeted governments in the Middle East and several NATO nations.
Microsoft has a resource dedicated to pass-the-hash attacks for organizations that want to learn more about the attack vector.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 15 Feb 2024 21:35:08 +0000