Microsoft Exchange Server Flaw Exploited as a Zero-Day Bug

Microsoft has identified one of the critical vulnerabilities in Exchange Server that the company disclosed in February's Patch Tuesday update as actually being a zero-day threat that attackers are already actively exploiting.

CVE-2024-21410 is an elevation of privilege vulnerability that gives a remote, unauthenticated attacker a way to disclose and then relay Windows NT Lan Manager (NTLM) hashes to impersonate legitimate users on Exchange Server.

Bug Enabled Pass-the-Hash Attacks

Microsoft had assessed the bug as being of critical severity (9.1 on the 10-point CVSS scale) but initially did not flag it as a zero-day when releasing a fix for it Tuesday. The company revised its advisory for the flaw on Wednesday with a note about observing exploit activity in the wild but providing no other details.

The company's revision makes CVE-2024-2140 one of three zero-day bugs that Microsoft disclosed this month. The other two are CVE-2024-21412, a security feature bypass flaw that a threat actor called Water Hydra (aka Dark Casino) is using in attacks against financial traders; and CVE-2024-21351, a SmartScreen bypass vulnerability.

According to Microsoft, CVE-2024-21410 allows an attacker to target an NTLM client such as Outlook in an NTLM credential-leaking attack. "The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf," Microsoft said.

The problem in the case of CVE-2024-21410 has to do with versions of Exchange Server 2019 prior to the Feb. 13 update not enabling NTLM relay protections — or Extended Protection for Authentication (EPA) — by default. Without that protection, an attacker can relay leaked NTLM credentials from targets such as Outlook to Exchange Server, Microsoft said.

Cumulative Update

The Feb. 13 update — 2024 H1 Cumulative Update (CU) for Exchange Server 2019 (or CU14) — enables that protection by default, meaning users who implement it are protected against the threat from CVE-2024-21410. Microsoft has published an Exchange Blog Post for more information on the update and its protections against various threats.

Mayuresh Dani, manager of security research at Qualys threat research labs, says attackers are likely to have little trouble finding vulnerable Exchange Servers to target. "By my last count, there were more than 200,000 Microsoft Exchange devices currently exposed to the public," Dani says. "Sifting through these using automation would take a few hours to come up with a list of affected systems."

Mike Walters, president and CEO of Action1, says organizations using versions of Exchange Server 2019 prior to CU14 will need to ensure they have activated EPA alongside installing the latest cumulative update. He says, "Administrators can also use the ExchangeExtendedProtectionManagement PowerShell script to enable EP in earlier versions of Exchange Server, such as Server 2016, which will also protect systems from attacks that target devices that are missing the CVE-2024-21410 patches."

Pay Attention to the Details

Before enabling EP on Exchange Servers, however, administrators should assess their environment and review the issues that Microsoft has identified in its EP documentation to avoid disrupting existing functionality, Walters advises.

"Administrators should be aware that EP only uses NTLMv2 and TLS 1.2 and later," he says. Another consideration is the fact that Extended Protection isn't supported in environments that use SSL offloading. Similarly, under certain circumstances organizations cannot enable Extended Protection on Exchange Server 2013 servers, Exchange Server 2016 CU22, Exchange Server 2019 CU11 or older, and on Exchange servers that are published with the Hybrid Agent.

"Additional issues are described on the Microsoft support website and you must be prepared for them," Walters says. "This update needs to be fully tested before implementation." Organizations shouldn't even try to apply the update without proper testing, he adds.

Attackers often use a so-called pass-the-hash method for lateral movement purposes. The tactic involves stealing a user's NTLM hash from one computer and using it to access another computer, in this case an Exchange Server. One of its main appeals is that the tactic allows users to authenticate as a legitimate user on a target system without knowing the user's password.

In 2023, Russia's Fancy Bear advanced persistent threat group (aka Forest Blizzard and APT28) took advantage of a similar flaw (tracked as CVE-2023-23397) in a spate of information-stealing attacks that targeted governments in the Middle East and several NATO nations. Microsoft has a resource dedicated to pass-the-hash attacks for organizations that want to learn more about the attack vector.