Teacher
The company acknowledged that Exchange Server was attacked before the patch was released.
In a fresh security update, Microsoft warned of a critical vulnerability in Exchange Server that was exploited as a 0-day before being patched on Patch Tuesday in February.
CVE-2024-21410 (CVSS score: 9.8) allows a remote unauthorized attacker to increase their privileges in NTLM Relay attacks on vulnerable versions of Microsoft Exchange Server. In such attacks, the attacker forces a network device (including servers or domain controllers) to authenticate to the NTLM Relay server under its control in order to impersonate the target devices and increase privileges.
As Microsoft explains, a hacker can target the NTLM client, Outlook, exploiting a vulnerability that leads to a leak of NTLM credentials. The exposed credentials can then be redirected to the Exchange server to gain privileges as a victim client and perform operations on the Exchange server on behalf of the victim.
To protect against such attacks, Microsoft introduced the Extended Protection for Authentication (EPA) mechanism, which became available with Cumulative Update 14 (CU14) for Exchange Server 2019. The EPA option is designed to strengthen Windows Server authentication functionality by mitigating NTLM Relay attacks and MitM attacks (Man-in-the-Middle). Microsoft also announced that EPA will be automatically activated by default on all Exchange servers after installing the CU14 update.
Administrators can use the PowerShell ExchangeExtendedProtectionManagement script to activate EPA on previous versions of Exchange Server to protect against attacks using CVE-2024-21410.
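The post names EPA as the mitigation but not how to verify it is actually in force. The following is an added audit snippet, not part of the post and not Microsoft's ExchangeExtendedProtectionManagement script: it reads the IIS `tokenChecking` value that EPA relies on for each Exchange virtual directory and reports whether it is `None`, `Allow` or `Require`. The list of virtual directories is an assumption based on a typical Exchange install; the expected value per directory should be compared against Microsoft's EPA documentation, and changes should still be made with Microsoft's script rather than by hand.

```powershell
# Added example (not from the post or from Microsoft's script).
# Run on the Exchange server itself; needs the IIS WebAdministration module.
Import-Module WebAdministration

# Assumed list of Exchange virtual directories on a typical install.
$locations = @(
    'Default Web Site/Autodiscover', 'Default Web Site/EWS',
    'Default Web Site/mapi',         'Default Web Site/OAB',
    'Default Web Site/Rpc',          'Default Web Site/PowerShell',
    'Exchange Back End/Autodiscover','Exchange Back End/EWS',
    'Exchange Back End/mapi/emsmdb', 'Exchange Back End/mapi/nspi',
    'Exchange Back End/OAB',         'Exchange Back End/Rpc',
    'Exchange Back End/PowerShell'
)

# EPA in IIS is the extendedProtection/tokenChecking attribute of Windows authentication:
#   None    -> channel binding not checked (no EPA)
#   Allow   -> checked only when the client supplies it
#   Require -> enforced; the setting that defeats NTLM relay to this endpoint
function Get-EpaTokenChecking {
    param([Parameter(Mandatory)][string]$Location)
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    if ($null -eq $raw) { return $null }          # vdir or section not present
    # Depending on IIS/PowerShell version the cmdlet returns a bare string or an attribute object.
    if ($raw.PSObject.Properties['Value']) { return [string]$raw.Value }
    return [string]$raw
}

$report = foreach ($loc in $locations) {
    $value = Get-EpaTokenChecking -Location $loc
    $status = switch ($value) {
        'Require' { 'EPA enforced' }
        'Allow'   { 'EPA optional - review against Microsoft guidance' }
        'None'    { 'NO EPA - exposed to NTLM relay' }
        default   { 'not found' }
    }
    [pscustomobject]@{ VirtualDirectory = $loc; TokenChecking = $value; Status = $status }
}

$report | Format-Table -AutoSize
# Non-zero exit when any directory has EPA fully off, so the check can run from monitoring.
if ($report | Where-Object TokenChecking -eq 'None') { exit 1 }
```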