In a recent Microsoft security update, a critical vulnerability in Exchange Server was fixed on February 1. The vulnerability, tracked as CVE-2024-21410, has a CVSS score of 9.8 and allows a remote attacker to escalate privileges through NTLM relay attacks against vulnerable versions of Microsoft Exchange Server.
In an NTLM relay attack, the attacker manipulates a network device, such as a domain server or controller, into authenticating to an NTLM relay server under the attacker's control. This allows the attacker to impersonate target devices and gain elevated privileges. The vulnerability had the potential to compromise the security and integrity of Exchange Server.
Microsoft has explained that an attacker could use this vulnerability to target an NTLM client, specifically Outlook, which could result in the leakage of NTLM credentials. The exposed credentials could then be redirected to the Exchange server, allowing the attacker to gain privileges as the victim client and perform actions on behalf of the victim.
To mitigate the risk posed by this vulnerability, Microsoft introduced a new security mechanism called Extended Protection for Authentication (EPA), which strengthens the APA (Application Protocol Agreement). EPA defends against NTLM relay and man-in-the-middle (MITM) attacks. To make EPA more accessible, Microsoft has announced that it will be activated by default on all Exchange servers once Cumulative Update 14 (CU14) for Exchange Server 2019 is installed.
Administrators running earlier versions of Exchange Server can still activate EPA to protect against attacks using CVE-2024-21410. They can use the PowerShell script ExchangeExtendedProtectionManagement.ps1 to enable EPA on their servers.
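
The following added example (not Microsoft's code and not part of the original article) models why Extended Protection stops a relayed NTLM authentication: the client binds its response to the TLS certificate it actually sees, and a server that requires EPA rejects a response bound to any other certificate. The certificates, key and challenge are constructed placeholders, and a single HMAC stands in for the NTLMv2 response as a simplifying assumption.

```python
import hashlib
import hmac
import struct

def channel_binding_token(cert_der: bytes) -> bytes:
    # tls-server-end-point binding: SHA-256 of the server certificate,
    # wrapped in a gss_channel_bindings structure (address fields zeroed)
    # and hashed with MD5, which is the 16-byte value NTLM carries.
    app_data = b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()
    gss = b"\x00" * 16 + struct.pack("<I", len(app_data)) + app_data
    return hashlib.md5(gss).digest()

def client_response(user_key: bytes, challenge: bytes, seen_cert: bytes) -> dict:
    # Simplification: one HMAC stands in for the NTLMv2 response, which
    # likewise covers the server challenge and the token.
    cbt = channel_binding_token(seen_cert)
    proof = hmac.new(user_key, challenge + cbt, hashlib.md5).digest()
    return {"cbt": cbt, "proof": proof}

def server_accepts(user_key, challenge, own_cert, msg, epa_required: bool) -> bool:
    expected = hmac.new(user_key, challenge + msg["cbt"], hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg["proof"]):
        return False  # wrong credentials, or the token was altered in transit
    if not epa_required:
        return True   # without EPA any valid response is accepted
    return hmac.compare_digest(msg["cbt"], channel_binding_token(own_cert))

# Constructed sample values: stand-ins for DER certificates and a user key.
EXCHANGE_CERT = b"constructed-exchange-certificate"
RELAY_CERT = b"constructed-relay-certificate"
USER_KEY = hashlib.sha256(b"constructed-user-secret").digest()
CHALLENGE = bytes(range(8))

def scenario(relayed: bool, epa_required: bool, rewrite_token: bool = False) -> bool:
    # The client binds to whichever certificate terminates its TLS session.
    msg = client_response(USER_KEY, CHALLENGE, RELAY_CERT if relayed else EXCHANGE_CERT)
    if rewrite_token:  # intermediary swaps in the token the server expects
        msg["cbt"] = channel_binding_token(EXCHANGE_CERT)
    return server_accepts(USER_KEY, CHALLENGE, EXCHANGE_CERT, msg, epa_required)

if __name__ == "__main__":
    print("direct, EPA on     :", scenario(False, True))
    print("relayed, EPA off   :", scenario(True, False))
    print("relayed, EPA on    :", scenario(True, True))
    print("relayed + rewritten:", scenario(True, True, rewrite_token=True))
```

The relayed response is accepted only when EPA is not required; rewriting the token in transit fails as well, because the token is covered by the keyed response.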