Exchange Server CVE-2024-21410

CVE-2024-21410 is a critical elevation-of-privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8. It enables attackers to mount NTLM relay attacks by abusing Net-NTLMv2 authentication.

  • Vendor: Microsoft
  • Product: Microsoft Exchange Server
  • Vulnerability Type: Elevation of Privilege
  • Base CVSS Score: 9.8 (Critical)

Follow this link for a full list of Microsoft Exchange Server security vulnerabilities and CVEs.

Vulnerability Overview

Microsoft issued a security advisory for CVE-2024-21410 on February 13, 2024, within their February 2024 Patch Tuesday security updates. This affects Microsoft Exchange Server and is a critical security flaw with a CVSS score of 9.8.

How Attackers Leverage CVE-2024-21410

The attack involves an attacker deceiving an NTLM client (such as Microsoft Outlook) into connecting to an attacker-controlled server. This lets the attacker capture the victim user’s leaked Net-NTLMv2 challenge-response. Because of the weakness in Exchange Server (prior to patching and EPA enforcement), the attacker can then relay this captured authentication to a vulnerable Exchange server.

This is effectively a type of pass-the-hash attack, or more precisely an NTLM relay attack. The attacker doesn’t need to crack the password hash; they simply forward (relay) the authentication challenge-response to the Exchange server, which then authenticates them as the victim user. Once authenticated, the attacker holds the privileges of that user on the Exchange server.

What makes this vulnerability dangerous is its low barrier to entry. Any attacker who can successfully leak and capture Net-NTLMv2 credentials from a user whose NTLM client can connect to the Exchange server can take advantage of this vulnerability, often without needing prior user privileges on the target network or direct user interaction beyond the initial credential leak.

Its severity and active exploitation led to its addition to CISA’s Known Exploited Vulnerabilities (KEV) catalog on February 15, 2024. This mandated immediate remediation for federal agencies and signaled a clear danger to all organizations using affected Exchange versions.

Affected Microsoft Exchange Server Versions

The following Microsoft Exchange Server versions are vulnerable to CVE-2024-21410:

  • Microsoft Exchange Server 2016 Cumulative Update 23 (and prior CUs if EPA is not enabled)
  • Microsoft Exchange Server 2019 Cumulative Update 13 (and prior CUs if EPA is not enabled)
  • Microsoft Exchange Server 2019 Cumulative Update 14 (if EPA is manually disabled, as it’s enabled by default in CU14)
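Whether a server falls into one of the buckets above depends on its build and on the Extended Protection (EPA) state of its IIS virtual directories. The following script is an added example, not code from the article or from Microsoft: it prints the local server’s Exchange version and reads the IIS `tokenChecking` attribute, through which EPA is expressed, for the well-known Exchange virtual directories on both IIS sites. It assumes it runs in the Exchange Management Shell on the server itself with the `WebAdministration` module available; the directory list and the `IIS:\Sites\<site>\<vdir>` paths are this example’s assumptions.

```powershell
# Added example (not from the original article): inventory the Exchange build
# and the Extended Protection (EPA) state of the IIS virtual directories on the
# local Exchange server. Assumes the Exchange Management Shell on the server
# itself, with the WebAdministration module available.
Import-Module WebAdministration -ErrorAction Stop

# Well-known Exchange virtual directories on both IIS sites (assumed list).
# Which of these Microsoft expects at Require, Allow or None is documented in
# its Extended Protection guidance; some are intentionally left at None, so
# the report is input for that comparison rather than a verdict by itself.
$Sites  = @('Default Web Site', 'Exchange Back End')
$VDirs  = @('API', 'Autodiscover', 'ECP', 'EWS', 'Microsoft-Server-ActiveSync',
            'OAB', 'OWA', 'PowerShell', 'RPC', 'MAPI')
$Filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEpaReport {
    $rows = foreach ($site in $Sites) {
        foreach ($vdir in $VDirs) {
            $path = "IIS:\Sites\$site\$vdir"
            try {
                # tokenChecking is the IIS attribute behind EPA:
                # None (off), Allow (check if the client sends a binding), Require (enforce).
                $raw = Get-WebConfigurationProperty -PSPath $path -Filter $Filter `
                                                    -Name 'tokenChecking' -ErrorAction Stop
                $value = if ($raw -is [string]) { $raw } else { [string]$raw.Value }
            } catch {
                # Directory does not exist on this site (or IIS refused the read).
                $value = 'NotFound'
            }
            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $vdir
                TokenChecking = $value
                # 'None' means channel binding is never checked for this directory.
                EpaOff        = ($value -eq 'None')
            }
        }
    }
    return $rows
}

# Exchange build, so the CU can be compared against the affected-version list.
$server = Get-ExchangeServer -Identity $env:COMPUTERNAME
"{0}: {1}" -f $server.Name, $server.AdminDisplayVersion

$report = Get-ExchangeEpaReport
$report | Format-Table -AutoSize
$off = @($report | Where-Object EpaOff)
if ($off.Count -gt 0) {
    Write-Warning ("{0} virtual directories have tokenChecking=None; review them against Microsoft's EPA guidance." -f $off.Count)
}
```

Run it on every Exchange server rather than once per organization: EPA is an IIS setting on each server, so a patched build on one node says nothing about the `tokenChecking` values on another.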

Exploit Status, Attribution, and Further Actions

Exploit Status: CVE-2024-21410 continues to be actively exploited in the wild. Shadowserver Foundation reports indicate that thousands of internet-facing Microsoft Exchange servers, potentially up to 97,000, remain vulnerable.

Threat Actor Activity: While no formal attribution has been assigned to all attacks, security researchers have noted similarities to techniques used by Russian-backed threat actor APT28 (Fancy Bear). This group is known for exploiting NTLM vulnerabilities and using subsequent access token manipulation and impersonation/theft techniques to target email servers.

Nation-state affiliated groups like APT28 and Hafnium have a history of exploiting flaws in Microsoft Outlook and Exchange to stage NTLM relay attacks, making this vulnerability highly attractive to sophisticated threat actors.

Technical Impact of Successful Exploitation

Successful exploitation of CVE-2024-21410 has severe consequences:

  • Authentication Bypass: The vulnerability allows attackers to authenticate as legitimate users without knowing their passwords.
  • Privilege Escalation: As a result of the authentication bypass, attackers gain unauthorized access with the privileges of the compromised user account on the Exchange server.
  • Unauthorized Operations: Once authenticated, attackers can perform operations on the Exchange server on behalf of the victim, such as accessing mailboxes or modifying server configurations.
  • Data Compromise: This access can lead to the compromise of sensitive data managed by Exchange, affecting its confidentiality, integrity, and availability.

The vulnerability is concerning because it doesn’t require the captured Net-NTLMv2 hash to be cracked – it can be replayed directly, making it a low-effort, high-impact attack vector.

Chained Exploits and Post-Exploitation Activities

With initial access gained through CVE-2024-21410, attackers often pursue further objectives:

  1. Further Privilege Escalation: If the initially compromised account is not highly privileged, attackers may seek additional vulnerabilities on the server or within the domain to elevate their access further.
  2. Lateral Movement: Using the compromised credentials, attackers attempt to move across the network, accessing other systems and data using the compromised user’s permissions.
  3. Establishing Persistence: To maintain long-term access even if the initial vulnerability is patched, attackers deploy persistence mechanisms such as scheduled tasks, new administrative accounts, or web shells (e.g., China Chopper, often seen after Exchange compromises like Hafnium attacks). This creates a persistent threat.
  4. Data Exfiltration: A primary goal is often the theft of sensitive information from email communications, contact lists, and calendars.
  5. Further NTLM Relaying: Once inside the network, attackers might use tools like ntlmrelayx (part of Impacket) to relay NTLM authentication to other systems, potentially compromising domain controllers if network-wide protections like SMB signing and Windows Extended Protection are not enforced.

CVE-2024-21410 serves as an entry point, often combined with other vulnerabilities or misconfigurations to achieve deeper compromise, potentially leading to remote code execution (RCE) on other systems.

Mitigation and Remediation Strategies

Microsoft has provided clear guidance. Here are the key actionable steps:

  1. Apply Security Updates Immediately: This is the most critical step. Install Microsoft’s February 2024 security updates (or later cumulative updates) to patch CVE-2024-21410 on all affected Exchange Server installations.
  2. Enable Extended Protection for Authentication (EPA): Microsoft enabled EPA by default in Exchange Server 2019 Cumulative Update 14 (CU14) as a mitigation. For older supported CUs (2019 CU13, 2016 CU23), EPA needs to be enabled manually after patching if not already on. Verify EPA is enabled on all Exchange servers. EPA helps prevent potential exploitation by binding the authentication to the TLS channel.
  3. Implement Network Segmentation: Restrict access to Exchange servers, particularly from the internet. Implement proper network segmentation to limit lateral movement in case of compromise. Make sure Exchange servers cannot initiate outbound connections to arbitrary internet locations if possible.
  4. Monitor for Suspicious Activity: Implement enhanced monitoring for unusual authentication attempts against Exchange servers, suspicious PowerShell commands, signs of NTLM relay activity, and other indicators of compromise related to Exchange exploitation.
  5. Implement Multi-Factor Authentication (MFA): Where possible, implement MFA for Exchange access (OWA, ECP). While this vulnerability bypasses direct password authentication, MFA on user accounts can limit the utility of a compromised account for accessing other MFA-protected services. MFA is especially important for administrative access to Exchange.
  6. Upgrade Legacy Systems: If running older, unsupported versions of Exchange, prioritize migration to supported versions that receive security updates and have modern security measures like EPA enabled by default.
  7. Restrict NTLM: Where feasible, work towards disabling NTLM authentication in your environment in favor of Kerberos. If NTLM cannot be disabled, make sure protections like EPA, SMB Signing, and tiering of accounts are strictly enforced.
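Step 4 asks for monitoring of unusual authentication against Exchange servers and signs of NTLM relay activity. The script below is an added example, not code from the article or from Microsoft, showing one concrete way to do that from the server’s own Security log: it pulls NTLM network logons (event 4624, logon type 3), checks whether the workstation name each logon presents actually resolves to the source IP address the connection came from, and flags source addresses that present many different workstation names. It assumes an administrative session on the Exchange server, that the Security log retains 4624, and that DNS can resolve client workstation names; the heuristics and the threshold are this example’s choices, not a Microsoft signature.

```powershell
# Added example (not from the original article): review NTLM network logons on an
# Exchange server for the shape a relayed authentication leaves behind. Assumes an
# administrative session on the server and that the Security log keeps event 4624.
# The heuristics and thresholds below are this example's, not Microsoft's.

function Get-NtlmNetworkLogons {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4624
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # 4624 carries its fields as <Data Name="..."> elements; flatten them to a table.
        $xml = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # Type 3 = network logon; the NTLM package is the only path a relay can take.
        if ($d['LogonType'] -ne '3' -or $d['AuthenticationPackageName'] -ne 'NTLM') { continue }
        # Local and address-less logons carry no source to compare against.
        if ($d['IpAddress'] -in @('-', '127.0.0.1', '::1')) { continue }
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            User        = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            Workstation = $d['WorkstationName']
            SourceIp    = $d['IpAddress']
            LmPackage   = $d['LmPackageName']   # 'NTLM V2' for Net-NTLMv2
        }
    }
}

function Test-WorkstationMatchesSource {
    param([string]$Workstation, [string]$SourceIp)
    # In a relay the NTLM messages carry the victim's workstation name while the
    # TCP connection arrives from the relay host, so the name should resolve to
    # the source address. Resolution failures are reported, not treated as matches.
    if ([string]::IsNullOrWhiteSpace($Workstation) -or $Workstation -eq '-') { return 'NoWorkstation' }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Workstation) |
                 ForEach-Object { $_.IPAddressToString }
        if ($addrs -contains $SourceIp) { return 'Match' } else { return 'Mismatch' }
    } catch {
        return 'Unresolvable'
    }
}

$logons = @(Get-NtlmNetworkLogons -Hours 24)

# Logons whose workstation name does not resolve to the connecting address.
$findings = foreach ($l in $logons) {
    $verdict = Test-WorkstationMatchesSource -Workstation $l.Workstation -SourceIp $l.SourceIp
    if ($verdict -ne 'Match') {
        $l | Add-Member -NotePropertyName Verdict -NotePropertyValue $verdict -PassThru
    }
}

# One source address presenting many distinct workstation names in the window
# is the other classic relay shape (threshold of 3 is an arbitrary starting point).
$fanOut = $logons | Group-Object SourceIp | Where-Object {
    @($_.Group.Workstation | Sort-Object -Unique).Count -gt 3
}

$findings | Sort-Object Time | Format-Table -AutoSize
foreach ($g in $fanOut) {
    Write-Warning ("Source {0} presented {1} distinct workstation names" -f $g.Name,
                   @($g.Group.Workstation | Sort-Object -Unique).Count)
}
```

Both checks produce leads rather than verdicts: a VPN concentrator or a load balancer in front of OWA will legitimately show one source address for many workstations, so tune the allow-list and the threshold to your own topology before turning this into an alert.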

Building Long-Term Resilience Beyond CVE-2024-21410

While patching this specific CVE is urgent, consider these broader security practices:

  • Assume Breach Mentality: Operate with the mindset that attackers may already be present or will attempt to breach.
  • Defense-in-Depth: Layer multiple security controls (network, endpoint, application, data).
  • Regular Audits & Vulnerability Management: Continuously scan for and remediate vulnerabilities.
  • Incident Response Plan: Have a well-tested plan to respond to security incidents.
  • User Education: Train users to identify and report phishing attempts or suspicious activity that could lead to credential leakage.

Conclusion

CVE-2024-21410 represents a serious threat to organizations relying on Microsoft Exchange Server. Its low barrier to entry and high impact, coupled with active exploitation by sophisticated threat actors, demand attention. Prioritize patching, enable Extended Protection, and review your overall security posture to defend against this and future threats. The same measures also help against any future NTLM credential-leaking vulnerability.

Strengthen Your Server Security with Messageware

Data breaches have increased by 72%, and servers are compromised in under 90 minutes. Ensure you have multiple layers of security software protecting your Windows Servers.

Messageware offers powerful security solutions, including:

Z-Day Guard for All Windows Servers: Next-gen server protection, providing detection, alerting, and response (MDR) to zero-day and server penetration cyber-attacks. Leverages embedded monitoring technology that cannot be turned off by malicious software. No need to research complicated deployments and no learning curve to install and manage.

EPG Guard for Exchange Servers: Real-time security stops AD account lockouts, eliminates brute force password attacks, provides intelligent GEO blocking, and prevents Exchange Server vulnerability probing. Enhance security through real-time collection and analysis of logon information, with advanced reporting, threat detection, and security controls.

Don’t leave your critical infrastructure vulnerable; be proactive and stay ahead of evolving threats.