CVE-2024-21410

Published: 14 Feb 2024
Source: msrc
CVSS3: 9.8
EPSS: Low

Description

Microsoft Exchange Server Elevation of Privilege Vulnerability

Mitigations

The following mitigating factors might be helpful in your situation:

Consult the Exchange Extended Protection documentation and use the ExchangeExtendedProtectionManagement.ps1 script to turn on Extended Protection for Authentication (EPA) for Exchange Servers.

FAQ

Where can I find more information about NTLM relay attacks?

Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.

How could an attacker exploit this vulnerability?

An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf. For more information about Exchange Server's support for Extended Protection for Authentication (EPA), please see Configure Windows Extended Protection in Exchange Server.

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.

Why is this CVE listed as being exploited?

This CVE for Exchange Server 2019 Cumulative Update 14 enforces previous mitigations by default. We provided an optional mitigation for NTLM relay attacks in general in August 2022. These were documented in an Outlook CVE (CVE-2023-23397). Microsoft was aware of targeted NTLM relay attacks back in 2023; however, we are not aware of any current exploitation of NTLM relay attacks against Exchange Server.

Microsoft strongly recommends installing CU14 on Exchange Server 2019 or enabling Extended Protection within your organization as per Configure Windows Extended Protection in Exchange Server.

How do I protect myself from this vulnerability?

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credentials Relay Protections (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook). Exchange Server 2019 CU14 enables EPA by default on Exchange servers. For more information regarding this update, please refer to the latest Exchange Blog Post.

I'm running Microsoft Exchange Server 2016 Cumulative Update 23. How do I protect myself from this vulnerability?

Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23 with the August 2022 security update (build 15.01.2507.012). We strongly recommend downloading the latest security update for Exchange Server 2016 CU23 before turning on Extended Protection with the help of the ExchangeExtendedProtectionManagement.ps1 script.

If I already ran the script that enables NTLM credentials Relay Protections, am I protected from this vulnerability?

Yes. If, for example, you are running Exchange Server 2019 CU13 or earlier and you have previously run the script, then you are protected from this vulnerability. However, Microsoft strongly suggests installing the latest cumulative update.

How can I determine if Extended Protection is configured as expected and if my Exchange Server is protected against this vulnerability?

Run the latest version of the Exchange Server Health Checker script. The script will provide you with an overview of the Extended Protection status of your server.

Updates

Product | Article | Update
Microsoft Exchange Server 2016 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 13
Microsoft Exchange Server 2019 Cumulative Update 14

Exploitability

Publicly Disclosed: No
Exploited: Yes
Latest Software Release: Exploitation Detected
DOS: N/A

EPSS

Percentile: 86%
0.0309
Low

9.8 Critical

CVSS3

Related vulnerabilities

CVSS3: 9.8
nvd
almost 2 years ago

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVSS3: 9.8
github
almost 2 years ago

Microsoft Exchange Server Elevation of Privilege Vulnerability

CVSS3: 9.8
fstec
almost 2 years ago

A vulnerability in the Microsoft Exchange Server mail server related to NTLM credential leakage, allowing an attacker to elevate their privileges
