20.2.2024

Critical vulnerability in Microsoft Exchange Server

Microsoft’s advisory for CVE-2024-21410 shows that attackers can exploit the vulnerability to carry out a so-called NTLM relay attack against Exchange Server. NTLM relay is often confused with “Pass the Hash”, but the two are different attacks: in a relay, the attacker forwards a victim’s live NTLM authentication to a target server while it is in flight, rather than reusing a stolen password hash. NTLM is a family of Microsoft authentication protocols; it proves the identity of a user with a challenge-response exchange and can optionally sign and seal the session that follows.

Threat actors target NTLM clients such as Outlook that have a credential-leaking vulnerability. The client is tricked into authenticating to a server that the attackers control; that server captures the user’s Net-NTLMv2 challenge response and relays it, while the exchange is still open, to the Exchange server. If Exchange does not tie the NTLM authentication to the TLS connection it arrived on (which is exactly what Extended Protection for Authentication does), it accepts the relayed response and the attackers can authenticate to Exchange as that user.

What is NTLM exactly?

NTLM stands for NT LAN Manager (originally New Technology LAN Manager). It is a set of challenge-response authentication protocols from Microsoft that prove the identity of users and can also protect the confidentiality and integrity of their traffic through session signing and sealing (CrowdStrike). Because the client answers the server’s challenge using the credentials of the current Windows logon, NTLM allows single sign-on to web servers or proxy servers without the user entering a password again (Wikipedia).

What should you do?

  1. Patch immediately: Install the 2024 H1 Cumulative Update (CU14) for Exchange Server 2019. CU14 closes CVE-2024-21410 by turning on Extended Protection for Authentication and also fixes other vulnerabilities. Exchange Server 2016 does not receive a new update for this issue; there, protection depends entirely on Extended Protection being enabled (step 2).
  2. Enable Extended Protection for Authentication (EP): Let the CU14 setup enable EP on your Exchange 2019 servers (it does so by default unless you explicitly opt out with the /DoNotEnableEP switch), and enable it on any other Exchange 2016 or 2019 servers with Microsoft’s ExchangeExtendedProtectionManagement.ps1 script. EP binds the NTLM authentication to the TLS channel, so a relayed response is rejected. Check readiness first: run the Exchange Server Health Checker script and review the prerequisites in Microsoft’s EP documentation (among them consistent TLS settings across all servers and no SSL offloading on load balancers), because enabling EP on a server that does not meet them breaks client access.
  3. Patch the clients too: Check that every Outlook and other Office installation in your network is at the latest update level, since the NTLM credential leak that starts the attack is usually triggered on the client side.
  4. Stay up to date: Keep an eye out for further updates and advisories from Microsoft about this vulnerability and related threats.
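As an added example (not code from this advisory or from Microsoft), the following PowerShell script performs a read-only check of steps 1 and 2 on an Exchange 2019 server: it compares the installed build with CU14 and reads the Extended Protection setting of each relevant IIS virtual directory. The CU14 build number, the list of virtual directories and the helper function names are assumptions of this example; verify the build number against Microsoft’s Exchange build table and the expected per-directory values against Microsoft’s Extended Protection documentation before acting on the output.

```powershell
# Added example, not code from the advisory above or from Microsoft.
# Read-only check of an Exchange 2019 server's patch level and Extended
# Protection (EP) state. Run in an elevated Exchange Management Shell on
# the server itself.
# Assumptions (not from the page): the IIS WebAdministration module is
# present, and 15.2.1544.4 is the Exchange 2019 CU14 build as listed in
# Microsoft's Exchange build-number table; verify it against that table.

Import-Module WebAdministration -ErrorAction Stop

$Cu14Build = [version]'15.2.1544.4'   # assumed CU14 build, see note above

function Get-LocalExchangeBuild {
    # ExSetup.exe is on the PATH inside the Exchange Management Shell; its
    # product version is the build number of the installed CU.
    $exsetup = Get-Command ExSetup.exe -ErrorAction Stop
    [version]$exsetup.FileVersionInfo.ProductVersion
}

function Test-Cu14Installed {
    param([version]$Build = (Get-LocalExchangeBuild))
    $Build -ge $Cu14Build
}

# Virtual directories whose EP setting matters for an NTLM relay against
# the HTTP endpoints. Microsoft's EP documentation lists the expected value
# per directory (most are "Require"; the front-end Autodiscover and
# PowerShell directories are intentionally left off and are not checked here).
$VDirsToCheck = @(
    @{ Site = 'Default Web Site';  Dirs = @('API', 'ECP', 'EWS', 'MAPI', 'OAB', 'OWA', 'RPC') },
    @{ Site = 'Exchange Back End'; Dirs = @('API', 'ECP', 'EWS', 'MAPI/emsmdb', 'MAPI/nspi',
                                            'OAB', 'OWA', 'PowerShell', 'PushNotifications',
                                            'RPC', 'RpcWithCert') }
)

function Get-ExchangeEpState {
    # Reads windowsAuthentication/extendedProtection for each directory.
    # tokenChecking is None (EP off), Allow (channel binding verified only
    # when the client sends one) or Require (an NTLM authentication that is
    # not bound to this TLS channel, i.e. a relayed one, is rejected).
    foreach ($site in $VDirsToCheck) {
        foreach ($dir in $site.Dirs) {
            $psPath = "IIS:\Sites\$($site.Site)\$dir"
            $ep = Get-WebConfiguration -PSPath $psPath `
                -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
            [pscustomobject]@{
                Site          = $site.Site
                VDir          = $dir
                TokenChecking = [string]$ep.tokenChecking
                Flags         = [string]$ep.flags
            }
        }
    }
}

# --- run the checks ---------------------------------------------------------
$build = Get-LocalExchangeBuild
if (Test-Cu14Installed -Build $build) {
    "Exchange build $build : CU14 or later is installed."
} else {
    "Exchange build $build : BELOW CU14 - install the 2024 H1 CU (CU14)."
}

$epState = Get-ExchangeEpState
$epState | Format-Table -AutoSize

$unprotected = @($epState | Where-Object { $_.TokenChecking -eq 'None' })
if ($unprotected.Count -gt 0) {
    "Extended Protection is OFF on $($unprotected.Count) of the checked directories."
    "Enable it with Microsoft's ExchangeExtendedProtectionManagement.ps1 after HealthChecker.ps1 reports no blocking issues."
} else {
    "Extended Protection is configured on every checked directory."
}
```

A `None` in the TokenChecking column on a directory that Microsoft’s table lists as Require means a relayed NTLM authentication would still be accepted there. Microsoft’s own `.\ExchangeExtendedProtectionManagement.ps1 -ShowExtendedProtection` (from the CSS-Exchange repository) gives the same view across all servers in the organization and, run without that switch, applies the recommended values.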

The security of your organization’s Exchange server environment is paramount. Act quickly to protect against potential threats and ensure uninterrupted operations.

We will be happy to answer any questions you may have.