Menu
Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. Exchange Server primarily uses a proprietary protocol called MAPI to talk to email clients, but subsequently added support for POP3, IMAP, and EAS. The standard SMTP protocol is used to communicate to other Internet mail servers.
In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. NTLM is a challenge–response authentication protocol which uses three messages to authenticate a client. The NTLM protocol uses one or both of two hashed password values(LM hash and NT hash), both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware.
Prior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credentials Relay Protections (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).
An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 (Windows NT Lan Manager) hashes to impersonate legitimate users on Exchange Server and authenticate as the user. Attackers often use a so-called “pass-the-hash” method for lateral movement purposes – allowing them to gain privileges as the victim client and then to perform operations on the Exchange server on the victim’s behalf in a lateral privilege escalation attack. The tactic involves stealing a user’s NTLM hash from one computer and using it to access another computer, in this case an Exchange Server.
NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2024-02-15. Security researchers have reported that Russia’s “Fancy Bear” advanced persistent threat group (aka “Forest Blizzard” and “APT28”) took advantage of similar flaws (including CVE-2023-23397) in a spate of information-stealing attacks that targeted governments in the Middle East and several NATO nations from April 2022 to November 2023. Prioritisation should be given to remediation in any impacted environment
Exchange Server 2019:
Exchange Server 2016:
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Download https://www.microsoft.com/en-us/download/details.aspx?id=36036 Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2]]. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References:
Category: Privilege Escalation
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)
