**CRITICAL RISK** CVE-2024-21410 Microsoft Exchange Server Privilege Escalation Exploitation

Background & Context

Microsoft Exchange Server is a mail server and calendaring server developed by Microsoft. It runs exclusively on Windows Server operating systems. Exchange Server primarily uses a proprietary protocol called MAPI to talk to email clients, but subsequently added support for POP3, IMAP, and EAS. The standard SMTP protocol is used to communicate to other Internet mail servers.

In a Windows network, NT (New Technology) LAN Manager (NTLM) is a suite of Microsoft security protocols intended to provide authentication, integrity, and confidentiality to users. The NTLM protocol suite is implemented in a Security Support Provider, which combines the LAN Manager authentication protocol, NTLMv1, NTLMv2 and NTLM2 Session protocols in a single package. NTLM is a challenge–response authentication protocol which uses three messages to authenticate a client. The NTLM protocol uses one or both of two hashed password values(LM hash and NT hash), both of which are also stored on the server (or domain controller), and which through a lack of salting are password equivalent, meaning that if you grab the hash value from the server, you can authenticate without knowing the actual password. NTLM passwords are considered weak because they can be brute-forced very easily with modern hardware.


Vulnerability Summary

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credentials Relay Protections (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook).


Impact If Exploited

An attacker who successfully exploited this vulnerability could relay a user’s leaked Net-NTLMv2 (Windows NT Lan Manager) hashes to impersonate legitimate users on Exchange Server and authenticate as the user. Attackers often use a so-called “pass-the-hash” method for lateral movement purposes – allowing them to gain privileges as the victim client and then to perform operations on the Exchange server on the victim’s behalf in a lateral privilege escalation attack. The tactic involves stealing a user’s NTLM hash from one computer and using it to access another computer, in this case an Exchange Server.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2024-02-15. Security researchers have reported that Russia’s “Fancy Bear” advanced persistent threat group (aka “Forest Blizzard” and “APT28”) took advantage of similar flaws (including CVE-2023-23397) in a spate of information-stealing attacks that targeted governments in the Middle East and several NATO nations from April 2022 to November 2023. Prioritisation should be given to remediation in any impacted environment


Affected Product Versions

  • Microsoft Exchange Server 2019 prior to Cumulative Update 14 release15.2.1544.004
  • Microsoft Exchange Server 2019 prior to Cumulative Update 13 release 15.2.1544.004
  • Microsoft Exchange Server 2016 prior to Cumulative Update 23



Official Fix & Remediation Guidance

Exchange Server 2019:


Exchange Server 2016:

  • Microsoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23 with the August 2022 security update (build 15.01.2507.012). We strongly recommend to download the latest security update for Exchange Server 2016 CU23 prior turning Extended Protection by the help of the https://aka.ms/ExchangeEPScript – ExchangeExtendedProtectionManagement.ps1 on.


NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.


Temporary Mitigation & Workarounds:

Download https://www.microsoft.com/en-us/download/details.aspx?id=36036 Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2]]. This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.




Category: Privilege Escalation


About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses

Get in touch

Please enable JavaScript in your browser to complete this form.