A recently discovered critical vulnerability in Microsoft Exchange Server (CVE-2024-21410) is being actively exploited by attackers. This privilege escalation vulnerability allows attackers to use leaked login credentials (such as those captured from compromised Outlook clients) to gain unauthorized access to and control over your server. This could lead to sensitive data breaches, malware deployment, and further attacks within your network.
Understanding CVE-2024-21410
With a severity score of 9.8 on the CVSS scale, the vulnerability is exploited against NTLM clients such as Outlook through a credential-leaking flaw. Attackers can leverage the leaked credentials to perform unauthorized operations on the Exchange server.
Implications of Successful Exploitation
If successfully exploited, the vulnerability enables attackers to relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange Server, granting them unauthorized access as that user. The exact nature of the exploitation and the identity of the threat actors remain undisclosed, although past incidents involving Russian state-affiliated hacking groups, notably APT28, raise concerns.
Associated Risks
This incident is not an isolated case: it adds to a series of Windows flaws patched by Microsoft this week, including CVE-2024-21351 and CVE-2024-21412, both actively exploited in real-world attacks. Moreover, the implications extend beyond mere credential leakage. The flaw’s destructive capability potentially encompasses RCE and the bypassing of Office Protected View, heightening the severity of the situation.
Recommendations
Microsoft has enabled Extended Protection for Authentication (EPA) by default in Exchange Server 2019 Cumulative Update 14 (CU14). If you are running an older version, consider enabling EPA manually for additional protection.
Microsoft has released security patches to address these vulnerabilities, and it is urging all users to apply the patches as soon as possible.
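Before and after enabling EPA it is worth confirming what IIS actually enforces for each Exchange virtual directory, since EPA is an IIS Windows Authentication setting (tokenChecking on the extendedProtection element) rather than an Exchange-level switch. The script below is an added example for this post, not code from Microsoft or from SecPod: it reports the current tokenChecking value for the front-end and back-end Exchange virtual directories on the local server. The list of virtual directories is an assumption about a typical Exchange layout and should be adjusted to your deployment; the value Microsoft recommends differs per virtual directory, so compare the report against Microsoft's published guidance rather than treating any single value as correct everywhere.

```powershell
# Added example (not from the original post, Microsoft or SecPod). Run in an elevated
# PowerShell session on the Exchange server. Reports the IIS Extended Protection setting
# (tokenChecking) for each Exchange virtual directory so the state can be compared with
# Microsoft's per-directory guidance. Values: 'Require' = EPA enforced,
# 'Allow' = accepted but not required, 'None' = disabled.
Import-Module WebAdministration

# Assumed virtual-directory layout of a typical Exchange server; adjust to your deployment.
$targets = @(
    @{ Site = 'Default Web Site'
       VDirs = 'API','Autodiscover','ECP','EWS','Mapi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC' },
    @{ Site = 'Exchange Back End'
       VDirs = 'API','Autodiscover','ECP','EWS','Mapi/emsmdb','Mapi/nspi','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC' }
)

$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

$report = foreach ($t in $targets) {
    foreach ($vdir in $t.VDirs) {
        $path = "IIS:\Sites\$($t.Site)\$vdir"
        # Skip directories that do not exist on this server role.
        if (-not (Test-Path $path)) { continue }

        $tokenChecking = (Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name tokenChecking).Value

        [pscustomobject]@{
            Site             = $t.Site
            VirtualDirectory = $vdir
            TokenChecking    = $tokenChecking
            # 'None' means EPA is not applied at all for this directory and deserves a look.
            Note             = if ($tokenChecking -eq 'None') { 'EPA disabled - review' } else { '' }
        }
    }
}

$report | Format-Table -AutoSize
```

Microsoft publishes a PowerShell script for enabling and reviewing Extended Protection on Exchange; the example above only reads the current state so that a change made by that script, or by hand in IIS Manager, can be verified on each server after the CU14 upgrade or the manual enablement recommended above.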
SanerNow Vulnerability Management and SanerNow Patch Management detect and automatically fix these vulnerabilities by applying security updates. Use SanerNow and keep your systems updated and secure!