New critical Exchange bug exploited as zero-day

Microsoft warned today in an updated security advisory that a critical vulnerability in Exchange Server was exploited as a zero-day before being fixed during this month's Patch Tuesday.

Discovered internally and tracked as CVE-2024-21410, this security flaw can let remote unauthenticated threat actors escalate privileges in NTLM relay attacks targeting vulnerable Microsoft Exchange Server versions.

In such attacks, the threat actor forces a network device (including servers or domain controllers) to authenticate against an NTLM relay server under their control to impersonate the targeted devices and elevate privileges.

"An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability," Microsoft explains.

"The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim's behalf.

"An attacker who successfully exploited this vulnerability could relay a user's leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user."

Mitigation via Exchange Extended Protection

The Exchange Server 2019 Cumulative Update 14 (CU14) update addresses this vulnerability by enabling NTLM credentials Relay Protections (also known as Extended Protection for Authentication or EPA).

EP is designed to enhance Windows Server authentication functionality by mitigating authentication relay and man-in-the-middle (MitM) attacks.

Microsoft announced today that Extended Protection (EP) will be automatically enabled by default on all Exchange servers after installing this month's 2024 H1 Cumulative Update (aka CU14).

Admins can use the ExchangeExtendedProtectionManagement PowerShell script to turn on EP on previous versions of Exchange Server, such as Exchange Server 2016. This will also protect their systems against attacks targeting devices unpatched against CVE-2024-21410.

However, before toggling EP on their Exchange servers, administrators should evaluate their environments and review the issues mentioned in Microsoft's documentation for the Microsoft-provided ExchangeExtendedProtectionManagement PowerShell script, to avoid breaking functionality.
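The following PowerShell audit is an added example, not code from the article or from Microsoft's ExchangeExtendedProtectionManagement script. It reads the IIS Extended Protection setting (the `tokenChecking` attribute of Windows authentication) for each Exchange virtual directory, so an administrator can confirm what the CU14 update or the script actually changed on a server. It assumes it runs in an elevated PowerShell on the Exchange server with the IIS WebAdministration module available; the list of virtual directories is an assumption for illustration and should be adjusted to the server's real sites.

```powershell
# Added example (not from the article or Microsoft's script): report the IIS
# Extended Protection setting on Exchange virtual directories so an admin can
# see which endpoints still accept NTLM authentication without channel binding.
# Assumes: elevated PowerShell on the Exchange server, WebAdministration module present.
Import-Module WebAdministration

# Virtual directories to check. This list is an assumption for illustration;
# adjust it to the sites and applications that exist on the server.
$virtualDirectories = @(
    'Default Web Site/API', 'Default Web Site/Autodiscover', 'Default Web Site/ecp',
    'Default Web Site/EWS', 'Default Web Site/mapi', 'Default Web Site/Microsoft-Server-ActiveSync',
    'Default Web Site/OAB', 'Default Web Site/owa', 'Default Web Site/PowerShell', 'Default Web Site/Rpc',
    'Exchange Back End/API', 'Exchange Back End/Autodiscover', 'Exchange Back End/ecp',
    'Exchange Back End/EWS', 'Exchange Back End/mapi/emsmdb', 'Exchange Back End/mapi/nspi',
    'Exchange Back End/OAB', 'Exchange Back End/owa', 'Exchange Back End/PowerShell', 'Exchange Back End/Rpc'
)

# IIS configuration section that holds the Extended Protection settings.
$epFilter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'

function Get-ExchangeEPStatus {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        try {
            $attr = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location $path -Filter $epFilter -Name 'tokenChecking' -ErrorAction Stop
            # IIS returns a configuration attribute whose Value is None, Allow or Require.
            $tokenChecking = if ($null -ne $attr.Value) { [string]$attr.Value } else { [string]$attr }
        } catch {
            # Missing application or no access: record the error instead of stopping.
            $tokenChecking = 'ERROR: ' + $_.Exception.Message
        }
        # Only 'Require' rejects an NTLM authentication that carries no valid channel
        # binding token; 'Allow' still accepts clients that send none, 'None' checks nothing.
        [pscustomobject]@{
            VirtualDirectory = $path
            TokenChecking    = $tokenChecking
            EPEnforced       = ($tokenChecking -eq 'Require')
        }
    }
}

$report = Get-ExchangeEPStatus -Paths $virtualDirectories
$report | Format-Table -AutoSize

$notEnforced = @($report | Where-Object { -not $_.EPEnforced })
if ($notEnforced.Count -gt 0) {
    Write-Warning ("{0} virtual directories do not require Extended Protection: {1}" -f `
        $notEnforced.Count, (($notEnforced | ForEach-Object { $_.VirtualDirectory }) -join ', '))
} else {
    Write-Host 'Extended Protection is required on all checked virtual directories.'
}
```

Run it once before and once after enabling EP and compare the two reports. Microsoft's script deliberately configures some virtual directories to Allow or leaves EP off where a Require setting would break clients, so an entry that is not `Require` should be checked against the target values in Microsoft's Extended Protection documentation rather than treated automatically as a defect; the warning list is simply the set of endpoints that still need that review.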

Today, Microsoft also mistakenly tagged a critical Outlook remote code execution (RCE) vulnerability (CVE-2024-21413) as exploited in attacks before being fixed during this month's Patch Tuesday.
