Latest Microsoft Exchange Server vulnerability #
As part of its updates released on February 13, 2024, Microsoft has disclosed a vulnerability in Microsoft Exchange that would allow attackers to authenticate to Microsoft Exchange servers using a captured NTLM hash (a so-called “pass-the-hash” vulnerability). This would allow an attacker to authenticate to an Exchange server as any user for whom the attacker passed a valid NTLM hash.
NTLM authentication is an authentication mechanism used by Microsoft Windows and related products that uses a challenge-response protocol to avoid transmitting user passwords directly across the network. A “pass-the-hash” vulnerability is a form of credential reuse vulnerability, where an attacker who posesses a hashed form of a victim’s password can use that hash directly for authentication. Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft discusses this sort of vulnerability in detail.
This vulnerability, tracked as CVE-2024-21410, has a CVSS score of 9.1, indicating a critical vulnerability. Note that Microsoft has indicated that there is limited evidence that this vulnerability has been exploited in the wild.
What is the impact? #
Upon successful exploitation of this vulnerability, an attacker would be able use a compromised NTLM hash to log into an Exchange server as a different user, with all of the privileges of that user.
Are updates or workarounds available? #
Enabling Extended Protection will mitigate this vulnerability.
Additionally, Microsoft has released a mitigtation as part of the 2024 H1 cumulative update for Exchange Server.
How do I find Exchange servers with runZero? #
From the Services Inventory, use the following query to locate potentially vulnerable assets your network that may need remediation or mitigation:
product:"Exchange Server"
You can also check out our Queries Library for other useful inventory queries.
September 2022 vulnerabilities #
On September 30, 2022, GTSC, a Vietnamese security firm, discovered two zero-day vulnerabilities that affected Microsoft Exchange Servers 2013, 2016, and 2019. These two vulnerabilities were tracked as CVE-2022-41040 and CVE-2022-41082. According to Microsoft, they were aware of "limited targeted attacks using the two vulnerabilities to get into users' systems." In order for attackers to successfully exploit the vulnerabilities, they must have authenticated access to the vulnerable Microsoft Exchange Server.
What was the impact? #
The first vulnerability, CVE-2022-41040, was a Server-Side Request Forgery (SSRF) vulnerability. The second vulnerability, CVE-2022-41082, allowed remote code execution (RCE) when the attacker had access to PowerShell. According to GTSC, it appeared that attackers could exploit the vulnerabilities to place webshells on exploited systems and set the stage for post-exploitation activities.
On November 8, 2022, Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. According to their guidance at the time, Microsoft Exchange Online Customers did not need to take any action. However, on-premises Microsoft Exchange customers were advised to take action by reviewing and applying Microsoft's mitigation steps on URL Rewrite Instructions and block exposed Remote PowerShell ports.
