Microsoft announces critical zero-day Exchange bug

NTLM relay lets an attacker act on Exchange Server as the victim user

The issue affects Exchange Server


Microsoft has issued a warning about a critical security flaw in Exchange Server.

It says the vulnerability, tracked as CVE-2024-21410 and rated critical (CVSS 9.8), was already being exploited by attackers before the fix shipped in the latest round of updates.

The flaw is an elevation-of-privilege vulnerability, and exploiting it requires no credentials of the attacker's own. The technique is an NTLM relay: the attacker coerces or tricks a client on the network into authenticating to a server under the attacker's control, then forwards (relays) that NTLM challenge-response exchange to the Exchange Server, which accepts it as if it came from the victim. The attacker ends up operating on Exchange with the victim's privileges; the bug does not by itself give code execution on the server.

Microsoft explains that an attacker could first target an NTLM client such as Outlook with a credential-leaking bug, then relay the leaked Net-NTLMv2 hash against a vulnerable Exchange Server to authenticate as the victim user and perform operations on the server on that user's behalf. Because the response is bound to the challenge Exchange issued, the relay has to happen live rather than from a stored hash, which is why such attacks pair a coercion or leak with a listening relay.

To fix the issue, Microsoft released an update as part of its February 2024 Patch Tuesday. Cumulative Update 14 (CU14) for Exchange Server 2019 turns on Microsoft's Extended Protection (EP), which builds on Windows' Extended Protection for Authentication (EPA). EP binds NTLM authentication to the TLS channel it travels over (channel binding), so a response a client produced for one TLS connection is rejected when replayed over another, which is exactly what a relay does. It also defends against the related man-in-the-middle attacks.
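The relay described above, and the reason channel binding stops it, as an added toy model in PowerShell (example code written for this article, not Microsoft's or any tool's code). It simplifies NTLMv2 deliberately: HMAC-SHA256 stands in for HMAC-MD5, the real message layout is not reproduced, and the channel binding token is modelled as a SHA-256 of the certificate label the client sees. Names such as Get-ToyNtlmResponse and the certificate labels are invented for the example.

```powershell
# Added example, not Microsoft's code. Toy model of an NTLM relay and of why
# Extended Protection's channel binding defeats it. Simplifications: HMAC-SHA256
# stands in for NTLMv2's HMAC-MD5, the channel binding token is a SHA-256 of the
# certificate label the client sees, and the real NTLM messages are not built.

function Get-CertBinding {
    # Channel binding token: a hash of the server certificate the client received.
    param([string]$CertLabel)
    [System.Security.Cryptography.SHA256]::Create().ComputeHash(
        [System.Text.Encoding]::ASCII.GetBytes($CertLabel))
}

function Get-ToyNtlmResponse {
    # Client side: keyed with the user's NT hash over the server challenge plus,
    # when Extended Protection is negotiated, the binding to the TLS certificate.
    param([byte[]]$NtHash, [byte[]]$Challenge, [byte[]]$Binding)
    $hmac = [System.Security.Cryptography.HMACSHA256]::new($NtHash)
    $hmac.ComputeHash([byte[]]($Challenge + $Binding))
}

function Test-ToyExchangeAuth {
    # Server side: Exchange recomputes the response. With EP it binds the check
    # to its OWN certificate, not to whatever certificate the client saw.
    param([byte[]]$NtHash, [byte[]]$Challenge, [byte[]]$Response,
          [string]$ExchangeCert, [bool]$ExtendedProtection)
    $binding = New-Object byte[] 0
    if ($ExtendedProtection) { $binding = Get-CertBinding -CertLabel $ExchangeCert }
    $expected = Get-ToyNtlmResponse -NtHash $NtHash -Challenge $Challenge -Binding $binding
    [Convert]::ToBase64String([byte[]]$expected) -eq [Convert]::ToBase64String([byte[]]$Response)
}

function Invoke-RelayScenario {
    # Returns $true when the relaying attacker ends up authenticated as the victim.
    param([bool]$ExtendedProtection)

    # Constructed input: a fixed stand-in for the victim's NT hash.
    $ntHash = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
        [System.Text.Encoding]::Unicode.GetBytes('victim-password'))

    # 1. Attacker opens a session to Exchange and receives its challenge (constructed here).
    $challenge = [byte[]](0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88)

    # 2. Attacker passes that challenge to the victim's Outlook, which has been tricked
    #    into talking to the attacker's TLS listener. If EP is negotiated, the victim
    #    therefore binds its response to the ATTACKER's certificate.
    $victimBinding = New-Object byte[] 0
    if ($ExtendedProtection) { $victimBinding = Get-CertBinding -CertLabel 'CN=attacker.example' }
    $response = Get-ToyNtlmResponse -NtHash $ntHash -Challenge $challenge -Binding $victimBinding

    # 3. Attacker relays the victim's response to Exchange, whose certificate differs.
    Test-ToyExchangeAuth -NtHash $ntHash -Challenge $challenge -Response $response `
        -ExchangeCert 'CN=mail.example' -ExtendedProtection $ExtendedProtection
}

"EP off, relay authenticated: $(Invoke-RelayScenario -ExtendedProtection $false)"
"EP on,  relay authenticated: $(Invoke-RelayScenario -ExtendedProtection $true)"
```

With EP off the relayed response verifies, because nothing ties it to the connection it was produced on. With EP on, the victim computed its response over the attacker's certificate while Exchange verifies it against its own, so the HMACs differ and the relay is refused. The same logic is why Microsoft warns that EP breaks SSL offloading: a load balancer presenting a different certificate than Exchange looks, to the check, exactly like the attacker here.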

EPA support for Exchange Server

Exchange Server gained support for EP with the August 2022 Security Updates, but it was opt-in: administrators had to enable it themselves. Microsoft later announced that EP would be enabled by default on every server that installs CU14, and with this release it has made good on that promise. CU14 also offers a setup switch to skip enabling EP during the upgrade, for environments that are not yet ready for it.

For those on Exchange Server 2016 (CU23), EP is not switched on automatically; administrators enable it with Microsoft's ExchangeExtendedProtectionManagement.ps1 PowerShell script, which can also report the current state with its -ShowExtendedProtection switch. Before enabling it, review Microsoft's documentation and check the prerequisites: TLS settings must be consistent across all Exchange servers, SSL offloading to a load balancer is not supported with EP, and public folder and hybrid configurations have additional requirements. Getting these wrong breaks client connectivity rather than merely leaving the server exposed.
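An added audit, as an example for this article and not Microsoft's script: it reads the IIS applicationHost.config that the Extended Protection script modifies and reports the tokenChecking value for each Exchange virtual directory, so you can see before and after running the script which directories are Require, Allow, or still None. The XML below is a constructed sample; on a real server point -Path at $env:windir\System32\inetsrv\config\applicationHost.config. The function name Get-ExtendedProtectionState is invented for the example.

```powershell
# Added example, not Microsoft's script. Reports Extended Protection state per
# Exchange virtual directory from an IIS applicationHost.config. The XML here is
# a constructed sample; use -Path against the real file on a server.

function Get-ExtendedProtectionState {
    param(
        [string]$Path,   # real server: "$env:windir\System32\inetsrv\config\applicationHost.config"
        [string]$Xml     # or pass the XML text directly
    )
    if ($Path) { $Xml = Get-Content -Path $Path -Raw }
    $doc = [xml]$Xml
    foreach ($loc in $doc.configuration.location) {
        # Only the two Exchange IIS sites carry the virtual directories of interest.
        if ($loc.path -notmatch '^(Default Web Site|Exchange Back End)/') { continue }
        $winAuth = $loc.'system.webServer'.security.authentication.windowsAuthentication
        $token = 'None'   # IIS default when <extendedProtection> is absent
        if ($winAuth -and $winAuth.extendedProtection -and $winAuth.extendedProtection.tokenChecking) {
            $token = $winAuth.extendedProtection.tokenChecking
        }
        [pscustomobject]@{
            VirtualDirectory = $loc.path
            WindowsAuth      = if ($winAuth) { $winAuth.enabled } else { 'n/a' }
            TokenChecking    = $token
            Protected        = $token -in 'Allow', 'Require'
        }
    }
}

# Constructed sample: one directory still at the IIS default (owa has no
# <extendedProtection> element, so tokenChecking is effectively None).
$sampleConfig = @'
<configuration>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Allow" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/owa">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Exchange Back End/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true">
        <extendedProtection tokenChecking="Require" flags="None" />
      </windowsAuthentication>
    </authentication></security></system.webServer>
  </location>
</configuration>
'@

Get-ExtendedProtectionState -Xml $sampleConfig | Format-Table -AutoSize

# Directories that a relay could still target:
Get-ExtendedProtectionState -Xml $sampleConfig | Where-Object { -not $_.Protected } | Format-Table -AutoSize
```

Microsoft's script sets Require on most directories and Allow on a few that must still accept clients without EP support; its documentation lists the expected value per directory, so compare this output against that list rather than treating every Allow as a finding. Run the audit on every Exchange server in the organisation, since EP must be consistent across the fleet.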