Microsoft Patches 73 Vulnerabilities Including Actively Exploited Critical Flaw in Exchange Server
In February 2024, Microsoft issued a security alert for a total of 73 security vulnerabilities. The batch included 6 critical severity vulnerabilities, 52 rated as high severity, and 15 as medium severity vulnerabilities. 30 of them are remote code execution vulnerabilities [T1210] and 16 are privilege escalation [TA0004] exploits. From that group, three stand out as being actively exploited; CVE-2024-21410 (CVSS 9.8 Critical), CVE-2024-21412 (CVSS 8.1 High), and CVE-2024-21351 (CVSS 7.6 High).
15 of the 73 CVEs affected Microsoft WDAC OLE DB provider for SQL, 8 were reported in Microsoft Dynamics, a business productivity cloud service that integrates with Microsoft 365, and the Windows kernel had 6 CVEs reported and patched. The full list of vulnerabilities can be found on the official Microsoft advisory report for February 2024.
CVE-2024-21410 in Microsoft Exchange Actively Exploited
The CVE-2024-21410 (CVSS 9.8 Critical) security flaw is an authentication replay attack [CWE-294] on Microsoft Exchange Servers that use the Net-NTLMv2 protocol. The vulnerability allows attackers with the ability to capture a victim’s Net-NTLMv2 credentials to escalate privileges on the system for unauthenticated access. Since CVE-2024-21410 is a pass-the-hash [CWE-836] vulnerability it is considered low complexity to exploit by any attacker with stolen credentials. As such, CVE-2024-21410 represents a high risk to the confidentiality and integrity of an organization’s internal email communication and other data contained in an Exchange Server instance such as contact lists, shared resources or schedules.
CVE-2024-21410 is reported as actively exploited by CISA’s known exploited vulnerabilities (KEV) database. Although no formal attribution has been assigned to the recent attacks, some insider noted that Russian-backed threat actor APT28 is active in exploiting NTLM and is known for attack techniques including Access Token Manipulation [T1134] and Token Impersonation/Theft [T1134.001] for unauthorized access against email servers.
28,500 Microsoft Exchange servers have been identified as vulnerable, while a report from security research firm Shadowserver aggressively estimates that up to 97,000 IPs are potentially affected. Greenbone provides both a local security check (LSC) and remote version checks for identifying Microsoft Exchange servers impacted by CVE-2024-21410.
Here is a description of CVE-2024-21410 and how it is being exploited:
- CVE-2024-21410 (CVSS 9.8 Critical): An attacker could target an Net-NTLMv2 client such as Outlook from within a compromised endpoint with a credential-leak exploit, via a compromised network position using a tool such as Responder, or via an Adversary in The Middle (AiTM) position by capturing unencrypted network traffic. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim and to perform operations on the Exchange server on the victim’s behalf. Notably, CVE-2024-21410 does not require the captured Net-NTLMv2 hash to be cracked since it can be replayed directly for exploitation.
What Is NTLM Authentication Protocol?
NTLM (NT LAN Manager) authentication protocol is a proprietary protocol developed by Microsoft dating back to the Windows NT operating system, which was released in 1993. NTLM was replaced as the default authentication protocol in Windows 2000 by Kerberos. The Net-NTLMv1 and Net-NTLMv2 protocols employ the user’s base password, stored as a hash (called the NTHash) in a challenge response authentication handshake to verify an authorized user. A detailed description of the algorithms used in Net-NTLMv1 and Net-NTLMv2 can be found on the medium platform.
Net-NTLMv2 (NT LAN Manager version 2) is an improvement over the older NTLM protocol, offering better security features against certain types of attack. Net-NTLMv2 is still supported by various Microsoft products and services within Windows-based networks. However, due to the potential for simple replay attacks using stolen credentials [CWE-294], NTLM has already been directly issued a CVE (CVE-2021-31958) itself and its use presents serious security risk to unauthorized access. Also, considering that Microsoft officially acknowledged the security risks of NTLM in 2021, it should broadly be considered as a vulnerable protocol and it should be replaced with a more secure public-key based authentication wherever it is in use.
Some of the key products that still support the use of Net-NTLMv2: include all Windows operating systems, Active Directory (AD), Microsoft Exchange Server, Microsoft SQL Server, Internet Information Services (IIS), SMB Protocol, Remote Desktop Services, and other third-party applications.
Mitigating CVE-2024-21410
The 2024 H1 Cumulative Update 14 (CU14) for Exchange Server 2019 has been released by Microsoft allowing operators of the affected versions to patch their vulnerable product. The CU14 update enables Extended Protection for Authentication (EPA) by default which had otherwise required manual setup.
If installing CU14 is not feasible or for administrators of Exchange Server 2016, the Exchange Extended Protection documentation and ExchangeExtendedProtectionManagement.ps1 script can be used to enable EPA for Exchange Servers. Microsoft also points to its own workaround techniques for mitigating pass-the-hash attacks in reference to mitigating the risk of CVE-2024-21410.
Pivoting From CVE-2024-21410 to CVE-2024-21378
It’s also probable that attackers who can gain unauthorized access to a vulnerable Microsoft Exchange server could continue their exploit chain by leveraging another vulnerability disclosed in the February 2024 group; CVE-2024-21378 (CVSS 8.0 High) to cause high impact to endpoints running Microsoft Outlook 2016 client or Microsoft Office 365 (2016 Click-to-Run). CVE-2024-21378 is a remote code execution vulnerability that requires user interaction. Also, a prerequisite for exploiting CVE-2024-21378 is authenticated access to a Microsoft Exchange server or other Microsoft LAN service allowing an attacker to compromise users on the same domain controller via delivery of a malicious file. Furthermore, CVE-2024-21378 can be exploited simply by previewing the malicious file.
Greenbone can identify systems affected by CVE-2024-21378 with local security checks for Microsoft Outlook 2016 and Microsoft Office 365 (2016 Click-to-Run).
CVE-2024-21351 Windows SmartScreen Security Bypass
CVE-2024-21351 (CVSS 7.6 High) is a remote code execution (RCE) vulnerability in the Windows SmartScreen security feature. Exploiting CVE-2024-21351 could expose sensitive data and compromise file integrity and availability. This requires human interaction. The victim must click to open a malicious file delivered by the attacker. CVE-2024-21351 was added to CISA’s catalog of known exploited vulnerabilities (KEV) on February 13, 2024 along with CVE-2024-21412.
CVE-2024-21412 Internet Shortcut Files Security Bypass
CVE-2024-21412 (CVSS 8.1 High) is a vulnerability in the security feature of Internet Shortcut Files that allows an unauthenticated attacker to distribute a specially crafted file intended to circumvent visible security measures. While the attacker cannot compel a user to access content under their control, they must persuade the user to actively click on the file link to initiate the exploit.
Mitigating CVE-2024-21351 and CVE-2024-21412
CVE-2024-21351 and CVE-2024-21412 can be patched by installing Microsoft’s February 2024 cumulative patch. Known as “Patch Tuesday”, Microsoft issues cumulative patches on the second Tuesday of each month. Since Windows 7 is past end-of-life support from Microsoft, patches will not be issued to remediate these vulnerabilities. Affected versions of Microsoft Windows that will receive patches include:
- Microsoft Windows Server 2022 & 2019
- Microsoft Windows 11 version 21H2, 22H2 & 23H2 for x64-based Systems
- Microsoft Windows 10 Versions 1809, 21H2 & 22H2 for 32-bit and x64-based Systems