
CVE-2024-21410: Exchange vulnerability is actively exploited

The critical vulnerability CVE-2024-21410 in Exchange Server, which was made public on 13.02.2024, is now being actively exploited. CVE-2024-21410 allows attackers to perform an NTLM relay attack (pass the hash): attackers can trick a client such as Outlook into authenticating to a malicious relay in order to obtain NTLM credentials. The NTLM credentials can then be forwarded to the Exchange server using pass the hash, and the attackers then act on the Exchange server with the identity and rights of that user.

Activating Extended Protection protects against the vulnerability CVE-2024-21410. The recently published Cumulative Update 14 for Exchange Server 2019 enables Extended Protection by default during installation. It is important to know, however, that CU14 for Exchange 2019 does not close the vulnerability itself: only enabling Extended Protection prevents the vulnerability from being exploited. If the CU14 setup was run with the switches "/DoNotEnableEP" or "/DoNotEnableEP_FEEWS", CVE-2024-21410 remains exploitable. Likewise, if Extended Protection was disabled again afterwards, it must be re-enabled.

The biggest obstacle to activating Extended Protection is likely to be the requirement regarding the SSL certificate: the same certificate must be used on all devices, such as load balancers and web application firewalls, that perform SSL inspection or SSL bridging. You therefore need to plan how to install and renew the same certificate on all relevant devices. SSL offloading is not supported with Extended Protection.

The Exchange Health Checker can be used to check whether Extended Protection is enabled.

Exchange Server 2016 is also vulnerable to CVE-2024-21410, and activating Extended Protection helps here as well. For Exchange 2016, Extended Protection must be enabled via a PowerShell script. A security update that closes the vulnerability without activating Extended Protection has not yet been published.
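As an added, read-only check (not the article's script, nor Microsoft's ExchangeExtendedProtectionManagement.ps1 or the Health Checker), the following PowerShell reads the IIS "extendedProtection" setting that Exchange Extended Protection relies on and flags virtual directories where it is still switched off. The virtual directory list is an assumption; the authoritative per-directory expectation comes from Microsoft's script and the Health Checker.

```powershell
# Added example: audit the IIS extendedProtection setting on Exchange virtual directories.
# Run in an elevated PowerShell on the Exchange server (WebAdministration module required).
# Read-only: nothing is changed. Compare the output with the Health Checker report.
Import-Module WebAdministration

$filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
$appHost = 'MACHINE/WEBROOT/APPHOST'

# Site -> virtual directories to inspect (assumed list of common Exchange vdirs)
$commonVDirs = @('Autodiscover','ECP','EWS','MAPI','Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC')
$targets = @{
    'Default Web Site'  = $commonVDirs
    'Exchange Back End' = $commonVDirs
}

# Get-WebConfigurationProperty may return a plain value or a ConfigurationAttribute
function Get-AttrValue {
    param($Attr)
    if ($null -ne $Attr -and $Attr.PSObject.Properties['Value']) { return [string]$Attr.Value }
    return [string]$Attr
}

function Get-EpSetting {
    param([string]$Site, [string]$VDir)
    $loc = "$Site/$VDir"
    $token = Get-AttrValue (Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $filter -Name tokenChecking)
    $flags = Get-AttrValue (Get-WebConfigurationProperty -PSPath $appHost -Location $loc -Filter $filter -Name flags)
    [pscustomobject]@{ Site = $Site; VirtualDirectory = $VDir; TokenChecking = $token; Flags = $flags }
}

$results = foreach ($site in $targets.Keys) {
    foreach ($vdir in $targets[$site]) {
        try { Get-EpSetting -Site $site -VDir $vdir }
        catch { Write-Warning "Could not read $site/$vdir : $_" }
    }
}

$results | Sort-Object Site, VirtualDirectory | Format-Table -AutoSize

# tokenChecking "None" means Extended Protection is off for that path;
# "Allow" or "Require" means it is enabled (Require is the strict setting).
$off = @($results | Where-Object { $_.TokenChecking -eq 'None' })
if ($off.Count -gt 0) {
    Write-Warning ("Extended Protection is NOT enabled on {0} virtual directories:" -f $off.Count)
    $off | ForEach-Object { Write-Warning ("  {0}/{1}" -f $_.Site, $_.VirtualDirectory) }
} else {
    Write-Host 'All inspected virtual directories have Extended Protection set to Allow or Require.'
}
```

If a directory reports "None" after CU14 was installed, check whether setup was run with one of the /DoNotEnableEP switches or Extended Protection was disabled afterwards, and re-enable it with Microsoft's script.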
