As part of its updates released on February 13, 2024, Microsoft has disclosed a vulnerability in Microsoft Exchange that would allow attackers to authenticate to Microsoft Exchange servers using a captured NTLM hash (a so-called “pass-the-hash” vulnerability). This would allow an attacker to authenticate to an Exchange server as any user for whom the attacker passed a valid NTLM hash.
NTLM authentication is an authentication mechanism used by Microsoft Windows and related products that uses a challenge-response protocol to avoid transmitting user passwords directly across the network. A “pass-the-hash” vulnerability is a form of credential reuse vulnerability, where an attacker who posesses a hashed form of a victim’s password can use that hash directly for authentication. Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft discusses this sort of vulnerability in detail.
This vulnerability, tracked as CVE-2024-21410, has a CVSS score of 9.1, indicating a critical vulnerability. Note that Microsoft has indicated that there is limited evidence that this vulnerability has been exploited in the wild.
What is the impact?
Upon successful exploitation of this vulnerability, an attacker would be able use a compromised NTLM hash to log into an Exchange server as a different user, with all of the privileges of that user.
Are updates or workarounds available?
Enabling Extended Protection will mitigate this vulnerability.
Additionally, Microsoft has released a mitigtation as part of the 2024 H1 cumulative update for Exchange Server.
How do I find Exchange servers with runZero?
From the Services Inventory, use the following query to locate potentially vulnerable assets your network that may need remediation or mitigation:
product:"Exchange Server"About Version 2 Digital
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.
About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
