top of page
  • Writer's pictureAnup Ghosh

97K Microsoft Exchange Servers Vulnerable to Privilege Escalation Attacks

Updated: Feb 25



The Download

On Patch Tuesday February 13th, 2024, Microsoft disclosed a bevy of vulnerabilities -- 73 in all. A couple of these vulnerabilities with CVSS 9.8 rating are worth paying attention to: CVE-2024-21410 and CVE-2024-21413 for Microsoft Exchange and Microsoft Outlook, respectively. CISA has added CVE-2024-21410 (Microsoft Exchange) to the Known Exploitable Vulnerability list. This vulnerability allows an attacker to copy a victim's NTLM authentication credentials from Microsoft Outlook to login to the Exchange server with the victim's privileges bypassing standard authentication and gaining full access to the victim's email and files.


Shadowserver.org was able to tally up to 97,000 Microsoft Exchange servers on the Internet that are potentially susceptible to this attack unless other mitigations are performed. This also points to the fact that there are still a lot of on-prem Exchange servers out on the Internet creating a rich attack surface.


CVE-2024-21413 (Microsoft Outlook) is an interesting one in the same context. A threat actor can craft a spearphish email to a victim with a malicious link that bypasses the protected view protocol in order to capture and leak the victim's NTLM credentials, which in turn can be used against CVE-2024-21410 to exploit the Microsoft Exchange server. On top of it this vulnerability allow remote code execution (RCE) on the client machine.


What You Can Do

If you have an on-prem Exchange server (active or legacy) you should apply the patch from Microsoft. In addition, consider migrating to cloud hosted M365. While the EPSS score on this vulnerability is still below 1%, we highly recommend patching this vulnerability with urgency as CISA has included it on its Known Exploitable Vulnerability list. We can presume CISA/US Gov has intelligence about this vulnerability being exploited.


In addition, apply the Microsoft Office patch to address the Outlook vulnerability (CVE-2024-21413) to prevent compromise on the client. To learn more, see: https://www.bleepingcomputer.com/news/security/over-28-500-exchange-servers-vulnerable-to-actively-exploited-bug/.


Special thanks to Patrick Garrity for a solid discussion on these vulnerabilities and recommendations.





130 views

Comments


bottom of page