In February 2024, Microsoft disclosed a major vulnerability affecting Exchange Server, tracked as CVE-2024-21410. This security flaw allows attackers to elevate their privileges, potentially gaining unauthorized access to sensitive data across corporate email infrastructure. In this post, we’ll break down how this vulnerability works, look at the exploit details, and walk through example code snippets. All references and original advisories are included for in-depth reading.
What is CVE-2024-21410?
CVE-2024-21410 is a serious security vulnerability in Microsoft Exchange Server, specifically affecting versions before the patches released in February 2024. An attacker can exploit this bug to gain higher-level privileges, typically SYSTEM or administrator, by relaying NTLM authentication to Exchange (an NTLM relay attack).
Microsoft’s advisory:
Microsoft Security Response Center (MSRC) CVE-2024-21410 Advisory
NTLM Relay Basics:
Exchange uses NTLM for authentication. If NTLM is enabled and not mitigated, attackers can relay authentication requests to another service, effectively impersonating users.
How the Attack Happens:
The attacker tricks Exchange Server into authenticating with a server the attacker controls. The captured NTLM credentials are then relayed to other services (such as the Exchange EWS API), granting the attacker elevated access.
Impact:
Successful exploitation lets a remote, authenticated attacker execute code as SYSTEM, access sensitive mailbox data, or further pivot inside the corporate network.
Exploit Details: How Attackers Leverage CVE-2024-21410
The attack revolves around relaying NTLM authentication requests from Exchange to another service the attacker controls. Here’s a step-by-step breakdown, including code snippets for clarity.
Step 1: Set Up an NTLM Relay Listener
Attackers often use Impacket tools to relay NTLM:
ntlmrelayx.py -t https://exchange-victim/ews/exchange.asmx --escalate-user
This sets up an SMB listener. When Exchange, or any client, connects and presents credentials, ntlmrelayx relays those credentials to the Exchange EWS endpoint.
Step 2: Trick Exchange into Authenticating
Tools like Responder or custom scripts force the Exchange server (using misconfigured DNS or LLMNR/NBNS poisoning) to connect to the attacker’s SMB listener.
Example using Responder
responder -I eth -wrf
Step 3: Relay NTLM and Elevate Privileges
When the Exchange server unwittingly connects, its NTLM credentials are captured and relayed. If protections like Extended Protection for Authentication (EPA) aren’t enabled, the relay succeeds. The attacker can now issue Exchange Web Services (EWS) requests as the Exchange server — potentially reading mailboxes or running commands.
Sample Impacket relay output
[*] Incoming connection from 10.10.10.5
[*] Authenticating against https://exchange-victim/ews/exchange.asmx as EXCHANGE$
[+] Authentication Success!
Apply Microsoft’s Patch
Microsoft issued fixes. Patch your Exchange servers as described here:
Security Update Guide - CVE-2024-21410
Enforce SMB Signing and EPA
Require SMB signing and enable Extended Protection for Authentication.
Monitor for Suspicious Connections
Monitor traffic for signs of SMB/NTLM relay, especially unexpected connections from Exchange to other servers.
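The two signals above can be checked directly in logs. The following Python example is added here and is not code from the original post or from any Exchange tooling: it scans constructed connection and EWS (IIS) log lines for outbound SMB from an Exchange server to an unknown host, and for EWS requests that authenticate as the Exchange machine account (EXCHANGE$, as in the sample relay output) from a non-Exchange IP. The host, peer, and account values are assumptions for the example.

```python
"""Detection example (added, not from the original post): two NTLM-relay
indicators for Exchange, evaluated over constructed log lines.
  1. Outbound SMB (TCP 445) from an Exchange server to a host that is not a
     known SMB peer: the server may have been coerced to authenticate elsewhere.
  2. An EWS request authenticated as the Exchange machine account from an IP
     that is not an Exchange server: the machine credential is being relayed.
All addresses and account names below are assumptions for the example."""

EXCHANGE_HOSTS = {"10.10.10.5"}                 # assumed Exchange server IP
KNOWN_SMB_PEERS = {"10.10.10.2"}                # assumed DC / file server
EXCHANGE_MACHINE_ACCOUNTS = {"CORP\\EXCHANGE$"}  # assumed machine account

# Constructed connection log: timestamp src_ip src_port dst_ip dst_port proto
CONN_LOG = """\
2024-02-14T10:01:02Z 10.10.10.5 50211 10.10.10.2 445 TCP
2024-02-14T10:01:09Z 10.10.10.5 50214 10.10.10.77 445 TCP
2024-02-14T10:01:10Z 10.10.10.5 50215 10.10.10.2 389 TCP
"""

# Constructed IIS-style log for /ews: date time c-ip cs-uri-stem cs-username status
EWS_LOG = """\
2024-02-14 10:01:11 10.10.10.5 /ews/exchange.asmx CORP\\EXCHANGE$ 200
2024-02-14 10:01:12 10.10.10.77 /ews/exchange.asmx CORP\\EXCHANGE$ 200
2024-02-14 10:01:15 10.10.10.40 /ews/exchange.asmx CORP\\alice 200
"""

def flag_outbound_smb(log: str) -> list[str]:
    """Return findings for SMB connections from Exchange to hosts outside the allowlist."""
    hits = []
    for line in log.splitlines():
        ts, src, _sport, dst, dport, proto = line.split()
        if src in EXCHANGE_HOSTS and proto == "TCP" and dport == "445" \
                and dst not in KNOWN_SMB_PEERS:
            hits.append(f"{ts} {src} -> {dst}:445 (Exchange SMB to unknown host)")
    return hits

def flag_relayed_machine_account(log: str) -> list[str]:
    """Return findings for EWS requests using the Exchange machine account from a foreign IP."""
    hits = []
    for line in log.splitlines():
        date, time, cip, uri, user, _status = line.split()
        if user in EXCHANGE_MACHINE_ACCOUNTS and cip not in EXCHANGE_HOSTS:
            hits.append(f"{date}T{time}Z {cip} used {user} on {uri} (possible NTLM relay)")
    return hits

if __name__ == "__main__":
    for finding in flag_outbound_smb(CONN_LOG) + flag_relayed_machine_account(EWS_LOG):
        print(finding)
```

Both checks fire on the same foreign host (10.10.10.77) in the constructed data: the Exchange server reaches it over SMB, then its machine account appears on EWS from that address, which is the shape of the relay described above.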
Conclusion
CVE-2024-21410 underscores the dangers of legacy protocols like NTLM and the importance of keeping your Exchange infrastructure up to date. By understanding the mechanics, as illustrated with the code and tactics above, defenders can prioritize mitigation and detection efforts.
Further Reading:
- Microsoft Advisory CVE-2024-21410
- Impacket NTLM Relay
- Exchange Team Blog: Extended Protection for Authentication
If you administer Exchange, ensure you're patched — and review NTLM settings today!
Timeline
Published on: 02/13/2024 18:15:59 UTC
Last modified on: 02/16/2024 02:00:03 UTC