- February 14, 2024
- Beazley Security Labs
Microsoft Outlook Critical Vulnerability Under Active Exploitation (CVE-2024-21410)
On February 13th, 2024, Microsoft addressed several vulnerabilities as part of its monthly Patch Tuesday. One of those vulnerabilities was in Microsoft Exchange Server and was reported as critical because the attack vector is 1) remote, 2) unauthenticated, and 3) low complexity.
Executive Summary
On February 13th, 2024, Microsoft addressed several vulnerabilities as part of its monthly Patch Tuesday. One of those vulnerabilities was in Microsoft Exchange Server and was reported as critical because the attack vector is 1) remote, 2) unauthenticated, and 3) low complexity. Additionally, a day later, Microsoft reported that the vulnerability was already known to be exploited in the wild.
The vulnerability (CVE-2024-21410) is a privilege escalation attack. The attack chain would involve a threat actor getting access to the target network, performing a credential-leak attack on a host, then replaying stolen credentials against the target Exchange server.
There are a few mitigating factors for this attack. 1) attacks of this type generally need network access first, 2) many organizations do not run their own exchange servers on-prem, and 3) there is already a tested, vendor supplied software patch available.
Lodestone strongly recommends that any organisations using Microsoft Outlook test and apply the patch (if they run Outlook on-prem), or verify their email provider has applied the patch (if they leverage a 3rd party to provide email via hosted exchange ).
Affected Systems or Products
The following products are reported vulnerable, according to Microsoft:
Microsoft Exchange Server 2019 prior to Cumulative Update 14 (CU14)
Microsoft Exchange Server 2016 prior to Cumulative Update 23 (CU23) and enabling Extended Protection Management
Mitigations / Workarounds
At time of writing, the best mitigation would be applying the Exchange Server 2019 CU14 patch released by Microsoft, as patch Tuesday releases happen every month and are rigorously tested. If an organization is running Exchange 2016, they would need to apply CU23 and additionally run a configuration update script provided by Microsoft detailed here.
There are additionally steps that can be taken to increase network defensive posture against this type of attack. Those steps are out of scope for this document, but Microsoft themselves have published and released a set of documents detailing those steps here.
Patches
At time of writing, a vendor supplied patch is available.
Exchange Server 2016 CU23, with additional install of their EPM enable script.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices discovered by our Attack Surface Management Solution, Karma, to identify potentially impacted devices and support organizations in remediation of any issues found.