msrc_cve-2024-21410
Vulnerability from csaf_microsoft
Published
2024-02-13 08:00
Modified
2024-03-01 08:00
Summary
Microsoft Exchange Server Elevation of Privilege Vulnerability
Notes
Additional Resources
To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Customer Action
Required. The vulnerability documented by this CVE requires customer action to resolve.
{ "document": { "acknowledgments": [ { "names": [ "Internally found by Microsoft" ] } ], "aggregate_severity": { "namespace": "https://www.microsoft.com/en-us/msrc/security-update-severity-rating-system", "text": "Critical" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Public", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en-US", "notes": [ { "category": "general", "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle", "title": "Additional Resources" }, { "category": "legal_disclaimer", "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.", "title": "Disclaimer" }, { "category": "general", "text": "Required. 
The vulnerability documented by this CVE requires customer action to resolve.", "title": "Customer Action" } ], "publisher": { "category": "vendor", "contact_details": "secure@microsoft.com", "name": "Microsoft Security Response Center", "namespace": "https://msrc.microsoft.com" }, "references": [ { "category": "self", "summary": "CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410" }, { "category": "self", "summary": "CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/csaf/2024/msrc_cve-2024-21410.json" }, { "category": "external", "summary": "Microsoft Exploitability Index", "url": "https://www.microsoft.com/en-us/msrc/exploitability-index?rtc=1" }, { "category": "external", "summary": "Microsoft Support Lifecycle", "url": "https://support.microsoft.com/lifecycle" }, { "category": "external", "summary": "Common Vulnerability Scoring System", "url": "https://www.first.org/cvss" } ], "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability", "tracking": { "current_release_date": "2024-03-01T08:00:00.000Z", "generator": { "date": "2024-12-31T18:51:29.819Z", "engine": { "name": "MSRC Generator", "version": "1.0" } }, "id": "msrc_CVE-2024-21410", "initial_release_date": "2024-02-13T08:00:00.000Z", "revision_history": [ { "date": "2024-02-13T08:00:00.000Z", "legacy_version": "1", "number": "1", "summary": "Information published." }, { "date": "2024-02-14T08:00:00.000Z", "legacy_version": "1.1", "number": "2", "summary": "Updated the Exploited flag and Exploitability Assessment to indicate that Microsoft was aware of exploitation of this vulnerability. This is an informational change only." }, { "date": "2024-02-15T08:00:00.000Z", "legacy_version": "1.2", "number": "3", "summary": "Added FAQ information. This is an informational change only." 
}, { "date": "2024-03-01T08:00:00.000Z", "legacy_version": "1.3", "number": "4", "summary": "Updated FAQ information. This is an informational change only." } ], "status": "final", "version": "4" } }, "product_tree": { "branches": [ { "branches": [ { "category": "product_version_range", "name": "\u003c15.01.2507.037", "product": { "name": "Microsoft Exchange Server 2016 Cumulative Update 23 \u003c15.01.2507.037", "product_id": "3" } }, { "category": "product_version", "name": "15.01.2507.037", "product": { "name": "Microsoft Exchange Server 2016 Cumulative Update 23 15.01.2507.037", "product_id": "12039" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2016 Cumulative Update 23" }, { "branches": [ { "category": "product_version_range", "name": "\u003c15.2.1544.004", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 13 \u003c15.2.1544.004", "product_id": "2" } }, { "category": "product_version", "name": "15.2.1544.004", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 13 15.2.1544.004", "product_id": "12191" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2019 Cumulative Update 13" }, { "branches": [ { "category": "product_version_range", "name": "\u003c15.2.1544.004", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 14 \u003c15.2.1544.004", "product_id": "1" } }, { "category": "product_version", "name": "15.2.1544.004", "product": { "name": "Microsoft Exchange Server 2019 Cumulative Update 14 15.2.1544.004", "product_id": "12293" } } ], "category": "product_name", "name": "Microsoft Exchange Server 2019 Cumulative Update 14" } ] }, "vulnerabilities": [ { "cve": "CVE-2024-21410", "cwe": { "id": "CWE-287", "name": "Improper Authentication" }, "notes": [ { "category": "general", "text": "Microsoft", "title": "Assigning CNA" }, { "category": "faq", "text": "Download Mitigating Pass the Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2. 
This document discusses Pass-the-Hash (PtH) attacks against the Windows operating systems and provides holistic planning strategies that, when combined with the Windows security features, will provide a more effective defense against pass-the-hash attacks. Note that NTLM relay, the technique this CVE concerns, is distinct from pass-the-hash; the relay-specific mitigation for Exchange Server is Extended Protection for Authentication (EPA), covered in the answers below, rather than the general credential-theft guidance in that document.", "title": "Where can I find more information about NTLM relay attacks?" }, { "category": "faq", "text": "An attacker could target an NTLM client such as Outlook with an NTLM credential-leaking vulnerability. The leaked credentials can then be relayed against the Exchange server to gain the privileges of the victim client and to perform operations on the Exchange server on the victim\u0027s behalf. For more information about Exchange Server\u0027s support for Extended Protection for Authentication (EPA), please see Configure Windows Extended Protection in Exchange Server.", "title": "How could an attacker exploit this vulnerability?" }, { "category": "faq", "text": "An attacker who successfully exploited this vulnerability could relay a user\u0027s leaked Net-NTLMv2 hash against a vulnerable Exchange Server and authenticate as the user.", "title": "According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), integrity (I:H) and availability (A:H). What does that mean for this vulnerability?" }, { "category": "faq", "text": "This CVE for Exchange Server 2019 Cumulative Update 14 enforces previous mitigations by default. We provided an optional mitigation for NTLM relay attacks in general in August 2022. These were documented in an Outlook CVE (CVE-2023-23397). 
Microsoft was aware of targeted NTLM relay attacks back in 2023; however, we are not aware of any current exploitation of NTLM relay attacks against Exchange Server. (Note that the exploit_status field of this advisory still records Exploited: Yes, set in the 2024-02-14 revision, so the update should be prioritized accordingly.)\nMicrosoft strongly recommends installing CU14 on Exchange Server 2019 or enabling Extended Protection within your organization as per Configure Windows Extended Protection in Exchange Server.\nPrior to the Exchange Server 2019 Cumulative Update 14 (CU14) update, Exchange Server did not enable NTLM credential relay protection (called Extended Protection for Authentication or EPA) by default. Without the protection enabled, an attacker can target Exchange Server to relay leaked NTLM credentials from other targets (for example Outlook). Exchange Server 2019 CU14 enables EPA by default on Exchange servers. For more information regarding this update, please refer to the latest Exchange Blog Post.\nMicrosoft introduced Extended Protection support as an optional feature for Exchange Server 2016 CU23 with the August 2022 security update (build 15.01.2507.012). On Exchange Server 2016 CU23 the security update only adds support for Extended Protection; it must still be turned on. We strongly recommend installing the latest security update for Exchange Server 2016 CU23 before turning Extended Protection on with the ExchangeExtendedProtectionManagement.ps1 script.\nIf you are running Exchange Server 2019 CU13 or earlier and you have previously run the ExchangeExtendedProtectionManagement.ps1 script to enable Extended Protection, you are protected from this vulnerability; however, Microsoft strongly suggests installing the latest cumulative update.\nTo verify the Extended Protection status of your servers, run the latest version of the Exchange Server Health Checker script; it provides an overview of the Extended Protection status of each server.", "title": "Why is this CVE listed as being exploited?" 
} ], "product_status": { "fixed": [ "12039", "12191", "12293" ], "known_affected": [ "1", "2", "3" ] }, "references": [ { "category": "self", "summary": "CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability - HTML", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410" }, { "category": "self", "summary": "CVE-2024-21410 Microsoft Exchange Server Elevation of Privilege Vulnerability - CSAF", "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410" } ], "remediations": [ { "category": "vendor_fix", "date": "2024-02-13T08:00:00.000Z", "details": "15.01.2507.037:Security Update:https://support.microsoft.com/help/5036386", "product_ids": [ "3" ], "url": "https://support.microsoft.com/help/5036386" }, { "category": "vendor_fix", "date": "2024-02-13T08:00:00.000Z", "details": "15.2.1544.004:Security Update:https://support.microsoft.com/help/5035606", "product_ids": [ "2", "1" ], "url": "https://support.microsoft.com/help/5035606" } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "environmentalsScore": 0.0, "exploitCodeMaturity": "FUNCTIONAL", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "remediationLevel": "OFFICIAL_FIX", "reportConfidence": "CONFIRMED", "scope": "UNCHANGED", "temporalScore": 9.1, "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C", "version": "3.1" }, "products": [ "1", "2", "3" ] } ], "threats": [ { "category": "impact", "details": "Elevation of Privilege" }, { "category": "exploit_status", "details": "Exploited:Yes;Latest Software Release:Exploitation Detected" } ], "title": "Microsoft Exchange Server Elevation of Privilege Vulnerability" } ] }
Sightings
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.