Microsoft has enabled the security feature “Extended Protection for Authentication” in the latest Cumulative Update for Exchange server 2019 in response to the “NTLM Credentials-Leaking” vulnerability addressed in the CVE 2024 21410. Exchange Administrators are advised to enable the “extended Protection for Authentication” to all the applicable Exchange server versions as soon as possible.
What is the impact due to this Vulnerability?
An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability. The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.
What are the Exchange versions affected by this vulnerability?
All Exchange server versions are affected by this vulnerability that includes Exchange Server 2013, 2016 and 2019.
What is the Mitigation plan from Microsoft?
Microsoft had already addressed this vulnerability by releasing an “Add-on” protection feature called “Extended Protection for Authentication“ for Exchange. This feature is now enabled automatically in Exchange server 2019 with the latest Cumulative Update 14. For Exchange 2016 and 2013 versions, this feature remains as “Add-on” hence needs to be enabled manually by Exchange Administrators.
What are the Pre-requisites to enable “Extended Protection for Authentication” (EPA)?
The following are high-level prerequisites that need to be validated against the Exchange servers before enabling “EPA.”
- All Exchange servers should be in the latest TLS versions.
- All Exchange servers should be in the latest CU and SU versions.
- SSL Offloading should be disabled.
- SSL Bridging should be disabled.
- Public Folders should be hosted on the Latest Exchange 2016 versions in coexistence scenarios.
- Exchange Hybrid configuration should be validated against the EPA.
How can Administrators validate if “EPA” is applied to the Exchange environment?
Exchange Administrators can run the latest “Exchange Server Health Check” script from Microsoft in the Exchange environment to identify the latest vulnerabilities and the EPA protection status.
How can Administrators apply this feature in the Exchange environment?
Administrators can install the latest CU for Exchange 2019 and get “EPA” protection enabled by default. For Exchange 2016 and 2013 versions, the Administrators can download the EPA script from Microsoft and run it in the Exchange environment after carefully evaluating the requirements. Administrators can also apply this feature manually in the Exchange environment.
Can Administrators perform a rollback of this change if required?
Yes, Administrators can run the EPA script with Rollback switch to revert the changes.
Helient strongly recommends taking the necessary steps to enable the security feature “Extended Protection for Authentication” in the Exchange environments after careful evaluation. If you would like more information or assistance, please contact our industry-leading experts at service@helient.com .