CVE-2024-21410 — Microsoft Exchange Server Privilege Escalation Vulnerability

Microsoft Exchange Server — NTLM Relay Attack via Credential Coercion; CVSS 9.8; KEV 2 Days After Patch; Extended Protection (EPA) Required

What is Microsoft Exchange Server?

Microsoft Exchange Server is the dominant enterprise on-premises email server, managing email, calendar, contacts, and task data for hundreds of thousands of organizations. Exchange is deeply integrated with Active Directory and processes authentication for all users in an organization's email domain. A compromised Exchange server represents a critical intelligence target: it holds all organizational email communications, calendar data, and contact information. Exchange has historically been a high-priority target for espionage actors — the 2021 ProxyLogon/ProxyShell campaigns compromised tens of thousands of Exchange servers globally, and Exchange vulnerabilities continue to attract immediate exploitation.

Overview

CVE-2024-21410 is an NTLM relay vulnerability (improper authentication, CWE-287) in Microsoft Exchange Server. An attacker can coerce Exchange to authenticate (via NTLM) to an attacker-controlled server, capture the NTLM credentials, and relay them back to Exchange to authenticate as the victim user — performing operations on Exchange (reading email, sending email, accessing mailboxes) with the victim's permissions. The root cause is that Exchange did not enforce Extended Protection for Authentication (EPA/channel binding) on its HTTP endpoints, allowing NTLM credentials to be relayed without binding them to a specific TLS channel. Microsoft's fix in Exchange Server 2019 CU14 enables EPA by default. CISA added it to the KEV catalog just 2 days after the patch.

Affected Versions

Product               Vulnerable                     Fixed
Exchange Server 2019  < CU14 (without EPA enabled)   CU14 with EPA (enabled by default)
Exchange Server 2016  Without EPA enabled            Apply EPA manually per Microsoft guidance

Note: Exchange Server 2019 CU14 is the first version to enable Extended Protection for Authentication (EPA) by default. Earlier Exchange versions support EPA but require manual enablement.

Technical Details

NTLM relay background: NTLM is a Windows challenge-response authentication protocol: the client proves its identity by answering a server challenge with a value derived from the hash of its password, and the password itself is never sent. A "relay attack" occurs when an attacker intercepts an NTLM authentication attempt and forwards it in real time to a different server, authenticating to that server as the victim without knowing the victim's password.

Exchange's vulnerability: Exchange's HTTP endpoints accepted NTLM authentication without requiring Extended Protection (channel binding tokens / service bindings). Without EPA, an NTLM response obtained on one connection can be relayed to any other Exchange endpoint: nothing ties the response to the specific TLS session it was captured from.
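To make the channel-binding mechanism concrete, here is an added Python model (not code from Microsoft or from this page) of the check EPA adds: the MsvAvChannelBindings value a client derives from the TLS server certificate, and the IIS tokenChecking policy (None, Allow, Require) the server applies to it. The certificates are constructed placeholders, SHA-256 is assumed for the certificate hash, and the SPN/service-binding check is omitted.

```python
import hashlib
import hmac
import struct

NO_CBT = bytes(16)  # MS-NLMP: a client with no channel bindings sends Z(16)

# Constructed stand-ins for DER-encoded certificates (not real certificates).
EXCHANGE_CERT = b"CONSTRUCTED-DER: mail.example.test"
ATTACKER_CERT = b"CONSTRUCTED-DER: relay.example.invalid"

def tls_server_end_point(cert_der: bytes) -> bytes:
    """RFC 5929 'tls-server-end-point' binding data: the server certificate hash.
    SHA-256 is assumed here; the RFC derives the hash from the certificate's
    signature algorithm."""
    return b"tls-server-end-point:" + hashlib.sha256(cert_der).digest()

def msv_av_channel_bindings(cert_der: bytes) -> bytes:
    """MS-NLMP MsvAvChannelBindings: MD5 over a gss_channel_bindings_struct whose
    four address fields are zero and whose application_data is the CBT. The value
    is covered by the NTLMv2 response MAC, so a relay cannot rewrite it."""
    cbt = tls_server_end_point(cert_der)
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(cbt)) + cbt
    return hashlib.md5(gss_struct).digest()

def server_accepts(policy: str, server_cert: bytes, client_binding: bytes) -> bool:
    """Server-side EPA decision, mirroring IIS extendedProtection tokenChecking."""
    if policy == "None":           # pre-CU14 Exchange default: nothing is checked
        return True
    if client_binding == NO_CBT:   # client had no TLS channel to bind to
        return policy == "Allow"   # Allow tolerates that, Require rejects it
    expected = msv_av_channel_bindings(server_cert)
    return hmac.compare_digest(client_binding, expected)

def relay_succeeds(policy: str, coercion_transport: str) -> bool:
    """The victim authenticates to the attacker's listener and the attacker forwards
    the NTLMv2 response to Exchange. True if Exchange would accept it."""
    if coercion_transport == "https":
        binding = msv_av_channel_bindings(ATTACKER_CERT)  # bound to the wrong cert
    else:
        binding = NO_CBT                                   # plain HTTP or SMB coercion
    return server_accepts(policy, EXCHANGE_CERT, binding)

if __name__ == "__main__":
    for policy in ("None", "Allow", "Require"):
        print(policy, relay_succeeds(policy, "https"), relay_succeeds(policy, "http"))
```

Only the Require policy rejects both cases; Allow still accepts a response from a victim coerced over a channel with no TLS binding, which is why the CU14 default matters.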

Attack chain:

  1. Attacker coerces an Exchange user or service account to initiate NTLM authentication to an attacker-controlled server (via a phishing email with a UNC link, a CVE-2024-21413 MonikerLink, or other credential coercion technique)
  2. Attacker captures the NTLM authentication tokens
  3. Attacker relays the tokens to the victim's Exchange Autodiscover or EWS (Exchange Web Services) endpoint
  4. Exchange accepts the relayed authentication as if it came from the legitimate user
  5. Attacker reads all email in the victim's mailbox, sends email as the victim, or accesses calendar/contacts

Combined with CVE-2024-21413: The MonikerLink vulnerability in Outlook (CVE-2024-21413) provides an ideal credential coercion method — an attacker emails a MonikerLink to the target, Outlook automatically triggers an NTLM authentication to the attacker's server, and the attacker relays those credentials to Exchange via CVE-2024-21410. Together, the two CVEs form a complete unauthenticated email-to-Exchange-access attack chain.

Exploitation Context

CISA added CVE-2024-21410 to the KEV catalog 2 days after the February 13, 2024 patch. NTLM relay attacks against Exchange have been a known attack class for years (PetitPotam, PrinterBug, etc.), and Microsoft's enabling of EPA by default in CU14 was long overdue. The rapid KEV listing indicates that exploitation attempts against unpatched Exchange servers began immediately once the patch itself, through patch diffing, pointed attackers at the weakness.

Remediation

  1. Upgrade Exchange Server 2019 to CU14 (released February 2024) — EPA is enabled by default in CU14. The CISA deadline was March 7, 2024.
  2. For Exchange 2016, and for Exchange 2019 CU13 and earlier: manually enable Extended Protection for Authentication per Microsoft's documentation, using the ExchangeExtendedProtectionManagement.ps1 script.
  3. Enable SMB signing on all Windows systems to prevent NTLM relay attacks over SMB (requires both client and server to have signing enabled).
  4. Block inbound NTLM relay vectors: enable LDAP signing and LDAP channel binding on domain controllers; enable SMB signing organizationally.
  5. Block outbound SMB (port 445) at the perimeter to prevent external NTLM credential coercion (eliminates the most common MonikerLink/UNC coercion path).
  6. Monitor Exchange EWS and Autodiscover access logs for unexpected authenticated sessions from unusual source IPs or user agents.
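As an added illustration of the monitoring in step 6 (not part of the original page), the following Python flags authenticated EWS and Autodiscover requests whose source IP or User-Agent falls outside a per-user baseline; the W3C log excerpt and the baseline are constructed samples.

```python
# Constructed IIS W3C log excerpt in the layout Exchange front-end logs use.
# W3C logging replaces spaces inside field values with '+', so whitespace splits cleanly.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-02-16 09:01:12 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 10.0.2.15 Microsoft+Office/16.0 200
2024-02-16 09:03:40 10.0.0.5 POST /Autodiscover/Autodiscover.xml - 443 CORP\\alice 10.0.2.15 Microsoft+Office/16.0 200
2024-02-16 09:05:02 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\alice 203.0.113.77 python-requests/2.31 200
2024-02-16 09:05:09 10.0.0.5 GET /owa/ - 443 - 203.0.113.80 Mozilla/5.0 401
2024-02-16 09:06:33 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\bob 10.0.2.40 Microsoft+Office/16.0 200
"""

# Constructed baseline of where, and with what client, each user normally authenticates.
BASELINE = {
    "CORP\\alice": {"ips": {"10.0.2.15"}, "agents": {"Microsoft+Office/16.0"}},
    "CORP\\bob": {"ips": {"10.0.2.40"}, "agents": {"Microsoft+Office/16.0"}},
}

# Endpoints a relayed NTLM credential would typically be used against.
WATCHED_PREFIXES = ("/ews/", "/autodiscover/")

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def find_anomalies(text, baseline):
    """Return (user, c-ip, user-agent, reason) tuples for authenticated
    EWS/Autodiscover requests that fall outside the user's baseline."""
    hits = []
    for rec in parse_w3c(text):
        user = rec["cs-username"]
        if user == "-" or not rec["cs-uri-stem"].lower().startswith(WATCHED_PREFIXES):
            continue  # unauthenticated, or not a relay-relevant endpoint
        known = baseline.get(user)
        reasons = []
        if known is None or rec["c-ip"] not in known["ips"]:
            reasons.append("new source ip")
        if known is None or rec["cs(User-Agent)"] not in known["agents"]:
            reasons.append("new user agent")
        if reasons:
            hits.append((user, rec["c-ip"], rec["cs(User-Agent)"], ", ".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_LOG, BASELINE):
        print(hit)
```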

Key Details

Property              Value
CVE ID                CVE-2024-21410
Vendor / Product      Microsoft — Exchange Server
NVD Published         2024-02-13
NVD Last Modified     2025-10-28
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-287
CISA KEV Added        2024-02-15
CISA KEV Deadline     2024-03-07
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector        Network
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Unchanged
Confidentiality      High
Integrity            High
Availability         High

Required Action

CISA BOD 22-01 Deadline: 2024-03-07. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2024-02-13  Microsoft February 2024 Patch Tuesday; Exchange Server 2019 CU14 released with EPA enabled by default
2024-02-15  CISA adds to KEV (2 days after patch)
2024-03-07  CISA BOD 22-01 remediation deadline