Exchange 2019 CU14 Fixes Exploits in the Wild


With all the attention and noise focused on the Microsoft cloud, it's easy to forget sometimes that there's still a substantial fleet of on-premises servers running SharePoint and Exchange. Despite the spotlight being on the cloud, the engineering teams at Microsoft still work on on-premises Exchange, the latest evidence being the release of cumulative update 14 for Exchange Server 2019 on 13 February 2024. This update, officially known as the "2024 H1 Cumulative Update for Exchange Server," fixes several bugs, but more importantly, contains a fix for a serious security issue that's being exploited in the wild.

Extended Protection Rides Again

Back in September 2022, I wrote about Exchange adding support for Windows Extended Protection (EP). To briefly recap, EP is a Windows feature that improves Windows' built-in authentication functionality for IIS web apps (including Exchange) by adding an additional channel binding token (CBT) to protect against adversary-in-the-middle (AitM) attacks, where an attacker sits between the source system and a target system, intercepting, modifying, and/or replaying requests from the source. At the time of that article, EP could be enabled for Exchange by using a set of Microsoft scripts, but initial uptake seemed fairly low. In August 2023, Microsoft forewarned its installed base that when Exchange 2019 CU14 was released, Microsoft would default to enabling EP when CU14 was installed on an Exchange server. Now CU14 is here.

CVE-2024-21410 is a Serious Vulnerability

While not a perfect rule, it's a safe bet that most security issues serious enough to be given a CVE number are worth immediate attention. When Microsoft issues a CVE number, it's a recognition that a vulnerability exists; the associated CVSS severity score tells you how serious the vulnerability is. In this case, the CVSS score is 9.8 of a possible 10.0, so it's well worth your time to mitigate.

The vulnerability here is that an attacker can mount an escalation-of-privilege (EOP) attack by capturing NTLM credentials and replaying them against an Exchange server. This is a fairly classic AitM attack, one that can be blocked in two ways: you can stop the credential theft on the client side, or you can harden the server so that it ignores the replayed credentials. The EP subsystem takes the latter approach, but Microsoft has a guide to mitigating hash-based replay attacks that has some useful guidance for protecting the client. This attack gets a 9.8 because it's easy to conduct, can be carried out over a network, doesn't require the attacker to have any privileges, and doesn't require a targeted user to take any action. A successful attack lets the attacker impersonate the victim to the Exchange server, meaning the attacker can send, read, or delete items in the user's Exchange mailbox, or take administrative actions if the victim account has administrative privileges.

In this case, Microsoft requested this CVE number in December 2023, but they didn't assign it to a specific issue until February 13, 2024. This assignment, and the resulting disclosure, are because Microsoft detected signs that this vulnerability was being exploited in the wild. Despite Microsoft releasing EP support 16 months ago, there were enough unprotected servers to allow a large enough number of successful attacks for Microsoft to notice. Although they haven't publicly said so, this is likely because there are easy-to-use automated attack tools circulating.

Enabling EP with CU14

It's important to note that all CU14 does is apply EP by default when you install it. You can do this manually using the ExchangeExtendedProtectionManagement.ps1 script. In fact, you may already have enabled EP with this script, and you may still need to do so to enable EP on your Exchange 2016 servers (if any) after upgrading those servers to CU23.

CU14 doesn't check to see whether your organization is ready to support EP. You still need to run the Exchange Server Health Checker script to verify that your organization (and servers) can support the enablement of EP, and even then, there are some caveats:

  • If you have public folders on Exchange 2016 CU22 or older, Exchange 2019 CU11 or older, or any version of Exchange 2013: first, you should be ashamed of your lack of patching. Second, you cannot deploy EP anywhere or it will break public folder access everywhere; you'll need to move your public folders to Exchange 2016 CU23 or Exchange 2019 CU14 (and decommission any Exchange 2013 servers if they're still around).
  • If you use SSL offloading on a load balancer, you must switch to using SSL bridging. Bridging will only work if you use the same TLS certificate on the IIS front end and the load balancer.
  • If you have SSL offloading for Outlook Anywhere enabled, the CU14 installer will turn it off for you.
  • If you use the Modern Hybrid agent to publish Exchange to the Internet, you'll need to disable EP on the Exchange servers that are also published.

If you just run the Exchange CU14 setup utility in GUI mode, or use the command-line version of Setup with its defaults, the installer will enable EP on that server only. This is a change from the ExchangeExtendedProtectionManagement script, which will enable EP on every Exchange server it can find on the network. You can disable EP for the entire server with the /DoNotEnableEP switch, or just for the EWS front-end directory with the /DoNotEnableEP_FEEWS switch. The only known reason to use /DoNotEnableEP_FEEWS is when updating a server that's published via the Modern Hybrid agent.

Validation and Checkout

Microsoft has a list of Exchange features that may break after enabling EP, but the list has not changed since the original introduction of EP support. If you pay attention to the bullets in the previous section, you're unlikely to run into problems. However, after updating all Exchange 2019 servers in the organization to CU14, you should run the ExchangeExtendedProtectionManagement script with the -ShowExtendedProtection switch to validate that all the updated servers are correctly configured with EP enabled.
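For a second opinion on a single server, independent of Microsoft's script, the following added example (not from the article or from ExchangeExtendedProtectionManagement.ps1) reads the IIS Extended Protection setting directly from each Exchange virtual directory. It assumes the IIS WebAdministration module is present, the default site names "Default Web Site" and "Exchange Back End" are in use, and that the vdir lists below match your build; adjust them if your deployment differs.

```powershell
# Added example: report the IIS Extended Protection "tokenChecking" value
# (None, Allow or Require) for each Exchange vdir on the local server.
# Assumed site names and vdir lists; verify against your own deployment.
Import-Module WebAdministration

$frontEndVdirs = 'API', 'Autodiscover', 'ECP', 'EWS', 'MAPI',
                 'Microsoft-Server-ActiveSync', 'OAB', 'Powershell', 'RPC'
$backEndVdirs  = 'API', 'Autodiscover', 'ECP', 'EWS', 'mapi\emsmdb', 'mapi\nspi',
                 'Microsoft-Server-ActiveSync', 'OAB', 'Powershell', 'PushNotifications', 'RPC'

function Get-ExchangeEpStatus {
    param([string]$Site, [string[]]$Vdirs)
    foreach ($vdir in $Vdirs) {
        $path = "IIS:\Sites\$Site\$vdir"
        if (-not (Test-Path $path)) {
            # A vdir that is not present is reported rather than silently skipped.
            [pscustomobject]@{ Site = $Site; Vdir = $vdir; TokenChecking = 'MISSING' }
            continue
        }
        # extendedProtection sits under windowsAuthentication in applicationHost.config.
        $ep = Get-WebConfiguration -PSPath $path `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        [pscustomobject]@{ Site = $Site; Vdir = $vdir; TokenChecking = [string]$ep.tokenChecking }
    }
}

$results = @(Get-ExchangeEpStatus -Site 'Default Web Site' -Vdirs $frontEndVdirs) +
           @(Get-ExchangeEpStatus -Site 'Exchange Back End' -Vdirs $backEndVdirs)

$results | Format-Table -AutoSize

# "None" (or a missing vdir) means neither CU14 nor the script has applied EP there.
# Whether a given vdir should be Allow or Require is defined in Microsoft's per-vdir
# table, so compare Allow values against that table before treating them as findings.
$notEnabled = $results | Where-Object { $_.TokenChecking -in 'None', 'MISSING' }
if ($notEnabled) {
    Write-Warning ('Extended Protection not enabled on: ' +
        (($notEnabled | ForEach-Object { "$($_.Site)/$($_.Vdir)" }) -join ', '))
} else {
    Write-Host 'Extended Protection is set (Allow or Require) on every checked vdir.'
}
```

Run it in an elevated PowerShell session on each updated server; it only reads configuration and changes nothing.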

Enabling EP by default is a long-overdue security improvement; Microsoft has given its customers plenty of advance warning of this change, as well as ample documentation of why it's important. Don't postpone the upgrade.
