Threat Advisory: Microsoft Exchange Server Vulnerability

As part of our 24×7 threat intelligence activities, our experts have noted a critical vulnerability compromising the 3CX desktop app.

CVE-2024-21410 – CVSS Score 9.8 – Critical

This is a security threat advisory impacting Microsoft Exchange servers. The vulnerability (CVE-2024-21410) is rated as Critical (CVSS 9.8) and allows a remote attacker to relay leaked credentials against an email client to gain privileges to act as an authorised user.

Affected vendors: Microsoft

Affected resource: Exchange servers 2016 & Exchange Servers 2019

What versions of Exchange are impacted?

The vulnerability impacts the following versions of Exchange Server where Windows Extended Protection is not enabled:

• Exchange servers 2016
• Exchange Servers 2019

For Exchange Server 2019, Windows Extended Protection is enabled by default from Cumulative Update 14 or later (version 15.2.1544.04 or greater).

For Exchange Server 2016, Windows Extended Protection is available from Cumulative Update 23 or later (version 15.1.2507.6 or greater), however is NOT enabled by default. It can be enabled using the ExchangeExtendedProtectionManagement.ps1 script from Microsoft as described below:

Exchange Server support for Windows Extended Protection | Microsoft Learn

How do I confirm if I am exposed?

We recommend that you take the following steps to confirm if you are exposed to this vulnerability.

Exchange 2019

• Run the following PowerShell cmdlet in the Exchange Management Shell to retrieve your build number:
  Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
• Ensure that the build number is greater than 15.2.1544.04.
• If the build number is lower than 15.2.1544.04 then your installation of Exchange 2019 is not on cumulative update 14 or higher and is potentially vulnerable
• If the build number is 15.2.1544.04 or higher, confirm that Windows Extended Protection is enabled by running the latest version of the Exchange HealthChecker.ps1 script from the following location:
  HealthChecker – Microsoft – CSS-Exchange
  Note: The script should be run from the Exchange Management Shell. Please see the advice at the link above.
• From the output file you can confirm if Extended Protection is Enabled

Exchange 2016

• Run the following PowerShell cmdlet in the Exchange Management Shell to retrieve your build number:
  Get-ExchangeServer | Format-List Name,Edition,AdminDisplayVersion
• Ensure that the build number is greater than 15.1.2507.6. If the build number is lower, then your installation of Exchange Server does not support Windows Extended Protection and is vulnerable.
• If the build number is 15.1.2507.6 or higher, confirm that Windows Extended Protection is enabled by running the latest version of the Exchange HealthChecker.ps1 script from the following location:
  HealthChecker – Microsoft – CSS-Exchange
  Note: The script should be run from the Exchange Management Shell. Please see the advice at the link above.
• From the output file you can confirm if Extended Protection is Enabled

What do I do if Exchange Server is vulnerable?

Exchange Server 2019

Update vulnerable servers to Exchange Server 2019 Cumulative Update 14 or higher.
Exchange Server build numbers and release dates | Microsoft Learn

Windows Extended Protection will be enabled by default but you can confirm the presence of this setting by using the advice above to run the Exchange HealthChecker script.

Exchange 2016

Update vulnerable servers to Exchange Server 2016 Cumulative Update 23 and security update if not on this version already

Then enable Windows Extended Protection by running the ExchangeExtendedProtectionManagement.ps1 script from Exchange Server support for Windows Extended Protection | Microsoft Learn

If you require any assistance, please do not hesitate to get in contact.