How to find Microsoft Exchange Servers on your network


Latest Microsoft Exchange Server vulnerability #

As part of its updates released on February 13, 2024, Microsoft has disclosed a vulnerability in Microsoft Exchange that would allow attackers to authenticate to Microsoft Exchange servers using a captured NTLM hash (a so-called “pass-the-hash” vulnerability). This would allow an attacker to authenticate to an Exchange server as any user for whom the attacker passed a valid NTLM hash.

NTLM authentication is an authentication mechanism used by Microsoft Windows and related products that uses a challenge-response protocol to avoid transmitting user passwords directly across the network. A “pass-the-hash” vulnerability is a form of credential reuse vulnerability, where an attacker who posesses a hashed form of a victim’s password can use that hash directly for authentication. Microsoft’s Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft discusses this sort of vulnerability in detail.

This vulnerability, tracked as CVE-2024-21410, has a CVSS score of 9.1, indicating a critical vulnerability. Note that Microsoft has indicated that there is limited evidence that this vulnerability has been exploited in the wild.

What is the impact? #

Upon successful exploitation of this vulnerability, an attacker would be able use a compromised NTLM hash to log into an Exchange server as a different user, with all of the privileges of that user.

Are updates or workarounds available? #

Enabling Extended Protection will mitigate this vulnerability.

Additionally, Microsoft has released a mitigtation as part of the 2024 H1 cumulative update for Exchange Server.

How do I find Exchange servers with runZero? #

From the Services Inventory, use the following query to locate potentially vulnerable assets your network that may need remediation or mitigation:

product:"Exchange Server"
The prebuilt query is available in the Queries Library

You can also check out our Queries Library for other useful inventory queries.

September 2022 vulnerabilities #

On September 30, 2022, GTSC, a Vietnamese security firm, discovered two zero-day vulnerabilities that affected Microsoft Exchange Servers 2013, 2016, and 2019. These two vulnerabilities were tracked as CVE-2022-41040 and CVE-2022-41082. According to Microsoft, they were aware of "limited targeted attacks using the two vulnerabilities to get into users' systems." In order for attackers to successfully exploit the vulnerabilities, they must have authenticated access to the vulnerable Microsoft Exchange Server.

What was the impact? #

The first vulnerability, CVE-2022-41040, was a Server-Side Request Forgery (SSRF) vulnerability. The second vulnerability, CVE-2022-41082, allowed remote code execution (RCE) when the attacker had access to PowerShell. According to GTSC, it appeared that attackers could exploit the vulnerabilities to place webshells on exploited systems and set the stage for post-exploitation activities.

On November 8, 2022, Microsoft released security updates for CVE-2022-41040 and CVE-2022-41082. According to their guidance at the time, Microsoft Exchange Online Customers did not need to take any action. However, on-premises Microsoft Exchange customers were advised to take action by reviewing and applying Microsoft's mitigation steps on URL Rewrite Instructions and block exposed Remote PowerShell ports.

Written by Rob King

Rob King is the Director of Security Research at runZero. Over his career Rob has served as a senior researcher with KoreLogic, the architect for TippingPoint DVLabs, and helped get several startups off the ground. Rob helped design SC Magazine's Data Leakage Prevention Product of the Year for 2010, and was awarded the 3Com Innovator of the Year Award in 2009. He has been invited to speak at BlackHat, Shmoocon, SANS Network Security, and USENIX.

More about Rob King
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find PKIX-SSH services on your network
A fork of OpenSSH called PKIX-SSH was impacted by the recently discovered regreSSHion vulnerability. Here's how to find impacted services on your...
Rapid Response
How to find Westermo devices on your network
Westermo has disclosed several vulnerabilities regarding their Lynx Industrial Ethernet switches. Here's how to find them on your network.
Rapid Response
How to find Kaspersky products with runZero
The US government has banned the sale of Kaspersky products and services. Here's how to find Kaspersky products in your network.
Rapid Response
How to find Microsoft Message Queuing (MSMQ) servers on your network
A new pre-auth use-after-free vulnerability in the Microsoft Message Queuing (MSMQ) service is rated critical. Find impacted systems now with runZero.

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved