nessus · This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof. · SMB_NT_MS24_FEB_EXCHANGE.NASL
HistoryFeb 13, 2024 - 12:00 a.m.

Security Updates for Microsoft Exchange Server (February 2024)

2024-02-13 00:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
189
microsoft exchange server
security update
cve-2024-21410
vulnerability
kb5035606

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.9

Confidence

High

EPSS

0.083

Percentile

94.5%

The Microsoft Exchange Server installed on the remote host is missing a security update. It is, therefore, affected by a vulnerability as referenced in the February 2024 security bulletin.

  • Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410)

While Exchange Server 2016 is included in the advisory as an affected product, no patch has been issued for mitigation, and no version is documented as including a fix for the vulnerability. Microsoft recommends users enable Extended Protection for Authentication (EPA) to protect against the vulnerability.

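Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number. For Exchange Server 2016, the script below also reads the ExtendedProtection registry value and does not report the host when that value is 1.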

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

# Plugin metadata. This branch runs only when `description` is set: it registers
# the plugin's identifiers, references, scoring and prerequisites, then exits
# before any host check is performed.
if (description)
{
  script_id(190473);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/09/11");

  # Cross-references: the CVE, the Microsoft bulletin and KB article, the CISA
  # Known Exploited Vulnerabilities listing and the IAVA notice.
  # NOTE(review): the CISA-KNOWN-EXPLOITED value is a date; presumably the KEV
  # remediation due date - confirm against the catalog entry.
  script_cve_id("CVE-2024-21410");
  script_xref(name:"MSFT", value:"MS24-5035606");
  script_xref(name:"MSKB", value:"5035606");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2024/03/07");
  script_xref(name:"IAVA", value:"2024-A-0088-S");

  script_name(english:"Security Updates for Microsoft Exchange Server (February 2024)");

  script_set_attribute(attribute:"synopsis", value:
"The Microsoft Exchange Server installed on the remote host is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Microsoft Exchange Server installed on the remote host is missing a security update. It is, therefore, affected by a
vulnerability as referenced in the Feb, 2024 security bulletin.

  - Microsoft Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410)

While Exchange Server 2016 is included in the advisory as an affected product, no patch has been issued for mitigation,
and no version is documented as including a fix for the vulnerability. Microsoft recommends users enable Extended
Protection for Authentication (EPA) to protect against the vulnerability.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # NOTE(review): the solution text names only KB5035606. The description above
  # states that Exchange Server 2016 has no patch and depends on enabling EPA,
  # so a reader of the solution field alone does not see the 2016 guidance.
  script_set_attribute(attribute:"solution", value:
"Microsoft has released the following security updates to address this issue:
  -KB5035606");
  # https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-21410
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?18dfb6b3");
  # CVSS v2 and v3 base/temporal vectors, with the score attributed to the CVE.
  # The temporal vectors record a functional exploit (E:F), an official fix
  # (RL:OF / RL:O) and a confirmed report (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-21410");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/13");

  # Declared as a "local" plugin covering Exchange Server 2016 and 2019.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server:2016");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:exchange_server:2019");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the two dependency scripts must be scheduled first, the
  # "SMB/MS_Bulletin_Checks/Possible" KB key must be present, and SMB (139/445)
  # or the patch-management KB item must be available.
  script_dependencies("ms_bulletin_checks_possible.nasl", "microsoft_exchange_installed.nbin");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  # Metadata registration ends here; no check logic runs in this mode.
  exit(0);
}

include('vcf.inc');
include('vcf_extras_microsoft.inc');

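# Stop unless the "SMB/Registry/Enumerated" KB item is present.
get_kb_item_or_exit("SMB/Registry/Enumerated");

var app_info = vcf::microsoft::exchange::get_app_info();
var value;
var hklm;
var epa = "SOFTWARE\Microsoft\ExchangeServer\v15\RPC\VirtualDirectories\Server\Authentication\ExtendedProtection";

# No patch available for Exchange Server 2016 - remediation is only accomplished by enabling EPA.
# For release '151' the ExtendedProtection registry value is read; when it equals 1
# the host is audited out as not vulnerable, otherwise the script continues to the
# version comparison that follows.
#
# NOTE(review): only this single value under the RPC virtual-directory key is read.
# Whether it reflects Extended Protection on every Exchange virtual directory cannot
# be determined from this script - confirm against Microsoft's EPA guidance before
# treating the audit result as proof of mitigation.
if (app_info['RELEASE'] == '151')
{
  registry_init();
  hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);
  value = get_registry_value(handle:hklm, item:epa);

  # Release the hive handle and the registry connection before evaluating the
  # result: audit() ends the script, so cleanup placed after it would never run
  # on the "EPA enabled" path.
  RegCloseKey(handle:hklm);
  close_registry();

  dbg::detailed_log(lvl:1, msg:"Registry value found: " + value);

  # A missing or empty value is treated as "EPA not enabled" and falls through.
  if (!empty_or_null(value) && value == 1)
    audit(AUDIT_INST_VER_NOT_VULN, 'Exchange Server 2016 with EPA enabled');
}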

# Version constraints handed to the Exchange version check, one entry per
# cumulative update (CU). Both Exchange Server 2019 entries share the same
# fixed_version and KB number.
var constraints = [
  # Exchange Server 2019, CU13
  {
    'fixed_version'  : '15.2.1544.4',
    'product'        : '2019',
    'cu'             : 13,
    'unsupported_cu' : 12,
    'kb'             : '5035606'
  },
  # Exchange Server 2019, CU14
  {
    'fixed_version'  : '15.2.1544.4',
    'product'        : '2019',
    'cu'             : 14,
    'unsupported_cu' : 12,
    'kb'             : '5035606'
  },
  # Exchange Server 2016, CU23: no 'kb' key, and the displayed fix is the vendor
  # advisory. NOTE(review): 15.1.9999.9 looks like a placeholder upper bound so
  # that any CU23 build reaching this point is reported - confirm against the
  # vcf constraint semantics.
  {
    'fixed_display'  : 'See vendor advisory',
    'fixed_version'  : '15.1.9999.9',
    'product'        : '2016',
    'cu'             : 23,
    'unsupported_cu' : 22
  }
];

# Compare the detected install against the constraints and report under
# bulletin MS24-02 with SECURITY_HOLE severity.
vcf::microsoft::exchange::check_version_and_report(app_info:app_info, bulletin:'MS24-02', constraints:constraints, severity:SECURITY_HOLE);
