Forum Discussion
THE_BLUE
Cirrostratus
CirrostratusCVE-2024-21410
does F5 has mitigation for CVE-2024-21410 ? based on microsoft document we must disble ssl offloding with load balancer , as below SSL Offloading scenarios Extended Protection isn't supported in...
Daniel_Wolf
MVP
MVPGood to know, Juergen. Looking at the linked Microsoft article it says:
"Extended Protection is supported in environments that use SSL Bridging under certain conditions. To enable Extended Protection in your Exchange environment using SSL Bridging, you must use the same SSL certificate on Exchange and your Load Balancers. Using different certificates cause Extended Protection Channel Binding Token check to fail and as a result, prevent clients from connecting to the Exchange server."
That seems feasible, to have the same cert on both ends. That should at least do for satisfying the requirements for the Channel Binding Token to work.
Do you have any insights why it is not supported? Cannot find the RFE here: https://my.f5.com/manage/s/bug-tracker.
Neither by ID 758880 nor by searching for the term "extended protection".
Thx in advance.
Juergen_MangMVP
MVPI have tried using the same certificate on both ends and it has not worked. I opened a ticket and the support gave me the mentioned bug id and RFE. It seems these are only F5 internally accessible.
I had unfortunately no time to debug into this issue further. My customer decided to move forward to modern authentication, disabling NTLM completely and do not invest time and money in legacy authentication mechanisms.
Unfortunately I have no access to Exchange LAB environment. Digging into this issue deeper would be very interesting!
Edit:
This is interesting: https://www.synacktiv.com/en/publications/dissecting-ntlm-epa-with-love-building-a-mitm-proxy.html
With enough time it should be feasible with an iRule.