
Microsoft discloses unpatched Office flaw that exposes NTLM hashes

Updated with additional information from Microsoft.

Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker.

Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information.

The zero-day impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Even though Microsoft's exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly likely.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft's advisory explains.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”


The company is developing security updates to address this zero-day bug but has yet to announce a release date.

Since publishing this article, Microsoft shared more information about the CVE-2024-38200 flaw in the advisory, stating that it released a fix through Feature Flighting on 7/30/2024.

“No, we identified an alternate fix to this issue that we enabled via Feature Flighting on 7/30/2024,” reads the updated CVE-2024-38200 advisory.

“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.”

The advisory further states that this flaw can be mitigated by blocking outbound NTLM traffic to remote servers.

Microsoft says outbound NTLM traffic can be blocked using three methods described in the advisory.

Microsoft notes that using any of these mitigations could prevent legitimate access to remote servers that rely on NTLM authentication, so the block should be tested before it is enforced.
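The outbound NTLM block Microsoft recommends is safer to stage than to switch on blindly. The script below is an added example for this article, not code from Microsoft's advisory: it sets the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy to Audit through its registry value, summarizes what Deny mode would have blocked from the NTLM/Operational event log, and then enforces Deny with an exception list for servers that legitimately still need NTLM, with an optional firewall rule for TCP 445 to the Internet as a second layer. The registry value, event ID and firewall address keyword are the documented Windows ones; the server names are placeholders.

```powershell
# Added example, not code from Microsoft's advisory: stage the outbound NTLM restriction
# through its registry value, audit first so legitimate NTLM dependencies surface, then enforce.
# Run in an elevated PowerShell session. Host names below are placeholders.

$PolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'RestrictSendingNTLMTraffic'   # 0 = Allow all, 1 = Audit all, 2 = Deny all

function Set-OutboundNtlmMode {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        [string[]]$AllowedServers = @()      # servers that may still receive NTLM once in Deny mode
    )
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    if ($AllowedServers.Count -gt 0) {
        # Exception list behind "Add remote server exceptions for NTLM authentication"
        New-ItemProperty -Path $PolicyKey -Name 'ClientAllowedNTLMServers' -PropertyType MultiString `
            -Value $AllowedServers -Force | Out-Null
    }
    Write-Host "Outbound NTLM mode set to $Mode ($ValueName = $value)"
}

function Get-OutboundNtlmAuditEvents {
    param([int]$Days = 7)
    # In Audit mode every outgoing NTLM authentication that Deny mode would block is logged as
    # event 8001 in Microsoft-Windows-NTLM/Operational. Summarise by target so unexpected
    # destinations (an Internet host reached via an SMB path inside a document, for instance) stand out.
    $filter = @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # Data element names below are assumed from the 8001 event schema; confirm with
        # (Get-WinEvent -LogName Microsoft-Windows-NTLM/Operational -MaxEvents 1).ToXml() on your build.
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Target  = $data['TargetName']
            User    = $data['UserName']
            Process = $data['ProcessName']
        }
    } | Group-Object Target | Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'Target'; Expression = { $_.Name } },
                      @{ Name = 'Processes'; Expression = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } }
}

function Block-OutboundSmbToInternet {
    # Complementary network-level block: if TCP 445 never leaves the network, a document
    # pointing at an Internet SMB share cannot trigger NTLM authentication at all.
    # 'Internet' is the firewall's built-in address keyword (it relies on network location awareness).
    New-NetFirewallRule -DisplayName 'Block outbound SMB (TCP 445) to Internet' -Direction Outbound `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
}

# Rollout: audit, review destinations for a week, then enforce with exceptions for known-good servers.
Set-OutboundNtlmMode -Mode Audit
Get-OutboundNtlmAuditEvents -Days 7 | Format-Table -AutoSize
# Set-OutboundNtlmMode -Mode Deny -AllowedServers 'fileserver01.corp.example', 'legacy-app.corp.example'
# Block-OutboundSmbToInternet
```

Audit for long enough to cover your monthly or quarterly jobs before moving to Deny. Any Target in the summary that is not part of your estate is precisely the kind of destination an attacker's SMB share would appear as; anything that is part of your estate should either move to Kerberos or go on the exception list, which is the trade-off Microsoft's caveat about legitimate access refers to.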


While Microsoft did not share any further details about the vulnerability, this guidance indicates the flaw can be used to force an outbound NTLM connection, such as to an SMB share on an attacker's server.

When this happens, Windows automatically authenticates the user to the remote server, sending an NTLM challenge-response (in practice a Net-NTLMv2 response derived from the user's password hash) that the attacker can capture.

As demonstrated repeatedly in the past, these captured responses can be cracked offline, allowing threat actors to recover login names and plaintext passwords.

Captured NTLM authentication can also be relayed in NTLM relay attacks, as previously seen with the ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0 attacks, to gain access to other resources on a network.

More details to be shared at Defcon

Microsoft attributed the discovery of the flaws to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir.

PrivSec's Managing Director Peter Jakowetz told BleepingComputer that Rush will disclose more information about this vulnerability in his upcoming “NTLM – The last ride” Defcon talk.


“There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs,” Rush explains.

“We'll also uncover some defaults that simply shouldn't exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls.”

A Synack spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today for more details regarding the CVE-2024-38200 vulnerability.

Microsoft is also working on patching zero-day flaws that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.

The company also said earlier this week that it is considering patching a Windows Smart App Control and SmartScreen bypass exploited since 2018.

Update 8/10/24: Added more information from Microsoft about mitigating the flaw.
