Microsoft has warned of a vulnerability affecting various versions of Office that could expose NTLM hashes to a remote attacker.
The issue has been given the identifier CVE-2024-38200 and is described as an information disclosure vulnerability that allows unauthorized parties to gain access to protected data. The bug reportedly affects several 32- and 64-bit versions of Office, including Office 2016, Office 2019, Office LTSC 2021 and Microsoft 365 Apps for Enterprise.
While Microsoft considers exploitation of CVE-2024-38200 to be unlikely, MITRE assesses the issue differently and warns that the likelihood of exploitation of these types of vulnerabilities is usually high.
What is NTLM authentication?
NTLM is an authentication protocol used to verify that a user is who they say they are, based on the user's credentials. When a PC within Active Directory accesses another computer, the credentials are first sent to the domain controller using the NTLM protocol, and access is then either denied or granted.
“In the case of a web-based attack, an attacker could create a website (or use a compromised site that accepts and hosts user-submitted content) that contains a specially crafted file designed to exploit the vulnerability,” Microsoft reports. “The attacker would then have to convince the user to click on the link (usually through an email or messenger message) and then convince the user to open the specially crafted file.”
Microsoft representatives said that the company is already developing patches to address the bug, but no release date has been given yet. However, a temporary fix released as part of Feature Flighting 7/30/2024 is available to users.
“Users of all supported versions of Microsoft Office and Microsoft 365 are already protected. Users should upgrade to the August 13, 2024 update to receive the fix,” the developers report.
The company also notes that you can protect against CVE-2024-38200 by blocking outbound NTLM traffic to remote servers, although this may prevent legitimate access to remote servers that use NTLM authentication.
While Microsoft has not yet disclosed any additional details about the vulnerability, a bulletin published by the company indicates that the issue could be exploited to force an NTLM connection to, for example, an SMB share on an attacker's server. In such cases, Windows passes the user's NTLM hashes, including a hashed password that attackers can steal.
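Because blocking outbound NTLM can break legitimate access, the setting is usually put in audit mode first and the resulting log reviewed. The PowerShell below is an added example, not Microsoft's code: it reports the current outgoing NTLM policy on a host and summarises audited outbound NTLM attempts by destination and process. The event field names `TargetName` and `ProcessName` are assumptions about the event's data layout.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session.
# Registry value behind the Group Policy setting
# "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers":
#   0 = Allow all, 1 = Audit all, 2 = Deny all (absent is treated as Allow all)
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$modes  = @{ 0 = 'Allow all'; 1 = 'Audit all'; 2 = 'Deny all' }

$cfg  = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
$mode = if ($null -ne $cfg.RestrictSendingNTLMTraffic) { [int]$cfg.RestrictSendingNTLMTraffic } else { 0 }
Write-Output "Outgoing NTLM policy: $mode ($($modes[$mode]))"

# Servers exempted from the restriction (REG_MULTI_SZ, may be absent).
$allowed = @($cfg.ClientAllowedNTLMServers | Where-Object { $_ })
Write-Output "Exempted servers: $(if ($allowed) { $allowed -join ', ' } else { '(none)' })"

# With 'Audit all' set, outgoing NTLM attempts are logged as event 8001 in the
# NTLM operational log. Field names below (TargetName, ProcessName) are assumed
# from the event's EventData; adjust if your build names them differently.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001
} -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Target  = $data['TargetName']
        Process = $data['ProcessName']
    }
}

# Summarise by destination and calling process, most frequent first.
$rows | Group-Object Target, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Destinations that turn out to be legitimate can be added to the exemption list before the policy is switched to deny; unexpected external destinations reached from Office processes are the ones to investigate.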