Unpatched MS Office flaw may leak NTLM hashes to attackers (CVE-2024-38200)
A new MS Office zero-day vulnerability (CVE-2024-38200) can be exploited by attackers to grab users’ NTLM hashes, Microsoft has shared late last week.
The vulnerability is exploitable remotely and requires no special privileges or user interaction to be triggered.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” the company said.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
About CVE-2024-38200
Privately reported to Microsoft by cybersecurity researchers Jim Rush of PrivSec Consulting and Metin Yunus Kandemir with Synack’s Red Team, CVE-2024-38200 is categorized as a spoofing vulnerability.
Once attackers get a victim’s NTLM hash, they can relay it to another service and authenticate as the victim (i.e., perform an authentication relay attack).
Microsoft went public with the flaw despite not having a definitive fix ready yet because Rush and colleague Tomais Williamson were scheduled to talk about it at DEF CON on Saturday.
Fixes and mitigations
CVE-2024-38200 affects the 64-bit and 32-bit editions of:
- Microsoft Office 2016
- Microsoft Office 2019
- Microsoft Office LTSC 2021, and
- Microsoft 365 Apps for Enterprise
Final fixes for those will be ready tomorrow, on August 2024 Patch Tuesday.
But users aren’t vulnerable to exploitation because Microsoft has implemented an alternative fix via Feature Flighting on July 30, 2024. (Feature Flighting is a process for rolling out specific product features in a controlled way, via feature flags.)
“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365,” Microsoft said, but urged them to “still update to the August 13, 2024 updates for the final version of the fix.”
The company has also outlined several mitigating factors, which include: restricting outgoing NTLM traffic to remote servers, adding users to the Protected Users security group, and blocking outbound TCP port 445 traffic.
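The three mitigations above map to concrete Windows settings. The script below is an added example, not code from the article or from Microsoft: it audits the current state of each mitigation on a host and, with the script's own `-Apply` switch (a hypothetical parameter, as is `-UsersToProtect`), applies the ones that are missing. It assumes an elevated PowerShell session; the Protected Users step additionally assumes the RSAT ActiveDirectory module on a domain-joined admin host.

```powershell
# Added example; not from the article or Microsoft. Audits and optionally applies the
# mitigations listed in the advisory. -Apply and -UsersToProtect are this script's own
# (hypothetical) parameters.
[CmdletBinding()]
param(
    [switch]$Apply,
    [string[]]$UsersToProtect = @()   # sAMAccountNames to place in Protected Users
)

$findings = @()

# --- 1. Restrict outgoing NTLM traffic to remote servers ---------------------
# Backs the policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
# Values: 0 = allow all (default), 1 = audit all, 2 = deny all (server exception list still honoured).
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $ntlm) { $ntlm = 0 }   # absent value means the default: allow all
switch ($ntlm) {
    2       { $findings += 'Outgoing NTLM: DENY (mitigated)' }
    1       { $findings += 'Outgoing NTLM: AUDIT only; hashes still leave the host (see Microsoft-Windows-NTLM/Operational log)' }
    default { $findings += 'Outgoing NTLM: ALLOWED (not mitigated)' }
}
if ($Apply -and $ntlm -ne 2) {
    # Run with 1 (audit) first in production: 2 breaks any client that still needs NTLM to reach a server.
    Set-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic -Value 2 -Type DWord
    $findings += 'Outgoing NTLM: set to DENY'
}

# --- 2. Block outbound TCP 445 ---------------------------------------------
# Removes the SMB path over which an NTLM exchange would otherwise leave the host.
# In practice scope the rule with -RemoteAddress so that internal file servers keep working.
$ruleName = 'Block outbound SMB TCP 445 (NTLM leak mitigation)'   # constructed rule name
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule -and $rule.Enabled -eq 'True' -and $rule.Action -eq 'Block') {
    $findings += 'Outbound TCP 445: BLOCKED by this rule'
} else {
    $findings += 'Outbound TCP 445: not blocked by this rule'
    if ($Apply) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Action Block -Profile Any | Out-Null
        $findings += 'Outbound TCP 445: block rule created'
    }
}

# --- 3. Protected Users group ----------------------------------------------
# Members cannot authenticate with NTLM at all (and lose RC4/DES, delegation and long TGT lifetimes),
# so a hash captured for such an account cannot be relayed. Requires the ActiveDirectory module.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = (Get-ADGroupMember -Identity 'Protected Users').SamAccountName
    foreach ($u in $UsersToProtect) {
        if ($members -contains $u) {
            $findings += "Protected Users: $u already a member"
        } elseif ($Apply) {
            Add-ADGroupMember -Identity 'Protected Users' -Members $u
            $findings += "Protected Users: added $u"
        } else {
            $findings += "Protected Users: $u is NOT a member"
        }
    }
} else {
    $findings += 'Protected Users: ActiveDirectory module not available on this host; skipped'
}

$findings | ForEach-Object { Write-Output $_ }
```

Run it without `-Apply` first to see where a host stands (for example `.\Audit-NtlmMitigations.ps1 -UsersToProtect alice,bob`), then with `-Apply` once the side effects are understood: denying all outgoing NTLM and blocking TCP 445 outright will break access to any file server or legacy service that still relies on NTLM or SMB, so the NTLM audit mode and a scoped `-RemoteAddress` on the firewall rule are the usual intermediate steps, and Protected Users membership should be limited to privileged accounts that never need NTLM.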
NTLM is officially deprecated
NT LAN Manager (NTLM) is an old suite of security protocols for user authentication provided by Microsoft, but it has been officially deprecated in favor of Kerberos.
“Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary,” Microsoft explained.
The company regularly fixes vulnerabilities that allow attackers to steal or relay NTLM hashes.