Update with further information from Microsoft.
Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker.
Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information.
It impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
Even though Microsoft’s exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly probable.
“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microosoft’s advisory explains.
“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”
The company is developing security updates to address this bug but has yet to announce a release date.
Since publishing this article, Microsoft shared further information about the CVE-2024-38200 flaw in the advisory, stating that they released a fix through Feature Flighting on 7/30/2024
“No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024,” reads the updated CVE-2024-38200 advisory.
“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.”
The advisory further states that this flaw can be mitigated by blocking outbound NTLM traffic to remote servers.
Microsoft says you can block outbound NTLM traffic using the following three methods:
- Configuring the Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers group policy to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. In this case, you would want to use the policy to block NTLM traffic.
- Adding users to the Protected Users Security Group, which restricts the use of NTLM as an authentication mechanism
- Blocking all outbound traffic to TCP port 445.
Microsoft notes utilizing any of these mitigations could prevent legitimate access to remote servers that rely on NTLM authentication.
While Microsoft did not share any further details about the vulnerability, this guidance indicates the flaw can be used to force an outbound NTLM connection, such as to an SMB share on an attacker’s server.
When this happens, Windows sends the user’s NTLM hashes, including their hashed password, which the attacker can then steal.
As demonstrated repeatedly in the past, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords.
NTLM hashes can also be used in NTLM Relay Attacks, as previously seen with the ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0 attacks, to gain access to other resources on a network.
More details to be shared at Defcon
Microsoft attributed the discovery of the flaws to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir.
PrivSec’s Managing Director Peter Jakowetz told BleepingComputer that Rush will disclose more information about this vulnerability in his upcoming “NTLM – The last ride” Defcon talk.
“There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs,” Rush explains.
“We’ll also uncover some defaults that simply shouldn’t exist in sensible libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls.”
Microsoft is also working on patching zero-day flaws that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.
The company also said earlier this week that it’s considering patching a Windows Smart App Control, SmartScreen bypass exploited since 2018.
