Microsoft discloses unpatched Office flaw that exposes NTLM hashes

Updated with additional information from Microsoft.

Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker.

Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that enables unauthorized actors to access protected information.

It impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Even though Microsoft’s exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly likely.

“In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability,” Microsoft’s advisory explains.

“However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.”

The company is developing security updates to address this bug but has yet to announce a release date.

Since publishing this article, Microsoft shared more information regarding the CVE-2024-38200 flaw in the advisory, stating that they released a fix via Feature Flighting on 7/30/2024.

“No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024,” reads the updated CVE-2024-38200 advisory.

“Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.”

The advisory further states that this flaw can also be mitigated by blocking outbound NTLM traffic to remote servers.

Microsoft says outbound NTLM traffic can be blocked using the following three methods:

Microsoft notes that using any of these mitigations could prevent legitimate access to remote servers that rely on NTLM authentication.
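As an added example (not from Microsoft’s advisory or this article), the following PowerShell script audits and applies one form of the mitigation described above: the “Restrict NTLM: Outgoing NTLM traffic to remote servers” security option, plus a host firewall rule blocking outbound SMB. It assumes an elevated session with local administrator rights on the Windows client being hardened; the registry path and values are the ones that back that Group Policy setting, and the firewall rule name is a constructed placeholder.

```powershell
# Added example: audit and apply outbound-NTLM blocking on a Windows client.
# Not the article's or Microsoft's own script; run in an elevated PowerShell session.

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all

function Get-OutboundNtlmPolicy {
    # Reads the value behind "Restrict NTLM: Outgoing NTLM traffic to remote servers".
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Allow all (not configured)' }
    switch ($item.$valueName) {
        0       { 'Allow all' }
        1       { 'Audit all' }
        2       { 'Deny all' }
        default { "Unknown ($($item.$valueName))" }
    }
}

Write-Host "Before: outbound NTLM policy = $(Get-OutboundNtlmPolicy)"

# Step 1: deny outbound NTLM authentication to remote servers.
# In environments that still depend on NTLM, set 1 (audit) first and review the
# Microsoft-Windows-NTLM/Operational log for event 8001 (outgoing NTLM that
# would have been blocked) before moving to 2, since legitimate access will break.
New-Item -Path $lsaPath -Force | Out-Null
Set-ItemProperty -Path $lsaPath -Name $valueName -Value 2 -Type DWord

# Step 2: block outbound SMB (TCP 445) so the host cannot be drawn into
# authenticating to a remote share at all; placeholder rule name below.
$ruleName = 'Block outbound SMB (TCP 445) - CVE-2024-38200 mitigation'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Any | Out-Null
}

Write-Host "After:  outbound NTLM policy = $(Get-OutboundNtlmPolicy)"

# Quick look at what audit mode would have flagged (empty if logging is off).
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8001 } |
    Select-Object TimeCreated, Message
```

Set the policy value to 1 and watch the 8001 events for a few days before switching to 2, since the caveat above applies: any server that only speaks NTLM will stop working for users on the hardened host.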

While Microsoft did not share any further details regarding the vulnerability, this guidance indicates that the flaw could be exploited to force an outbound NTLM connection, such as to an SMB share on an attacker’s server.

When this occurs, Windows sends the user’s NTLM hashes, including their hashed password, which the attacker can then steal.

As repeatedly demonstrated in the past, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords.

NTLM hashes can also be used in NTLM Relay Attacks, as previously seen with the ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0 attacks, to gain access to other resources on a network.

More details to be shared at Defcon

Microsoft attributed the discovery of the flaws to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir.

PrivSec’s Managing Director Peter Jakowetz told BleepingComputer that Rush will disclose more information about this vulnerability in his upcoming “NTLM – The last ride” Defcon talk.

“There’ll be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and practical techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some completely cooked bugs,” Rush explains.

“We’ll also cover some defaults that simply shouldn’t exist in sensible libraries or applications as well as some obvious gaps in some of the Microsoft NTLM related security controls.”

Microsoft is also working on patching zero-day flaws that could be exploited to “unpatch” up-to-date Windows systems and reintroduce old vulnerabilities.

The company also said earlier this week that it is working on patching a Windows Smart App Control and SmartScreen bypass exploited since 2018.

Update 8/10/24: Added additional information from Microsoft about mitigating the flaw.
