Update with further information from Microsoft.
Microsoft has disclosed a high-severity vulnerability affecting Office 2016 that could expose NTLM hashes to a remote attacker.
Tracked as CVE-2024-38200, this security flaw is caused by an information disclosure weakness that allows unauthorized actors to access protected information.
It impacts multiple 32-bit and 64-bit Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.
Even though Microsoft's exploitability assessment says that exploitation of CVE-2024-38200 is less likely, MITRE has tagged the likelihood of exploitation for this type of weakness as highly likely.
"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft's advisory explains.
"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."
The company is developing security updates to address this bug but has yet to announce a release date.
Since publishing this article, Microsoft shared further information about the CVE-2024-38200 flaw in the advisory, stating that they released a fix through Feature Flighting on 7/30/2024.
"No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024," reads the updated CVE-2024-38200 advisory.
"Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix."
The advisory further states that this flaw can be mitigated by blocking outbound NTLM traffic to remote servers.
Microsoft says you can block outbound NTLM traffic using the following three methods:
Microsoft notes that utilizing any of these mitigations could prevent legitimate access to remote servers that rely on NTLM authentication.
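As an added example (not text or code from Microsoft's advisory or from BleepingComputer), the following PowerShell stages the "block outbound NTLM to remote servers" mitigation described above on a single host the way a defender would: switch the policy to audit first, review what would break, then enforce. The registry value and the NTLM operational-log event are the ones backing the Windows policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"; the outbound SMB firewall rule is an assumed extra layer, since the article notes coerced NTLM typically targets an SMB share on the attacker's server. Run it elevated.

```powershell
#Requires -RunAsAdministrator
# Registry value behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Value  = 'RestrictSendingNTLMTraffic'   # 0 = allow all, 1 = audit all, 2 = deny all

function Set-OutboundNtlmMode {
    param([ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $code = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    if (-not (Test-Path $LsaKey)) { New-Item -Path $LsaKey -Force | Out-Null }
    New-ItemProperty -Path $LsaKey -Name $Value -PropertyType DWord -Value $code -Force | Out-Null
    "Outbound NTLM mode set to $Mode ($code)"
}

# Audit before deny: the article warns the block can break legitimate NTLM access.
# Event 8001 in the NTLM operational log records outgoing NTLM that *would* be blocked.
function Get-OutboundNtlmAuditEvents {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message   # message names the target server and client process
}

# Assumed second layer: deny outbound SMB (TCP 445) to non-private addresses, which is
# where a coerced NTLM connection to an attacker-controlled share would otherwise go.
function Block-OutboundSmbToInternet {
    New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet addresses' `
        -Direction Outbound -Action Block -Protocol TCP -RemotePort 445 `
        -RemoteAddress Internet -Profile Any | Out-Null
    'Outbound TCP 445 to Internet addresses blocked'
}

# Rollout sequence: audit, review for a day or more, then enforce.
Set-OutboundNtlmMode -Mode Audit
$audit = Get-OutboundNtlmAuditEvents -Hours 24
if ($audit) {
    "Review these before enforcing; each is a remote NTLM logon that Deny would break:"
    $audit | Format-Table -AutoSize
} else {
    "No outgoing NTLM to remote servers observed in the window; safe to enforce."
    Set-OutboundNtlmMode -Mode Deny
    Block-OutboundSmbToInternet
}
```

Hosts that legitimately authenticate to remote file servers with NTLM will show up in the audit output; add those servers as exceptions in the companion policy (Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication) before switching to Deny.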
While Microsoft did not share any further details about the vulnerability, this guidance shows the flaw can be used to force an outbound NTLM connection, such as to an SMB share on an attacker's server.
When this happens, Windows sends the user's NTLM hashes, including their hashed password, which the attacker can then steal.
As demonstrated repeatedly in the past, these hashes can be cracked, allowing threat actors to gain access to login names and plaintext passwords.
NTLM hashes can also be used in NTLM Relay Attacks, as previously seen with the ShadowCoerce, DFSCoerce, PetitPotam, and RemotePotato0 attacks, to gain access to other resources on a network.
More details to be shared at Defcon
Microsoft attributed the discovery of the flaws to PrivSec Consulting security consultant Jim Rush and Synack Red Team member Metin Yunus Kandemir.
PrivSec's Managing Director Peter Jakowetz told BleepingComputer that Rush will disclose more information about this vulnerability in his upcoming "NTLM – The last ride" Defcon talk.
"There will be a deep dive on several new bugs we disclosed to Microsoft (including bypassing a fix to an existing CVE), some interesting and useful techniques, combining techniques from multiple bug classes resulting in some unexpected discoveries and some absolutely cooked bugs," Rush explains.
"We'll also uncover some defaults that simply shouldn't exist in modern libraries or applications as well as some glaring gaps in some of the Microsoft NTLM related security controls."
Microsoft is also working on patching zero-day flaws that could be exploited to "unpatch" up-to-date Windows systems and reintroduce old vulnerabilities.
The company also said earlier this week that it's considering patching a Windows Smart App Control, SmartScreen bypass exploited since 2018.
Update 8/10/24: Added additional information from Microsoft about mitigating the flaw.