A proof-of-concept (PoC) exploit for a significant zero-day vulnerability in Microsoft Office, tracked as CVE-2024-38200, has been publicly released. This vulnerability affects several Microsoft Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. It poses a serious risk by enabling attackers to capture sensitive NTLMv2 authentication hashes, which can lead to further network intrusions and privilege escalation attacks.
How the Vulnerability is Exploited
CVE-2024-38200 is an information disclosure flaw that can be exploited remotely. An attacker can trigger the vulnerability by convincing a victim to open a specially crafted document. This file can be hosted on a malicious or compromised website and sent through phishing emails or instant messages. Once the victim opens the file, the attacker can capture NTLMv2 hashes over protocols like HTTP or SMB, which can be leveraged in NTLM relay attacks to access network resources, escalate privileges, or gain control of critical systems such as Domain Controllers.
The PoC exploit demonstrates how to manipulate Office’s URI schemes to redirect HTTP requests to an attacker-controlled server, which captures the authentication hashes. The exploit is particularly effective because Microsoft 365 Apps and Office 2019 lack the security warning present in Office 2016, so the victim sees nothing unusual when the document is opened.
Risks
Once attackers have obtained the NTLMv2 hashes, they can:
Perform pass-the-hash attacks to access other systems.
Conduct NTLM relay attacks to escalate privileges or access sensitive resources.
Crack the hash offline to retrieve the actual password, enabling further intrusions.
Move laterally across networks by reusing the captured credentials.
Remediation and Mitigation
Although Microsoft is actively working on a comprehensive fix, some mitigation steps are available in the interim:
Feature Flighting: Microsoft has deployed an alternative fix via Feature Flighting as of July 30, 2024, which protects customers using in-support Office versions.
August 13th 2024 Patch Tuesday: Contains the final fix for this vulnerability.
Network Security Settings: Configure the group policy to restrict outgoing NTLM traffic to remote servers, which helps block NTLM authentication attempts.
Protected Users Group: Adding high-value accounts (like Domain Admins) to the Protected Users Security Group prevents NTLM usage for these accounts.
Block TCP Port 445: Blocking outbound traffic to TCP port 445 using firewalls will prevent SMB-based NTLM relay attacks.
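As an added example (not from the article, the advisory or Microsoft), the following PowerShell script audits the three host and domain mitigations listed above on a Windows system: the registry value behind the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, Protected Users membership for a list of privileged accounts, and an outbound TCP 445 firewall rule. The account list and the firewall rule name are assumed placeholders; the script expects an elevated session and the ActiveDirectory module for the group check.

```powershell
# Added example, not part of the original article. Audits the CVE-2024-38200
# interim mitigations on the local machine. Assumes an elevated session, the
# ActiveDirectory module (for the group check), and placeholder names below.

# 1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    is stored as RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsaPath -Name RestrictSendingNTLMTraffic `
         -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
switch ($ntlm) {
    2       { Write-Output 'Outgoing NTLM: DENY ALL (mitigated)' }
    1       { Write-Output 'Outgoing NTLM: AUDIT ALL (not blocked; review Microsoft-Windows-NTLM/Operational log)' }
    default { Write-Output 'Outgoing NTLM: ALLOWED (policy not set; hash capture via the crafted document is not blocked)' }
}

# 2. Protected Users membership for high-value accounts.
#    $highValue is a constructed sample list; replace it with your own privileged accounts.
$highValue = @('Administrator', 'da-alice')
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $members = (Get-ADGroupMember -Identity 'Protected Users' -Recursive).SamAccountName
    foreach ($acct in $highValue) {
        $state = if ($members -contains $acct) { 'in Protected Users' } else { 'NOT in Protected Users' }
        Write-Output "Account ${acct}: $state"
    }
} else {
    Write-Output 'ActiveDirectory module not found; skipping Protected Users check'
}

# 3. Outbound TCP 445 block (the SMB relay path). Create the rule if it is absent.
#    The rule name is an arbitrary label; the Public profile is chosen here so that
#    domain file shares keep working, widen it deliberately if your policy requires.
$ruleName = 'Block outbound SMB 445'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
        -RemotePort 445 -Action Block -Profile Public | Out-Null
    Write-Output "Created firewall rule '$ruleName' (Public profile only)"
} else {
    Write-Output "Firewall rule '$ruleName' already present (Enabled: $($rule.Enabled))"
}
```

Setting RestrictSendingNTLMTraffic to 1 first and reviewing the Microsoft-Windows-NTLM/Operational log for a few days shows which legitimate outbound NTLM flows exist before moving to 2.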
By implementing these mitigations, organizations can reduce the risk of exploitation until the final patch is applied. Additionally, Microsoft advises regularly applying security updates and monitoring for any suspicious outbound NTLM traffic.
For more details, see the official Microsoft security advisory and related sources. Stay vigilant to ensure your Office environment is secure against this evolving threat.