Microsoft NTLM Zero-Day Vulnerability Unresolved Until April
December 9, 2024
A second zero-day vulnerability has been discovered in Windows NTLM, two months after the first, giving attackers a path to credential theft and NTLM relay attacks. Microsoft has not yet issued a patch, but it has published updated guidance on mitigating NTLM relay attacks. That guidance arrived shortly after researchers reported the NTLM hash disclosure zero-day, which affects all versions of Windows Workstation and Server from Windows 7 to the latest Windows 11; it remains unclear whether the two developments are related or coincidental.
The bug, which has no CVE or CVSS score yet, is not expected to be patched for several months. Researchers at ACROS Security found it in all supported Windows versions. It lets an attacker capture a user's NTLM authentication hash, which can then be cracked offline or relayed, simply by getting the user to view a malicious file in Windows Explorer.
According to Mitja Kolsek, CEO of ACROS Security, 'Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker's Web page' is sufficient for a credential compromise. ACROS has decided not to release any further information about the bug until Microsoft develops a fix.
Kolsek further explained that an attacker's ability to exploit the bug depends on various factors, and that it is hard to tell where the issue is exploitable without actually trying to exploit it. Microsoft has classified the vulnerability as 'Important' severity, one level below 'Critical'. A fix is planned for release in April, according to Kolsek.
A Microsoft representative confirmed that the company is 'aware of the report and will take action as needed to help keep customers protected.' This is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and provided attackers a means to trick victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.
Windows NTLM (NT LAN Manager) is a legacy authentication protocol that modern Windows still ships for backward compatibility. Attackers regularly exploit weaknesses in the protocol to intercept authentication requests and relay them, gaining access to other servers or services the original users can reach. In a relay the attacker never needs to crack the hash: the victim's challenge-response is forwarded to a target service in real time, which is why the mitigations below focus on binding the authentication to the TLS channel or the target service (Extended Protection for Authentication) and on requiring signing. Microsoft, in its advisory, described NTLM relaying as a 'popular attack method used by threat actors that allows for identity compromise.'
The advisory also pointed to previously exploited vulnerabilities, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, that attackers used to coerce NTLM authentication from victims and relay it to services that lack protections against NTLM relaying. In response, Microsoft has updated its guidance on enabling Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server.
The latest Windows Server 2025 comes with EPA enabled by default for both AD CS and LDAP. Microsoft stressed the importance of enabling EPA specifically for Exchange Server due to its 'unique role that Exchange Server plays in the NTLM threat landscape.' The company cited CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes.
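The EPA guidance above maps to a small number of concrete settings on a domain controller and on an AD CS web enrollment server. The following PowerShell script is an added example, not code from the article, ACROS or Microsoft: it audits those settings and, with `-Enforce`, sets them to the enforced values. It assumes it is run elevated, that the LDAP checks run on a domain controller, that the AD CS enrollment application lives at the default IIS location `Default Web Site/CertSrv` (an assumption) and that the IIS `WebAdministration` module is installed there; Exchange is out of scope because Microsoft ships its own script for it.

```powershell
<#
  Added example (not from the article, ACROS or Microsoft): audit, and optionally
  enforce, the Extended Protection for Authentication (EPA) settings Microsoft's
  guidance covers for LDAP and AD CS. Run elevated. Assumptions: the LDAP values
  only matter on a domain controller; the AD CS check targets the default web
  enrollment app 'Default Web Site/CertSrv' and needs the WebAdministration module.
  Use -Enforce only after auditing clients: requiring channel binding rejects any
  LDAP client that does not send a channel binding token.
#>
param([switch]$Enforce)

$ldapKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$iisPath    = 'MACHINE/WEBROOT/APPHOST'
$certSrvLoc = 'Default Web Site/CertSrv'   # assumed default AD CS enrollment location
$winAuth    = 'system.webServer/security/authentication/windowsAuthentication'
$access     = 'system.webServer/security/access'

function Get-LdapEpaStatus {
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always (EPA enforced).
    # LDAPServerIntegrity:       1 = none,  2 = require signing.
    $p  = Get-ItemProperty -Path $ldapKey -ErrorAction SilentlyContinue
    $cb = $p.LdapEnforceChannelBinding
    $sg = $p.LDAPServerIntegrity
    [pscustomobject]@{
        Component      = 'LDAP'
        ChannelBinding = if ($null -eq $cb) { 'not set (platform default)' } else { $cb }
        Signing        = if ($null -eq $sg) { 'not set (platform default)' } else { $sg }
        Enforced       = ($cb -eq 2 -and $sg -eq 2)
    }
}

function Get-AdcsEpaStatus {
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) {
        return [pscustomobject]@{ Component = 'AD CS'; TokenChecking = 'WebAdministration module missing'; RequireSsl = $null; Enforced = $false }
    }
    Import-Module WebAdministration
    # EPA for the enrollment pages is the Windows Authentication "Extended Protection" setting
    # (tokenChecking = Require); it needs TLS to bind to, so SSL must be required as well.
    $tc  = Get-WebConfigurationProperty -PSPath $iisPath -Location $certSrvLoc -Filter $winAuth `
               -Name 'extendedProtection.tokenChecking' -ErrorAction SilentlyContinue
    $ssl = Get-WebConfigurationProperty -PSPath $iisPath -Location $certSrvLoc -Filter $access `
               -Name 'sslFlags' -ErrorAction SilentlyContinue
    # Some attribute types come back wrapped in a ConfigurationAttribute; reduce both to strings.
    $tcVal  = if ($tc  -and $tc.PSObject.Properties['Value'])  { "$($tc.Value)" }  else { "$tc" }
    $sslVal = if ($ssl -and $ssl.PSObject.Properties['Value']) { "$($ssl.Value)" } else { "$ssl" }
    [pscustomobject]@{
        Component     = 'AD CS'
        TokenChecking = $tcVal
        RequireSsl    = ($sslVal -match 'Ssl')
        Enforced      = ($tcVal -eq 'Require' -and $sslVal -match 'Ssl')
    }
}

function Set-EpaEnforced {
    # LDAP: always require channel binding and signing.
    Set-ItemProperty -Path $ldapKey -Name LdapEnforceChannelBinding -Value 2 -Type DWord
    Set-ItemProperty -Path $ldapKey -Name LDAPServerIntegrity      -Value 2 -Type DWord
    # AD CS: Extended Protection = Required and SSL required on the enrollment app.
    Set-WebConfigurationProperty -PSPath $iisPath -Location $certSrvLoc -Filter $winAuth `
        -Name 'extendedProtection.tokenChecking' -Value 'Require'
    Set-WebConfigurationProperty -PSPath $iisPath -Location $certSrvLoc -Filter $access `
        -Name 'sslFlags' -Value 'Ssl'
}

$results = @(Get-LdapEpaStatus; Get-AdcsEpaStatus)
$results | Format-Table -AutoSize
if ($Enforce) {
    Set-EpaEnforced
    'Settings applied. Re-run without -Enforce to verify.'
}
```

Before enforcing on LDAP, raise the "16 LDAP Interface Events" diagnostic level on the domain controllers and watch the Directory Service log for event 2889 (clients binding without signing) and event 3039 (clients failing channel binding validation); each such client will break once the values are set to 2. For Exchange, run Microsoft's ExchangeExtendedProtectionManagement.ps1 rather than editing IIS by hand, since EPA must be set consistently across every Exchange virtual directory.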
'Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them,' the company stated. Kolsek said it is uncertain whether Microsoft's NTLM mitigation recommendations are related to his recent bug disclosure. He nonetheless urged users to follow Microsoft's advice on mitigating NTLM-related vulnerabilities, or to consider 0patch, the micropatching service his company offers, which covers older and unsupported software products in particular.
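Because the coercion vector Microsoft describes is a UNC or `file://` link inside an Office document, a defender can check a suspicious attachment for such links without opening it. The script below is an added example, not from the article or Microsoft: it treats an Office Open XML file (.docx, .xlsx, .pptx) as the zip package it is and searches every XML part for UNC and `file:` targets, which covers relationship targets, field codes such as HYPERLINK and INCLUDEPICTURE, and external data definitions alike. The input path is whatever the caller supplies; no sample document is bundled.

```powershell
<#
  Added example (not from the article or Microsoft): list UNC (\\host\share) and
  file:// references inside an Office Open XML document. These are the link forms
  that make Office contact a remote host over SMB or WebDAV and send NTLM
  authentication; plain http(s) links do not leak NTLM by themselves.
  Works on any .docx/.xlsx/.pptx without an Office installation.
#>
param([Parameter(Mandatory)][string]$Path)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-UncReferences {
    param([string]$Path)
    # \\host\share... (backslashes may be doubled inside Word field codes, which the
    # regex still catches) or a file: URI, terminated by a quote, angle bracket or space.
    $pattern = '(?i)(\\\\[a-z0-9._\-]+\\[^"<>\s]*|file:(?://)?[^"<>\s]+)'
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            # Only XML parts and relationship files can carry link targets.
            if ($entry.FullName -notmatch '\.(xml|rels)$') { continue }
            $reader = New-Object System.IO.StreamReader($entry.Open())
            try { $text = $reader.ReadToEnd() } finally { $reader.Dispose() }
            foreach ($m in [regex]::Matches($text, $pattern)) {
                [pscustomobject]@{
                    Part   = $entry.FullName   # e.g. word/_rels/settings.xml.rels (attached template)
                    Target = $m.Value
                }
            }
        }
    } finally {
        $zip.Dispose()
    }
}

$hits = @(Get-UncReferences -Path $Path)
if ($hits.Count -eq 0) {
    "No UNC or file: references found in $Path"
} else {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) reference(s) would trigger an outbound SMB/WebDAV connection when the document is opened."
}
```

A hit in `word/_rels/settings.xml.rels` is an attached template pointing at a remote share, a hit in `word/_rels/document.xml.rels` is usually a linked image or hyperlink, and a hit in `word/document.xml` itself is a field code; all three cause the same outbound authentication, so the part name only tells you which feature the attacker used.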