Unpatched Microsoft Office Flaw Could Expose NTLM Hashes

August 9, 2024

Microsoft has disclosed a high-severity vulnerability in Microsoft Office that could expose a user's NTLM credentials to a remote attacker. The flaw, tracked as CVE-2024-38200, is an information disclosure weakness that lets an unauthorized party obtain protected data. The zero-day affects 32-bit and 64-bit editions of Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise.

Microsoft's exploitability assessment rates exploitation of CVE-2024-38200 as "less likely", but MITRE rates the likelihood of exploitation for this class of weakness as high. In a web-based attack scenario, an attacker could host a website containing a specially crafted file designed to trigger the vulnerability. The attacker has no way to force a user to visit that site; they would have to persuade the user to click a link, typically through a lure in an email or instant message, and then convince the user to open the crafted file.

Microsoft said it is developing security updates for this zero-day but, at the time of writing, had not shared a release date. After this article was published, Microsoft updated the advisory to say that an alternative fix had already been rolled out through Feature Flighting on July 30, 2024, and that the final version of the fix will ship in the August 13, 2024 updates. The updated CVE-2024-38200 advisory reads: 'No, we identified an alternative fix to this issue that we enabled via Feature Flighting on 7/30/2024. Customers are already protected on all in-support versions of Microsoft Office and Microsoft 365. Customers should still update to the August 13, 2024 updates for the final version of the fix.'

The advisory also says the flaw can be mitigated by blocking outbound NTLM traffic to remote servers. Microsoft lists three ways to do this: the "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy, adding users to the Protected Users security group, and blocking outbound TCP 445 (SMB) at the perimeter, local or VPN firewall. It warns that any of these can break legitimate access to remote servers that still rely on NTLM authentication, so they should be tested before deployment. The guidance confirms that the flaw can be used to force an outbound NTLM authentication, for example to an SMB share on an attacker-controlled server. When that happens, Windows does not transmit the NT hash itself; it answers the attacker's challenge with an NTLM challenge-response (commonly called a Net-NTLMv2 hash) derived from the user's password hash, together with the username and domain. The attacker can crack that response offline to recover the plaintext password, or relay the authentication in real time to another server that accepts NTLM and does not enforce signing, gaining access to network resources as that user without cracking anything.
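As an added example that is not from the article or from Microsoft's advisory, the following PowerShell stages the first and third of those mitigations in the order a practitioner would actually want: audit outgoing NTLM first, collect the servers that legitimately receive it, then register them as exceptions and switch to deny, with an outbound SMB firewall rule for public networks alongside. It assumes the documented registry backing for the "Restrict NTLM" policies (RestrictSendingNTLMTraffic and ClientAllowedNTLMServers under MSV1_0), that audit event 8001's message text contains a "Target server:" field, and a placeholder internal domain suffix; verify all three against your own build and environment.

```powershell
# Added example, not from the article or Microsoft's advisory.
# Stages the "block outbound NTLM" mitigation: audit -> exception list -> deny.
# Run in an elevated PowerShell session on the client being hardened.
# Assumption: these registry values are the local backing store for the GPO
# settings under Security Options -> "Network security: Restrict NTLM: ...".
param([switch]$Enforce)

$Msv1Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Set-OutgoingNtlmMode {
    # Maps to "Restrict NTLM: Outgoing NTLM traffic to remote servers".
    param([Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode)
    $value = @{ Allow = 0; Audit = 1; Deny = 2 }[$Mode]
    Set-ItemProperty -Path $Msv1Key -Name 'RestrictSendingNTLMTraffic' -Value $value -Type DWord
}

function Get-OutgoingNtlmTargets {
    # In Audit mode, event 8001 in Microsoft-Windows-NTLM/Operational records each
    # outgoing NTLM authentication that Deny mode would have blocked.
    # Assumption: the event message carries a "Target server: <name>" line
    # (UNC or SPN form; normalise before comparing if you mix the two).
    param([int]$Days = 14)
    $filter = @{
        LogName   = 'Microsoft-Windows-NTLM/Operational'
        Id        = 8001
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'Target server:\s*(\S+)') { $Matches[1] }
        } |
        Sort-Object -Unique
}

function Set-OutgoingNtlmExceptions {
    # Maps to "Restrict NTLM: Add remote server exceptions for NTLM authentication".
    # Only reviewed internal servers belong here; an Internet host is exactly
    # what a CVE-2024-38200 lure document would point at.
    param([Parameter(Mandatory)][string[]]$Servers)
    Set-ItemProperty -Path $Msv1Key -Name 'ClientAllowedNTLMServers' -Value $Servers -Type MultiString
}

function Block-OutboundSmb {
    # Third mitigation: stop the coerced SMB connection itself. Public profile only,
    # so domain and private-network file shares keep working; cover those networks
    # at the perimeter firewall instead.
    New-NetFirewallRule -DisplayName 'Block outbound SMB on public networks (CVE-2024-38200)' `
        -Direction Outbound -Protocol TCP -RemotePort 445 -Profile Public -Action Block | Out-Null
}

if (-not $Enforce) {
    # First run: observe, do not block. Come back with -Enforce after a
    # representative audit window (a full business cycle, not an afternoon).
    Set-OutgoingNtlmMode -Mode Audit
    Write-Host 'Outgoing NTLM audit enabled. Targets seen so far:'
    Get-OutgoingNtlmTargets -Days 14 | ForEach-Object { Write-Host "  $_" }
}
else {
    # Second run: keep only reviewed internal hosts as exceptions, then enforce.
    # The suffix filter is an assumption; replace it with your own domain.
    $internal = Get-OutgoingNtlmTargets -Days 14 | Where-Object { $_ -match '\.corp\.example$' }
    if ($internal) { Set-OutgoingNtlmExceptions -Servers $internal }
    Set-OutgoingNtlmMode -Mode Deny
    Block-OutboundSmb
    Write-Host "Outgoing NTLM denied; $(@($internal).Count) exception(s) kept."
}

# Second mitigation from the advisory, for completeness (needs the ActiveDirectory
# module and domain admin rights; run on a DC or RSAT workstation, not here):
#   Add-ADGroupMember -Identity 'Protected Users' -Members 'jdoe'
```

Run the script once without arguments, wait out the audit window, then run it with `-Enforce`. The audit step is the check that matters: the advisory's warning about breaking legitimate access is about exactly the servers that event 8001 will surface, and Protected Users membership has side effects of its own (no NTLM, no DES/RC4 Kerberos, shorter ticket lifetimes), so it should be piloted on a small group before being applied broadly.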

The discovery of this flaw is credited to security consultant Jim Rush of PrivSec Consulting and Metin Yunus Kandemir of the Synack Red Team. Rush is expected to disclose more details in his upcoming 'NTLM - The last ride' talk at DEF CON. A Synack representative was not immediately available for comment on CVE-2024-38200. Separately, Microsoft is also working on patches for zero-day flaws that could be exploited to 'unpatch' up-to-date Windows systems and reintroduce old vulnerabilities, and the company said earlier this week that it is considering patching a Windows Smart App Control and SmartScreen bypass that has been exploited since 2018.
