
CVE-2024-38200 | Windows | LPE

Vulnerability: CVE-2024-38200

Description: CVE-2024-38200 is a spoofing vulnerability in Microsoft Office that allows attackers to capture NTLMv2 hashes by exploiting Office URI schemes. This flaw enables malicious actors to craft links that, when accessed, can lead to unauthorized disclosure of sensitive authentication information. (nvd.nist.gov)

Affected Systems: Microsoft Office versions, including Office 2019 and Microsoft 365, are susceptible to this vulnerability. (github.com)

Attack Vector: Remote. Attackers can deliver malicious links via phishing emails or compromised websites. When a user clicks on such a link, it triggers the Office application to access a remote file, leading to the capture of NTLMv2 hashes without user prompts or warnings.

Exploitation Techniques:
- Abuse of Office URI Schemes: Attackers craft a malicious link using the `ms-word:ofe

The Impact of the Bug:
- Unauthorized disclosure of NTLMv2 hashes, potentially leading to credential theft.
- Increased risk of NTLM relay attacks, which can compromise critical systems or services.
- Potential lateral movement and privilege escalation in enterprise environments, threatening data confidentiality, integrity, and availability.

How to Detect Infections:
- Network Traffic Monitoring: Look for unusual outbound traffic from Office applications to external servers, especially over HTTP or SMB.
- Authentication Anomalies: Monitor authentication logs for repeated or unexpected NTLM authentication attempts to external IP addresses.
- Honeypots: Deploy NTLM traps to detect unauthorized attempts to capture NTLM hashes within the network.

Mitigation Steps:
- Apply security patches provided by Microsoft addressing CVE-2024-38200.
- Educate users about the risks of clicking on unsolicited links or opening documents from untrusted sources.
- Configure network security controls to block unauthorized outbound SMB traffic and restrict NTLM authentication to trusted systems only.
- Use Group Policy settings to disable NTLM authentication where feasible and enforce Kerberos authentication.

Workarounds:
- Disable automatic URL handling in Office applications to prevent automatic access to remote resources.
- Implement network-level protections to intercept and block malicious Office URI schemes.
- Use host-based firewalls or EDR solutions to block unauthorized Office application behaviors.

References:
- Microsoft Security Response Center - CVE-2024-38200
- GitHub Repository - CVE-2024-38200
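The two log-based checks above (Office processes reaching external hosts over SMB/HTTP, and repeated outgoing NTLM authentication to external addresses) can be scripted. The following is an added example, not part of this advisory or of any Microsoft tooling: it runs both checks over constructed sample lines in a simplified `Key=Value` format modelled on Sysmon network-connection events (Event ID 3: `Image`, `DestinationIp`, `DestinationPort`) and on the Microsoft-Windows-NTLM/Operational outgoing-NTLM audit event (ID 8001). The field names, the set of Office process names, the trusted internal ranges and the sample addresses are all assumptions for illustration; adapt them to the actual export format of your SIEM.

```python
"""Detection helpers for the CVE-2024-38200 signals described above.

Added example (not from the advisory). Both checks work on one-line
'Key=Value' records; real exports will need their own field mapping.
"""
import ipaddress
import re
from collections import Counter

# Assumption: these ranges are the organisation's trusted internal space.
# Explicit ranges are used instead of ipaddress.is_private because the
# latter also treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Assumption: Office processes whose outbound SMB/HTTP traffic is unusual.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_PORTS = {445, 80}  # SMB and HTTP, the transports named in the advisory

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line):
    """Parse 'Key=Value Key="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_external(ip_text):
    """True when the address is outside every trusted internal range.

    Hostnames are skipped (return False); resolve them before calling.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def suspicious_office_connections(lines):
    """Sysmon Event 3 style records: Office process -> external host on 445/80."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        port = int(ev.get("DestinationPort", "0"))
        dst = ev.get("DestinationIp", "")
        if image in OFFICE_PROCESSES and port in WATCHED_PORTS and is_external(dst):
            hits.append((image, dst, port))
    return hits


def external_ntlm_targets(lines, threshold=1):
    """Outgoing-NTLM audit records (EventID=8001): count external targets.

    Returns {target: count} for targets seen at least `threshold` times.
    """
    counts = Counter()
    for line in lines:
        ev = parse_kv(line)
        if ev.get("EventID") != "8001":
            continue
        target = ev.get("TargetServer", "")
        if is_external(target):
            counts[target] += 1
    return {t: c for t, c in counts.items() if c >= threshold}


# Constructed sample input (addresses from documentation ranges).
NETWORK_EVENTS = [
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" DestinationIp=203.0.113.10 DestinationPort=445',
    r'Image="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" DestinationIp=10.0.0.5 DestinationPort=445',
    r'Image="C:\Windows\System32\svchost.exe" DestinationIp=203.0.113.10 DestinationPort=443',
    r'Image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" DestinationIp=198.51.100.7 DestinationPort=80',
]
NTLM_EVENTS = [
    "EventID=8001 TargetServer=203.0.113.10 UserName=alice Domain=CORP",
    "EventID=8001 TargetServer=203.0.113.10 UserName=bob Domain=CORP",
    "EventID=8001 TargetServer=fileserver01.corp.local UserName=alice Domain=CORP",
    "EventID=8002 TargetServer=203.0.113.10 UserName=svc Domain=CORP",
]

if __name__ == "__main__":
    for hit in suspicious_office_connections(NETWORK_EVENTS):
        print("office process to external host:", hit)
    for target, n in external_ntlm_targets(NTLM_EVENTS).items():
        print(f"outgoing NTLM to external target {target}: {n} event(s)")
```

On the sample data the first check reports the WINWORD.EXE connection to 203.0.113.10:445 and the EXCEL.EXE connection to 198.51.100.7:80, while the internal SMB connection and the svchost.exe HTTPS connection are ignored; the second check reports 203.0.113.10 twice and skips the internal hostname and the non-8001 record. Raising `threshold` turns the NTLM check into a "repeated attempts" alert, which is the signal the advisory calls out.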