May require mitigation prior to the official patch expected in August Patch Tuesday update
Overview
A critical security flaw, identified as CVE-2024-38200, has been discovered in several versions of Microsoft Office, including Office 2016, 2019, 2021, and Microsoft 365 Apps for Enterprise, affecting millions of users worldwide.
This vulnerability, classified as a zero-day, allows unauthorized access to sensitive information, such as NTLM hashes, which could potentially compromise entire networks.
While Microsoft has implemented temporary mitigations, a permanent fix is scheduled for release on August 13th.
Analysis
The Microsoft Office zero-day vulnerability stems from an information disclosure weakness that could allow attackers to gain unauthorized access to sensitive data, such as NTLM hashes. If successfully exploited, this flaw could enable attackers to compromise entire networks, potentially leading to unauthorized access to corporate systems, data breaches, and widespread disruption.
CVE-2024-38200 is exploited through a multi-step process that primarily relies on social engineering and a web-based attack scenario. The attacker creates a specially crafted file that takes advantage of the information disclosure vulnerability in Microsoft Office. This file is designed to trigger the vulnerability when opened in an affected version of Microsoft Office. Since the attacker cannot directly force the victim to open the malicious file, they must employ social engineering tactics. This usually involves sending the file to the target via email, instant messaging, or any other communication platform, often disguised as a legitimate or enticing document, e.g. an invoice, a business proposal, or another document relevant to the target. In some cases, the attacker may host the malicious file on a compromised or malicious website. The attacker then lures the victim to visit this site, possibly through a phishing email that contains a link to the file.
When the victim opens the malicious file in Microsoft Office, the vulnerability is triggered. This process involves the Office application handling the file in a way that unintentionally exposes sensitive information, such as NTLM (NT LAN Manager) hashes, to the attacker. The exposed NTLM hashes can be captured by the attacker, typically by directing the Office application to send these hashes to a remote server controlled by the attacker. NTLM hashes are used in Windows environments for authentication, and once obtained, they can be used to impersonate the user or perform further attacks. With the NTLM hashes in hand, the attacker can perform several additional actions:
Pass-the-Hash Attack: The attacker can use the NTLM hash to authenticate as the user without knowing their actual password, gaining unauthorized access to network resources.
Lateral Movement: The attacker may use the hash to move laterally within the network, compromising other systems and potentially escalating their privileges.
Data Exfiltration: Sensitive information from compromised systems can be extracted.
Network Takeover: In a worst-case scenario, the attacker could gain control over key network resources, leading to a full network compromise.
The attacker may also employ techniques to maintain persistence within the network, such as creating backdoors or installing malware, while attempting to evade detection by security systems.
At the time of writing there were no reports of exploitation in the wild. Microsoft has categorised this vulnerability as “Exploitation Less Likely”.
Historically, vulnerabilities like CVE-2024-38200 have been exploited by a range of advanced persistent threat (APT) groups and cybercriminals. Such groups often leverage zero-day vulnerabilities to execute highly targeted attacks against specific organizations or industries. Previous incidents suggest that threat actors could use this vulnerability to deploy malware designed to exfiltrate sensitive data, escalate privileges, or establish a persistent presence within a compromised network.
Notable examples of malware that could potentially exploit this type of vulnerability include credential-stealing tools like Mimikatz, which harvest NTLM hashes, and ransomware variants that use NTLM hashes for lateral movement across networks. Threat actors known for exploiting similar vulnerabilities include groups like APT29 (Cozy Bear) and APT28 (Fancy Bear), which have a history of targeting government, military, and financial sectors.
Remediation
Microsoft has already implemented an interim mitigation via Feature Flighting, which is automatically enabled across all supported versions of Office and Microsoft 365. Ensure that this mitigation is active on all affected systems to provide temporary protection until the official patch is released.
Additionally, Microsoft recommends the following mitigations until an official patch is released:
Network Security Configuration: Implement the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting. This restricts or audits outgoing NTLM traffic, reducing the attack surface.
Protected Users Security Group: Adding users to the Protected Users Security Group ensures that NTLM is not used as an authentication mechanism, further minimizing the risk of exploitation.
Outbound TCP 445/SMB Blocking: Blocking outbound TCP 445/SMB traffic using firewalls and VPN configurations prevents NTLM authentication messages from being sent to remote file shares, effectively thwarting potential exploitation attempts.
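The following PowerShell script is an added example, not part of Microsoft's guidance or the original advisory. It audits whether the three interim mitigations above are in place on a Windows host: the outgoing NTLM restriction (read from the RestrictSendingNTLMTraffic value that the policy setting writes under the MSV1_0 key), an enabled outbound firewall rule blocking TCP 445, and membership of a list of privileged accounts in the Protected Users group. It assumes it runs as an administrator on a domain-joined machine with the ActiveDirectory RSAT module available; the function name and the sample account names are my own.

```powershell
# Added example: audit the interim CVE-2024-38200 mitigations on the local host.
# Assumes an elevated session; the Protected Users check needs the ActiveDirectory module.
function Test-Cve202438200Mitigations {
    [CmdletBinding()]
    param(
        # Accounts expected to be in Protected Users (constructed sample; replace with your own list)
        [string[]] $PrivilegedUsers = @('admin.alice', 'admin.bob')
    )

    # 1. "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
    #    Backed by RestrictSendingNTLMTraffic: 0 = allow all, 1 = audit all, 2 = deny all.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
    $ntlm   = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    $ntlmState = if ($ntlm -eq 2) { 'Deny all' }
                 elseif ($ntlm -eq 1) { 'Audit all' }
                 else { 'Allow all (not mitigated)' }

    # 2. An enabled outbound Windows Firewall rule that blocks TCP 445 (SMB).
    $smbBlock = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $portFilter.Protocol -eq 'TCP' -and ($portFilter.RemotePort -contains '445')
        }

    # 3. Privileged accounts missing from Protected Users (members of that group cannot use NTLM).
    $missing = @()
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Import-Module ActiveDirectory
        $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName
        $missing = @($PrivilegedUsers | Where-Object { $_ -notin $members })
    } else {
        $missing = @('<ActiveDirectory module not available: check skipped>')
    }

    # One object per host, suitable for export to CSV across a fleet.
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        RestrictOutgoingNtlm  = $ntlmState
        OutboundTcp445Blocked = [bool]$smbBlock
        NotInProtectedUsers   = $missing
    }
}

Test-Cve202438200Mitigations | Format-List
```

A host is only covered by the first mitigation when RestrictOutgoingNtlm reports "Deny all"; "Audit all" records the NTLM traffic that would be blocked without stopping it, which is useful for finding legitimate dependencies before enforcing the deny setting.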
Given the social engineering component of this vulnerability, it is crucial to educate users on the risks of opening unsolicited email attachments or clicking on links from unknown sources. Regular phishing awareness training can help reduce the likelihood of successful exploitation.
Attacks could also be mitigated by ensuring that Office macros and ActiveX controls are disabled by default, reducing the risk of automatic exploitation.
As soon as the official patch is released on August 13th, organizations must ensure it is applied across all affected systems. This will provide comprehensive protection against CVE-2024-38200.