Patch now! Microsoft Office flaw could leak NTLM hashes

Microsoft is warning about a Microsoft Office vulnerability which an attacker could use to steal NTLM hashes.

A patch for it is included in the August 13th Patch Tuesday updates.

The vulnerability, listed as CVE-2024-38200, is a spoofing vulnerability in Microsoft Office 2016, 2019, LTSC 2021, and Microsoft 365 Apps for Enterprise. Successful exploitation can provide an attacker with the user's NTLM hash.

The vulnerability was presented at DEF CON, the annual hacker convention in Las Vegas, which was held on August 8 to 11, 2024. The researchers talked about "some glaring gaps in some of the Microsoft NTLM related security controls."

To successfully exploit the vulnerability in a web-based attack scenario, an attacker would have to lure the target to a website that contains a specially crafted file designed to exploit the vulnerability, and then convince the user to open the specially crafted file.

Microsoft says users of Microsoft Office and Microsoft 365 were already protected against exploitation, but customers should still install the August 13th updates for the final version of the fix. Microsoft also provided mitigating factors to rely on until the patch has been applied.

Why NTLM hashes matter

Microsoft has officially deprecated New Technology LAN Manager (NTLM), stating the technology will no longer see active development as of June, and will be phased out in favor of more secure alternatives.

All versions of NTLM, including LANMAN, NTLMv1, and NTLMv2, are no longer under active feature development and are deprecated. Use of NTLM will continue to work in the next release of Windows Server and the next annual release of Windows. Calls to NTLM should be replaced by calls to Negotiate, which will try to authenticate with Kerberos and only fall back to NTLM when necessary.

NTLM is an old authentication protocol which was superseded by Kerberos long ago, but is still in use today.

NTLM hashes are important to an attacker because they can use them for a pass-the-hash attack. Pass-the-hash is a credential theft and lateral movement method where the attacker abuses the NTLM authentication protocol to authenticate as a user without ever obtaining the account’s plaintext password. All they need is the hash of the password.

The same password will always generate the same hash, but the hash cannot be reversed to recover the password. During the NTLM authentication process, the domain controller (DC) sends a challenge to the computer that sent the logon request. The computer encrypts the logon challenge using the hash of the password and sends the response to the DC.

To check whether the authentication attempt is valid, the DC encrypts the logon challenge using the hash of the password that it has on record for the username used in the logon request. If the result matches the response, the authentication is approved.

As you may have noticed from the description above, the password hash is all I need to authenticate. If an attacker can obtain my username and password hash, they can login as me.

Another thing that makes NTLM authentication less secure is that NTLM hashes are easier to crack by brute force, because the password is hashed without a salt.

Password salting means that a random piece of data is added to the password before it runs through the hashing algorithm. This makes it unique and harder to crack. When using both hashing and salting, even if two users choose the same password, the addition of random characters to each password makes them unique.
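The challenge-response flow and the unsalted hash described above, as an added example that is not from the original post: it computes the NT hash (MD4 over the UTF-16LE password, so identical passwords give identical hashes), then runs the NTLMv2 response calculation, where the hash keys an HMAC-MD5 over the server's challenge (NTLMv1's DES encryption of the challenge is the older variant), and shows that the domain controller's check succeeds for a client that holds only the hash. The user name, domain, password and challenge values are constructed for the example.

```python
import hmac, hashlib, os, struct
MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), since hashlib may not ship MD4 on modern OpenSSL."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = [(F, 0, (3, 7, 11, 19), range(16)),
              (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15))]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for f, k, shifts, order in rounds:
            for j, idx in enumerate(order):
                t = -j % 4  # word updated this step cycles a, d, c, b
                x, y, z = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + f(x, y, z) + X[idx] + k) & MASK, shifts[j % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> bytes:
    # No salt: every account with this password stores exactly this hash.
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    # NTLMv2: the NT hash keys HMAC-MD5 over the challenge; the plaintext password is never needed.
    v2_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(v2_key, server_challenge + blob, hashlib.md5).digest()

def dc_verifies(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes, response: bytes) -> bool:
    # The DC recomputes the response from the hash it has on record and compares.
    expected = ntlmv2_response(stored_nt, user, domain, server_challenge, blob)
    return hmac.compare_digest(expected, response)

def demo(password: str = "password") -> dict:
    dc_record = nt_hash(password)                    # what the DC stores for the account (constructed)
    challenge, blob = os.urandom(8), os.urandom(24)  # fresh per authentication attempt
    # A client that holds only the hash still produces a response the DC accepts.
    resp = ntlmv2_response(dc_record, "alice", "CORP", challenge, blob)
    wrong = ntlmv2_response(nt_hash("Password"), "alice", "CORP", challenge, blob)
    return {"nt_hash": dc_record.hex(),
            "hash_only_login_ok": dc_verifies(dc_record, "alice", "CORP", challenge, blob, resp),
            "wrong_hash_rejected": not dc_verifies(dc_record, "alice", "CORP", challenge, blob, wrong)}
```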

NTLM authentication is still supported in Windows for compatibility with older systems and to enable logon authentication on stand-alone systems. And unfortunately, there are still plenty of old applications out there that use NTLM.

Using NTLM authentication poses yet another security risk that’s still being exploited in organizations around the world. One example is NTLM Relay attacks, where Windows domain controllers are taken over by forcing them to authenticate against malicious servers.

To protect against NTLM attacks, the first step is to find out which applications are still using NTLM, using the Group Policy setting Network Security: Restrict NTLM: Audit NTLM authentication in this domain. From there you can decide whether you want to switch directly to Kerberos or use Negotiate, which tries Kerberos first and falls back to NTLM only if that fails.

For most applications, replacing NTLM with Negotiate can be achieved by a one-line change in the AcquireCredentialsHandle request to the Security Support Provider Interface (SSPI).