Microsoft has disclosed a critical vulnerability in Office versions, including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise. This flaw, tracked as CVE-2024-38200, exposes NTLM hashes, potentially allowing attackers to gain unauthorised access to sensitive data. Although Microsoft is developing security updates, a complete patch is still pending. The vulnerability poses a significant risk to UK businesses, particularly those reliant on Office products, as it could lead to credential theft and broader network compromises.
Vulnerability Overview
The vulnerability stems from an information disclosure weakness that allows attackers to access NTLM hashes, which can be exploited to retrieve user credentials. Despite Microsoft’s assessment that exploitation is "less likely," MITRE suggests a high probability of such vulnerabilities being exploited. In a typical attack scenario, users are lured into clicking malicious links, leading to the exposure of their NTLM hashes. These hashes can be cracked or used in NTLM relay attacks to infiltrate further into a network, threatening overall security.
Potential Impact on businesses
For businesses, this flaw is particularly concerning as NTLM hashes, once compromised, can grant attackers access to internal networks, potentially leading to data breaches, financial losses, and reputational damage. UK companies, especially those in sectors with high regulatory scrutiny, such as finance, healthcare, and critical infrastructure, must be vigilant. The ability of attackers to escalate privileges using compromised NTLM hashes could also facilitate ransomware attacks, data exfiltration, and disruption of business operations.
Mitigation Strategies
While awaiting a comprehensive patch, Microsoft advises several mitigation techniques, including:
1. Blocking outbound NTLM traffic to remote servers via group policy settings.
2. Adding users to the Protected Users Security Group, which limits NTLM use as an authentication mechanism.
3. Blocking outbound traffic to TCP port 445, a common route for NTLM traffic.
These steps can significantly reduce the risk, although they may also impact legitimate access to some remote resources.
Recommendations
UK organisations should immediately implement Microsoft’s recommended mitigations to reduce exposure to this vulnerability. Furthermore, businesses should:
• Conduct a thorough security review of all systems reliant on Microsoft Office products.
• Educate employees about the dangers of phishing and malicious links, as these are common vectors for exploiting such vulnerabilities.
• Monitor network traffic for unusual NTLM activity that could indicate a compromise.
Regularly updating systems and applying security patches as they become available is essential in maintaining a robust defence against emerging threats.
The CVE-2024-38200 vulnerability underscores the importance of proactive security measures, particularly for businesses dependent on Microsoft Office. While Microsoft is working on a fix, the potential risks necessitate immediate action to mitigate exposure and protect critical assets from exploitation.
