External risk intelligence

Microsoft Windows NTLM Hash Disclosure Vulnerability Advisory

CVE advisory | Known Exploit

CVE-2024-43451

Microsoft Windows systems are affected by a vulnerability allowing NTLM hash disclosure through spoofing. Attackers could use this to impersonate users, leading to unauthorized access to systems and data. Organizations should identify and protect affected systems to mitigate business risk.

Halo Surface Signal: 2

Microsoft Windows 10 1507

Affected builds (fixed in the listed build; earlier revisions on the same build line are affected):

  • before 10.0.10240.20826
  • before 10.0.14393.7515
  • before 10.0.17763.6532
  • before 10.0.19044.5131
  • before 10.0.19045.5131
  • before 10.0.22621.4460
  • before 10.0.22631.4460
  • before 10.0.26100.2314r2; ...

External exposure likelihood

Halo Surface Signal score for CVE-2024-43451

This vulnerability involves NTLM hash disclosure, which typically requires a user to interact with a malicious file or network resource. While reachable via network protocols, this is not an internet-facing service or edge gateway by design. It relies on local or lateral user interaction within an environment, making direct public-internet exposure uncommon in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The identified vulnerability resides within Microsoft Windows operating systems. The core weakness involves the disclosure of NTLM hashes through a spoofing flaw, which attackers can leverage. This could allow an attacker to impersonate a user, potentially leading to unauthorized access to systems and data.

  • Vulnerable Microsoft Windows systems
  • NTLM hash disclosure via spoofing
  • User impersonation and unauthorized access

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to obtain a user's NTLM hash through a crafted file. The attacker can then use this hash to impersonate the user. The attack vector involves a user opening a specially prepared file, leading to the disclosure of the NTLMv2 hash. This hash can then be exploited for spoofing.

  • External network access to a system.
  • User opens a malicious file.
  • Attacker obtains and uses NTLM hash.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows an attacker to obtain NTLM hashes, which can then be used to impersonate users. The impact on an organization could include unauthorized access to systems and data. The risk is elevated due to the potential for attackers to leverage these hashes for further compromise.

  • Attacker skill: Moderate
  • Required access: User interaction required
  • Business risk: High urgency

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability allows attackers to disclose NTLMv2 hashes, which could be used to impersonate users. Organizations should take steps to identify and protect affected systems to mitigate business risk.

  • Identify systems running affected Windows versions.
  • Limit exposure of network services.
  • Apply vendor updates and validate.
  • Monitor for related security incidents.
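The first remediation step, identifying systems on affected Windows versions, is easy to get wrong when version strings are compared as text ("10.0.19045.999" sorts above "10.0.19045.5131" lexically). The following is an added example, not tooling from the advisory's publisher or from Microsoft: it takes the fixed builds listed earlier on this page (the "r2" suffix on the 26100 entry is dropped and treated as 10.0.26100.2314, an assumption) and classifies inventory version strings by numeric comparison on the matching build line. Hostnames and version values in the sample inventory are constructed; a build line the page does not list is reported as unknown rather than guessed.

```python
# Added example: classify Windows build strings against the fixed builds this
# advisory lists for CVE-2024-43451. Not part of the advisory's own tooling.
from typing import Dict, Optional, Tuple

# First patched build on each build line, as listed on the advisory page.
# "before X" on the page means every revision below X on that line is affected.
# The page's "10.0.26100.2314r2" is taken as 10.0.26100.2314 (assumption).
FIXED_BUILDS = [
    "10.0.10240.20826",
    "10.0.14393.7515",
    "10.0.17763.6532",
    "10.0.19044.5131",
    "10.0.19045.5131",
    "10.0.22621.4460",
    "10.0.22631.4460",
    "10.0.26100.2314",
]

Version = Tuple[int, int, int, int]


def parse_version(s: str) -> Version:
    """Parse 'major.minor.build.revision' into a tuple of ints.

    Comparing tuples of ints avoids the lexical-comparison bug where
    '10.0.19045.999' would sort above '10.0.19045.5131' as strings.
    """
    parts = s.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Windows version: {s!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


# Index the fixed builds by build line (major, minor, build) so an installed
# version is only ever compared against the fix for its own line.
_FIXED_BY_LINE: Dict[Tuple[int, int, int], Version] = {}
for _v in FIXED_BUILDS:
    _t = parse_version(_v)
    _FIXED_BY_LINE[_t[:3]] = _t


def is_affected(installed: str) -> Optional[bool]:
    """True if `installed` is below the fixed revision on its build line,
    False if at or above it, None if the build line is not in the list
    (the page elides further entries with '...', so absence is not 'safe').
    """
    v = parse_version(installed)
    fixed = _FIXED_BY_LINE.get(v[:3])
    if fixed is None:
        return None
    return v < fixed


def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> version string to hostname -> affected/patched/unknown."""
    labels = {True: "affected", False: "patched", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in hosts.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real hosts.
    sample = {
        "ws01": "10.0.19045.5011",   # below 5131 on the 19045 line -> affected
        "ws02": "10.0.19045.5131",   # exactly the first fixed build -> patched
        "srv01": "10.0.17763.6532",  # patched
        "srv02": "10.0.20348.2762",  # build line not listed on the page -> unknown
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Treat "unknown" as a prompt to check the vendor's full list for that build line, not as a clean result; the page shows only part of the affected-version list.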

Frequently asked questions

What is Microsoft Windows NTLM Hash Disclosure Spoofing?

This refers to a vulnerability (CVE-2024-43451) in Microsoft Windows that allows an attacker to trick a user into revealing their NTLMv2 hash. This hash is like a password, and an attacker could use it to pretend to be that user.

What is the weakness class for CVE-2024-43451?

The weakness class for CVE-2024-43451 is CWE-73, which describes "External Control of Dynamically Managed Code Evaluation." In this case, it relates to how Windows handles NTLM hashes when a user interacts with a specially crafted file.

How can an attacker exploit this Windows vulnerability?

An attacker can exploit this by convincing a user to open a malicious file. When the user opens the file, their NTLMv2 hash can be disclosed to the attacker, who can then use it to impersonate the user.

Who should care about this NTLM hash disclosure vulnerability?

Anyone running affected versions of Microsoft Windows should care. While not typically exposed directly to the internet, this vulnerability can be exploited if a user interacts with a malicious file, making it a concern for internal network security.

What is the first step to respond to this threat?

The first step is to identify which systems are running the affected versions of Microsoft Windows and then apply any available updates or security patches provided by Microsoft to address CVE-2024-43451.
