Free, unofficial patches are now available for a new Windows Themes zero-day vulnerability that allows attackers to steal a target's NTLM credentials remotely.
NTLM has been widely abused in NTLM relay attacks, where threat actors coerce vulnerable network devices into authenticating against servers under their control, and in pass-the-hash attacks, where they exploit system vulnerabilities or deploy malware to harvest NTLM hashes (hashed passwords) from targeted systems.
Once they have the hash, attackers can authenticate as the compromised user, gaining access to sensitive data and moving laterally across the now-compromised network. In the Windows Themes case the attacker's server receives a NetNTLMv2 challenge-response rather than the NT hash itself; it can be relayed in real time or cracked offline, but it cannot be replayed directly in a pass-the-hash attack. One year ago, Microsoft announced plans to eventually retire the NTLM authentication protocol in Windows 11.
Bypass for incomplete security patch
ACROS Security researchers discovered the new Windows Themes zero-day (which has not yet been assigned a CVE ID) while developing a micropatch for a security issue tracked as CVE-2024-38030 that could leak a user's credentials (found and reported by Akamai's Tomer Peled), itself a bypass for another Windows Themes spoofing vulnerability (CVE-2024-21320) patched by Microsoft in January.
“An attacker would have to convince the user to load a malicious file onto a vulnerable system, typically by way of an enticement in an Email or Instant Messenger message, and then convince the user to manipulate the specially crafted file, but not necessarily click or open the malicious file,” as Microsoft explains in the CVE-2024-21320 advisory.
Although Microsoft patched CVE-2024-38030 in July, ACROS Security found another issue attackers could exploit to steal a target's NTLM credentials on all fully updated Windows versions, from Windows 7 to Windows 11 24H2.
“While analyzing the issue, our security researchers decided to look around a bit and found an additional instance of the very same problem that was still present on all fully updated Windows versions, up to currently the latest Windows 11 24H2,” ACROS Security CEO Mitja Kolsek said.
“So instead of just fixing CVE-2024-38030, we created a more general patch for Windows themes files that would cover all execution paths leading to Windows sending a network request to a remote host specified in a theme file upon merely viewing the file.”
Kolsek shared a video demo (embedded below) showing how copying a malicious Windows theme file onto a fully patched Windows 11 24H2 system (on the left side) triggers a network connection to an attacker's machine, exposing the logged-in user's NTLM credentials.
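The trigger Kolsek describes is a theme value that names a remote host, so a defender's first triage question for a suspicious .theme file is simply "does any value in it point off-box?". The checker below is an added example, not code from the article, ACROS or 0patch. A .theme file is an INI file; the article does not say which keys sit on the vulnerable code path, so the scanner is deliberately key-agnostic and reports every value that resolves to a UNC path or URL on a host other than the local machine. The key names and hosts in the embedded sample are constructed for the demonstration.

```python
import configparser
import re
from urllib.parse import urlparse

# A .theme file is an INI file. Several of its values are paths to images or
# style files, and a path of the form \\host\share\... or a URL makes Windows
# reach out to that host when the theme is parsed or applied. The exact keys
# on the affected code path are not named in the article, so this checker is
# key-agnostic: it reports every value that names a remote host.

UNC_RE = re.compile(r'^\\\\(?:\?\\UNC\\)?([^\\]+)(?:\\|$)', re.IGNORECASE)
URL_RE = re.compile(r'^(?:https?|file)://', re.IGNORECASE)
LOCAL_HOSTS = {'localhost', '127.0.0.1', '::1', '.'}


def remote_host(value):
    """Return the host a theme value would make Windows contact, or None."""
    v = value.strip().strip('"')
    m = UNC_RE.match(v)
    if m:
        return m.group(1)
    if URL_RE.match(v):
        return urlparse(v).hostname  # None for file:///C:/local/path
    return None


def scan_theme(text):
    """Parse .theme text and return (section, key, host) for every value that
    points at a host other than the local machine."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=('=',), allow_no_value=True)
    cp.optionxform = str  # keep key names as written
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if value is None:
                continue
            host = remote_host(value)
            if host and host.lower() not in LOCAL_HOSTS:
                hits.append((section, key, host))
    return hits


def scan_theme_file(path):
    """Read a .theme file from disk, handling the UTF-8/UTF-16 BOMs Windows
    writes, and scan it."""
    with open(path, 'rb') as f:
        data = f.read()
    if data.startswith((b'\xff\xfe', b'\xfe\xff')):
        text = data.decode('utf-16')
    else:
        text = data.decode('utf-8-sig', errors='replace')
    return scan_theme(text)


# Constructed sample; the keys and hosts are illustrative, not taken from the
# article or the 0patch demo.
SAMPLE_THEME = r"""
; Constructed sample theme
[Theme]
DisplayName=Quarterly Report
BrandImage=\\10.0.0.5\share\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\web\wallpaper\Windows\img0.jpg
Pattern=

[VisualStyles]
Path=\\?\UNC\files.example.test\styles\aero.msstyles
ColorStyle=NormalColor

[Slideshow]
ImagesRootPath=https://cdn.example.test/slides/
Interval=1800000
"""

if __name__ == '__main__':
    for section, key, host in scan_theme(SAMPLE_THEME):
        print(f'[{section}] {key} -> {host}')
```

Run it over files quarantined from mail or collected by EDR (`scan_theme_file(path)`); any hit is worth blocking before a user's Explorer window ever renders the file, since the connection itself is the credential leak. Local paths, environment-variable paths and loopback UNC paths are ignored on purpose so the output stays short.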
Free and unofficial micropatches available
The company now provides free, unofficial security patches for this zero-day through its 0patch micropatching service for all affected Windows versions until official fixes are available from Microsoft; the micropatches have already been applied to all online Windows systems running the company's 0patch agent.
“Since this is a ‘0day’ vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available,” Kolsek said.
To install the micropatch on your Windows machine, create a 0patch account and install the 0patch agent. Once the agent is launched, the micropatch is applied automatically, without a system restart, unless a custom patching policy blocks it.
However, it is important to note that in this case 0patch only provides micropatches for Windows Workstation, because Windows Themes do not work on Windows Server until the Desktop Experience feature is installed.
“In addition, for credentials leak to occur on a server it’s not enough just to view a theme file in Windows Explorer or on desktop; rather, the theme file needs to be double-clicked and the theme thus applied,” Kolsek added.
While Microsoft told BleepingComputer they are “aware of this report and will take action as needed to help keep customers protected” when asked about the timeline for a patch, the Microsoft Security Response Center told Kolsek they “fully intend to patch this issue as soon as possible.”
Windows users who want an alternative to 0patch's micropatches until official patches are available can also apply the mitigation measures provided by Microsoft, including a Group Policy that blocks outbound NTLM authentication, as detailed in the CVE-2024-21320 advisory. Such a policy stops the credential leak rather than the network request, so it should be tested in audit mode first on hosts that still depend on NTLM for legitimate access.