{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2024-077.pdf"
    },
    "title": "Vulnerabilities in Microsoft Office",
    "serial_number": "2024-077",
    "publish_date": "12-08-2024 13:36:04",
    "description": "On August 8, 2024, Microsoft disclosed a high-severity vulnerability tracked as CVE-2024-38200 affecting Office 2016 that could expose NTLM hashes to a remote attacker. This security flaw is caused by an information disclosure weakness that enables unauthorised actors to access protected information.",
    "url_title": "2024-077",
    "content_markdown": "---\ntitle: 'Vulnerabilities in Microsoft Office'\nnumber: '2024-077'\nversion: '1.0'\noriginal_date: 'August 8, 2024'\ndate: 'August 12, 2024'\n---\n\n_History:_\n\n* _12/08/2024 --- v1.0 -- Initial publication_\n\n# Summary\n\nOn August 8, 2024, Microsoft disclosed a high-severity vulnerability tracked as **CVE-2024-38200** affecting Office 2016 that could expose NTLM hashes to a remote attacker. This security flaw is caused by an information disclosure weakness that enables unauthorised actors to access protected information [1].\n\n# Technical Details\n\nThe vulnerability **CVE-2024-38200** (CVSS score: 7.5) is an information disclosure vulnerability that allows remote attackers to access NTLM hashes. Attackers can exploit this flaw via a specially crafted file or web-based attack, potentially leading to NTLM relay attacks or password cracking.\n\n# Affected Products\n\nAccording to Microsoft's advisory, the following products are affected [4]:\n\n- Microsoft Office 2016 (64-bit edition)\n- Microsoft Office 2016 (32-bit edition)\n- Microsoft Office LTSC 2021 for 32-bit editions\n- Microsoft Office LTSC 2021 for 64-bit editions\n- Microsoft 365 Apps for Enterprise for 64-bit Systems\n- Microsoft 365 Apps for Enterprise for 32-bit Systems\n- Microsoft Office 2019 for 64-bit editions\n- Microsoft Office 2019 for 32-bit editions\n\n# Mitigations\n\n1. Set the \"Restrict NTLM: Outgoing NTLM traffic to remote servers\" group policy to block NTLM traffic from computers running Windows 7, Windows Server 2008, or later to any remote server [2].\n\n2. Add users to the Protected Users Security Group, which restricts NTLM as an authentication method [3].\n\n3. 
Block all outbound traffic on TCP port 445 to prevent NTLM traffic from leaving the network.\n\n# Recommendations\n\nCERT-EU recommends applying the mitigations provided by Microsoft [4], including blocking outbound NTLM traffic, while Microsoft releases the updates.\n\n# References\n\n[1] <https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/>\n\n[2] <https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers#policy-management>\n\n[3] <https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group>\n\n[4] <https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200>",
    "content_html": "<p><em>History:</em></p><ul><li><em>12/08/2024 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>On August 8, 2024, Microsoft disclosed a high-severity vulnerability tracked as <strong>CVE-2024-38200</strong> affecting Office 2016 that could expose NTLM hashes to a remote attacker. This security flaw is caused by an information disclosure weakness that enables unauthorised actors to access protected information [1].</p><h2 id=\"technical-details\">Technical Details</h2><p>The vulnerability <strong>CVE-2024-38200</strong> (CVSS score: 7.5) is an information disclosure vulnerability that allows remote attackers to access NTLM hashes. Attackers can exploit this flaw via a specially crafted file or web-based attack, potentially leading to NTLM relay attacks or password cracking.</p><h2 id=\"affected-products\">Affected Products</h2><p>According to Microsoft's advisory, the following products are affected [4]:</p><ul><li>Microsoft Office 2016 (64-bit edition)</li><li>Microsoft Office 2016 (32-bit edition)</li><li>Microsoft Office LTSC 2021 for 32-bit editions</li><li>Microsoft Office LTSC 2021 for 64-bit editions</li><li>Microsoft 365 Apps for Enterprise for 64-bit Systems</li><li>Microsoft 365 Apps for Enterprise for 32-bit Systems</li><li>Microsoft Office 2019 for 64-bit editions</li><li>Microsoft Office 2019 for 32-bit editions</li></ul><h2 id=\"mitigations\">Mitigations</h2><ol><li><p>Set the \"Restrict NTLM: Outgoing NTLM traffic to remote servers\" group policy to block NTLM traffic from computers running Windows 7, Windows Server 2008, or later to any remote server [2].</p></li><li><p>Add users to the Protected Users Security Group, which restricts NTLM as an authentication method [3].</p></li><li><p>Block all outbound traffic on TCP port 445 to prevent NTLM traffic from leaving the network.</p></li></ol><h2 id=\"recommendations\">Recommendations</h2><p>CERT-EU recommends applying the mitigations provided by 
Microsoft [4], including blocking outbound NTLM traffic, while Microsoft releases the updates.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/\">https://www.bleepingcomputer.com/news/security/microsoft-discloses-unpatched-office-flaw-that-exposes-ntlm-hashes/</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers#policy-management\">https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers#policy-management</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group\">https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group</a></p><p>[4] <a rel=\"noopener\" target=\"_blank\" href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200\">https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}