
Recurring Windows Flaw May Expose User Credentials


Researchers at ACROS Security have found a 0-day vulnerability affecting every Windows client version from Windows 7 through the current Windows 11 releases. It lets an attacker obtain a victim's NTLM authentication material: the vulnerable machine is coerced into authenticating to a host the attacker controls, which captures the NTLMv2 challenge-response and can crack it offline or relay it to another service.

The flaw surfaced while ACROS researchers were developing a patch for older Windows versions against CVE-2024-38030. That earlier issue, a medium-severity Windows Themes spoofing vulnerability, was fixed by Microsoft in its July 2024 security update, as Dark Reading reported.

The newly identified vulnerability is closely related to CVE-2024-38030 and enables what is known as an authentication coercion attack: a crafted theme file makes the vulnerable device connect to an attacker-controlled host and authenticate with NTLM, handing over a challenge-response derived from the user's password hash. CVE-2024-38030 was itself discovered by Akamai researcher Tomer Peled while examining Microsoft's patch for an earlier Windows Themes spoofing vulnerability, CVE-2024-21320. The ACROS finding is a third, distinct flaw in the same theme-handling code.

Windows theme (.theme) files let users customize the desktop with wallpapers, screen savers, colors and sounds. They are plain INI-style text files, and the vulnerabilities Peled found concerned how Windows handled the file paths stored in entries such as "BrandImage" or "Wallpaper". Because these paths were not validated properly, an attacker could point them at a remote location, so that Windows automatically opened a connection to the attacker's host and authenticated to it, sending the user's NTLM challenge-response.
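The practical detection problem this raises is spotting theme files whose image paths point off-host before a user renders them. The following scanner is an added example, not code from ACROS Security, Akamai or Microsoft: it parses the INI structure of a .theme file and reports any BrandImage or Wallpaper value that resolves to a remote path. The two key names come from the article; the list of remote-path patterns, the function name and the constructed sample file are this example's own assumptions.

```powershell
# Added example (not code from ACROS Security, Akamai or Microsoft): scan
# .theme files at rest (mail attachments, downloads, file shares) for image
# resource paths that resolve to a remote host. Such a path is what makes
# Windows open an outbound connection and authenticate with NTLM when the
# theme is rendered. Key names come from the article; the path patterns,
# function name and sample file are this example's assumptions.

# Keys whose values Windows treats as image file paths (extend as needed).
$ImageKeys = @('BrandImage', 'Wallpaper')

# Path forms that resolve to a network resource (assumed; extend as needed).
$RemotePathPatterns = @(
    '^\\\\'                  # UNC: \\host\share\x.png, \\?\UNC\host\..., \\host@80\DavWWWRoot\...
    '^//'                    # forward-slash UNC, normalised by Win32 to \\host\...
    '^(file|https?)://'      # URL forms that can be handed to the WebDAV redirector
)

function Get-ThemeRemoteReferences {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $section  = ''
    $findings = @()
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # blank or comment
        if ($line -match '^\[(.+)\]$') { $section = $Matches[1]; continue }
        if ($line -notmatch '^([^=]+)=(.*)$') { continue }        # not a key=value line
        $key   = $Matches[1].Trim()
        $value = $Matches[2].Trim().Trim('"')
        if ($ImageKeys -notcontains $key) { continue }             # -contains is case-insensitive
        # Expand %SystemRoot% and friends so a local path is not misread, then test.
        $expanded = [Environment]::ExpandEnvironmentVariables($value)
        foreach ($pattern in $RemotePathPatterns) {
            if ($expanded -match $pattern) {
                $findings += [pscustomobject]@{
                    File = $Path; Section = $section; Key = $key; Value = $value
                }
                break
            }
        }
    }
    $findings
}

# Constructed sample theme file (not a real-world artifact); the address is
# taken from the TEST-NET-3 documentation range.
$sample = @'
; constructed .theme for exercising the scanner
[Theme]
DisplayName=Quarterly Figures
BrandImage=\\203.0.113.10\pub\brand.png

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg
'@
$tmp = Join-Path $env:TEMP 'sample.theme'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Get-ThemeRemoteReferences -Path $tmp | Format-Table -AutoSize
```

Run it against a directory with `Get-ChildItem -Recurse -Filter *.theme | ForEach-Object { Get-ThemeRemoteReferences -Path $_.FullName }`. A local value such as the wallpaper above expands to a path under the system drive and is not reported; only entries that still begin with a UNC or URL prefix after expansion are. The pattern list is deliberately conservative, so treat it as a starting point rather than a complete definition of every path form Windows will resolve over the network.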

Microsoft has acknowledged the ACROS Security report on this latest Windows Themes spoofing vulnerability and says it will take the action needed to protect customers. No CVE has been assigned to the issue yet.

Mitja Kolsek, CEO of ACROS Security, said the flaw was noticed while developing a patch for CVE-2024-38030 aimed at legacy Windows systems that are still widely used. Following responsible disclosure to Microsoft, ACROS Security plans to publish details and a proof-of-concept once Microsoft's fix is available.

Security experts recommend disabling NTLM where possible. On Windows that means the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (audit first, then deny, with exceptions for servers that still require NTLM), combined with blocking outbound SMB (TCP 445) at the perimeter and on the host firewall so a coerced connection to an Internet host cannot complete. Disabling NTLM outright can break applications and services that depend on it, so organizations should inventory NTLM use before enforcing restrictions and, in the meantime, treat unsolicited .theme files with the same suspicion as executable attachments.
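The following script is an added example, not code from the article, ACROS Security or Microsoft, showing how an administrator would audit and then enforce those two controls from an elevated PowerShell session. The registry value, Group Policy names, firewall keywords and event ID are standard Windows ones; the function names, the firewall rule's display name and the rollout order are this example's own choices.

```powershell
# Added example (not from the article, ACROS Security or Microsoft): audit and
# optionally enforce two controls that blunt theme-based NTLM coercion.
#  1. Group Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to
#     remote servers", stored as the DWORD RestrictSendingNTLMTraffic under
#     HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (0 allow, 1 audit, 2 deny).
#  2. A host firewall rule that blocks outbound SMB (TCP 445) to Internet
#     addresses, so a coerced connection to an external host never completes.
# Run in an elevated session. Function names and the rule's display name are
# this example's own choices.

$Msv1Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$RuleName = 'Block outbound SMB to Internet (NTLM coercion)'

function Get-OutboundNtlmPosture {
    # A missing value means the default, 0 (all outgoing NTLM allowed).
    $p = Get-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue
    $mode = if ($null -eq $p) { 0 } else { [int]$p.RestrictSendingNTLMTraffic }
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RestrictSendingNTLMTraffic = @{0 = 'Allow'; 1 = 'Audit'; 2 = 'Deny'}[$mode]
        OutboundSmbBlocked         = ($null -ne $rule -and $rule.Enabled -eq 'True')
    }
}

function Set-OutboundNtlmRestriction {
    param(
        [Parameter(Mandatory)][ValidateSet('Allow', 'Audit', 'Deny')][string]$Mode,
        [string[]]$AllowedServers = @()   # servers that legitimately still need NTLM
    )
    $value = @{Allow = 0; Audit = 1; Deny = 2}[$Mode]
    Set-ItemProperty -Path $Msv1Key -Name RestrictSendingNTLMTraffic -Value $value -Type DWord
    if ($AllowedServers.Count -gt 0) {
        # "Network security: Restrict NTLM: Add remote server exceptions" (REG_MULTI_SZ)
        Set-ItemProperty -Path $Msv1Key -Name ClientAllowedNTLMServers -Value $AllowedServers -Type MultiString
    }
}

function Enable-OutboundSmbBlock {
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

function Get-RecentOutboundNtlmAudits {
    # In Audit mode, outgoing NTLM that Deny would have blocked is logged as
    # event 8001 in the NTLM operational channel; review these before moving to Deny.
    Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001} `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Typical rollout: record the current posture, switch to Audit, block outbound
# SMB, then review 8001 events for a while before calling -Mode Deny.
Get-OutboundNtlmPosture
Set-OutboundNtlmRestriction -Mode Audit
Enable-OutboundSmbBlock
Get-RecentOutboundNtlmAudits
Get-OutboundNtlmPosture
```

Two caveats apply. The firewall rule only stops SMB; if the WebClient service is running, a path can be resolved over WebDAV on ports 80 or 443, so the NTLM restriction (or disabling WebClient where it is not needed) is what closes that route. And `-Mode Deny` will break access to any server that only speaks NTLM, which is why the audit log is reviewed first and legitimate hosts are passed through `-AllowedServers` rather than the policy being left at Allow.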

As the cybersecurity landscape continues to evolve, researchers and security professionals work tirelessly to identify and address critical vulnerabilities that threaten the integrity of systems and user data. The collaborative efforts of security researchers, organizations, and software vendors are crucial in safeguarding against emerging threats and ensuring a secure digital environment for all users.
