Exploit
CVE-2024-43451

External Control of File Name or Path (CWE-73)

Published: Nov 12, 2024

CVSS 6.5 | EPSS 0.63% | Medium

Summary

An NTLM Hash Disclosure Spoofing Vulnerability exists in Windows Server. This vulnerability is associated with external control of file name or path. It requires user interaction and can be exploited over the network. The vulnerability has a low attack complexity and does not require privileges to exploit. It allows attackers to capture user NTLMv2 hashes, which can then be used for authentication bypass, affecting both modern Windows environments and legacy systems that use the MSHTML platform components, including Internet Explorer mode in Edge and WebBrowser control applications.

Impact

If successfully exploited, this vulnerability could lead to a high impact on confidentiality. An attacker could potentially gain unauthorized access to sensitive information, including NTLM hashes. This can lead to authentication bypass and unauthorized system access through credential theft. The vulnerability has a CVSS base score of 6.5, indicating a medium severity level. However, there is no impact on integrity or availability of the system. Given that this vulnerability is being actively exploited in the wild, it poses a significant security risk to enterprise environments.

Exploitation

There is no evidence that a public proof-of-concept exists. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities list. Its exploitation has been reported by various sources, including cisa.gov. Malware such as SparkRAT (source: Security feed from CyberSecurity Help) is known to have weaponized this vulnerability.

Patch

A patch is available for this vulnerability. Microsoft released the patch on November 12, 2024. Security teams should prioritize applying this patch to affected Windows Server systems.

Mitigation

To mitigate this vulnerability:

1. Apply the security update provided by Microsoft as soon as possible.
2. Implement the principle of least privilege to minimize the impact of potential exploits.
3. Use network segmentation to limit the exposure of vulnerable systems.
4. Educate users about the risks of interacting with untrusted content, as the vulnerability requires user interaction.
5. Monitor for suspicious activities related to NTLM hash disclosure or file path manipulation.
6. Consider implementing additional security measures to protect against NTLM relay attacks.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C

Timeline

Exploitation in the Wild (Nov 12, 2024 at 12:00 AM / inthewild.io)
Attacks in the wild have been reported by inthewild.io.

Detection in Vulnerability Scanners (Nov 12, 2024 at 7:53 AM)
Detection for the vulnerability has been added to Qualys (92186).

CVSS (Nov 12, 2024 at 5:55 PM / microsoft)
A CVSS base score of 6.5 has been assigned.

First Article (Nov 12, 2024 at 5:59 PM / #cybersecurity)
Feedly found the first article mentioning CVE-2024-43451.

CVSS Estimate (Nov 12, 2024 at 5:59 PM)
Feedly estimated the CVSS score as MEDIUM.

CVE Assignment (Nov 12, 2024 at 6:15 PM)
NVD published the first details for CVE-2024-43451.

Exploitation in the Wild (Nov 12, 2024 at 6:31 PM / CISA Known Exploited Vulnerability)
Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Exploitation in the Wild
Attacks in the wild have been reported by CISA - Known exploited vulnerabilities catalog.

Trending (Nov 13, 2024 at 6:09 PM)
This CVE started to trend in security discussions.

Affected Systems

Microsoft/windows_10_1607

Proof Of Exploit

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451

Patches

Microsoft

Links to Malware Families

Spark

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-13: Subverting Environment Variable Values

References

NTLM Hash Disclosure Spoofing Vulnerability
According to the CVSS metric, successful exploitation of this vulnerability could lead to total loss of confidentiality (C:H)? According to the CVSS metric, user interaction is required (UI:R).
CTO at NCSC Summary: week ending November 17th
Operational resilience: Critical third parties to the UK financial sector - Bank of England publishes - “Respondents were particularly concerned about potential requirements or expectations on CTPs to disclose unremedied vulnerabilities (in the cyber-security sense) to the regulators and to the firms they provide systemic third party services, as this could increase the risk of threat actors exploiting these vulnerabilities, which would go against the Overall Objective.” Majority of top vulnerabilities were first exploited as zero-days allowing malicious actors to compromise higher-priority targets
ION Advisory: November Patch Tuesday
None of the following critical vulnerabilities below have been reported as being actively exploited or publicly disclosed. The following vulnerabilities have been reported as publicly disclosed, but not yet actively exploited:

News

CISA: CISA Adds Five Known Exploited Vulnerabilities to Catalog
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
CVE-2024-43451 Exploitation
CVE Id : CVE-2024-43451 Published Date: 2024-11-12T00:00:00 NTLM Hash Disclosure Spoofing Vulnerability https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-43451 https://www.cisa.gov/known-exploited-vulnerabilities-catalog inTheWild added CVE-2024-43451 to the list of known exploited vulnerabilities.
[PDF] New Zero-Day Vulnerability Detected: CVE-2024-43451 [exp] [mal]
ClearSky Cyber Security discovered a zero-day vulnerability (CVE-2024-43451) on Windows systems through URL files, exploited for NTLM hash exfiltration and potential Redline Stealer malware installation from an official Ukrainian government site, with similarities to previous attack campaigns.
Weekly Threat Landscape Digest – Week 47
From sophisticated zero-day exploits to novel malware campaigns, this week’s Hawkeye Security Advisory brings you actionable insights into the latest threats and how to mitigate them. The BrazenBamboo APT group is actively exploiting an unpatched zero-day vulnerability in Fortinet’s FortiClient VPN software for Windows.
Security Affairs newsletter Round 498 by Pierluigi Paganini – INTERNATIONAL EDITION
A new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. A botnet exploits a GeoVision zero-day to compromise EoL devices | Palo Alto Networks confirmed active exploitation of recently disclosed zero-day | NSO Group used WhatsApp exploits even after Meta-owned company sued it | Glove Stealer bypasses Chrome’s App

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability Impact: None
