Executive Summary

Date: November 14, 2024

CVE-2024-43451 has emerged as a significant cybersecurity threat, particularly exploited by suspected Russian threat actors targeting Ukrainian entities. This vulnerability is part of a concerning trend where attackers are increasingly focusing on zero-day vulnerabilities that can disclose NTLMv2 hashes, facilitating unauthorized access to systems. Organizations must take immediate action to mitigate the risks associated with this vulnerability.

Technical Information

CVE-2024-43451 is classified as an NTLM Hash Disclosure Spoofing Vulnerability. This vulnerability allows attackers to steal a user's NTLMv2 hash with minimal user interaction, posing a serious risk to Windows environments. The vulnerability is present in all supported versions of Microsoft Windows and is associated with the legacy MSHTML engine, which, despite being theoretically deactivated, remains a vector for exploitation.

The Common Vulnerability Scoring System (CVSS) score for CVE-2024-43451 is 6.5, categorized as Medium. The affected systems include all current versions of Windows, specifically Windows 10, Windows 11, and Windows Server 2008 and later. The exploitation method involves attackers creating a malicious file that, when interacted with—such as by selecting or inspecting it—can disclose the NTLMv2 hash. This hash is critical for authenticating users in Windows environments, and its compromise can lead to pass-the-hash attacks, allowing attackers to impersonate legitimate users without needing their actual credentials.

Exploitation in the Wild

Reports indicate that CVE-2024-43451 has been actively exploited in real-world attacks, particularly against Ukrainian targets. The exploitation requires minimal interaction from the victim, such as a single click or right-click on a malicious file. This ease of exploitation makes it particularly dangerous, as users may not recognize the threat.

According to Kaspersky, "Exploitation of vulnerability CVE-2024-43451 allows an attacker to steal an NTLMv2 hash with minimal interaction from the victim" (Kaspersky, November 14, 2024). This vulnerability has been noted as the third such vulnerability disclosed in 2024 that can expose NTLMv2 hashes, highlighting a concerning trend in the exploitation of Windows vulnerabilities. The implications of this vulnerability extend beyond individual systems, as compromised NTLMv2 hashes can facilitate lateral movement within networks, leading to broader security breaches.

APT Groups using this vulnerability

The exploitation of CVE-2024-43451 has been linked to advanced persistent threat (APT) groups, particularly those associated with nation-state actors. The involvement of groups targeting Ukrainian entities suggests a geopolitical motive behind the exploitation. These APT groups are known for their sophisticated techniques and persistent targeting of critical infrastructure, making the exploitation of this vulnerability particularly alarming.

Affected Product Versions

CVE-2024-43451 affects all supported versions of Microsoft Windows, including Windows 10, Windows 11, and Windows Server 2008 and later versions. This information is corroborated by multiple sources, including the CISA Known Exploited Vulnerabilities Catalog, which lists the vulnerability and its affected products (CISA, November 12, 2024) and the Microsoft Security Response Center (Microsoft, November 2024). Organizations using these versions must prioritize patching to mitigate the risks associated with this vulnerability.

Workaround and Mitigation

Organizations are strongly advised to implement the following mitigation strategies:

Immediate Patch Deployment: Ensure that all systems are updated with the latest security patches from Microsoft. The November 2024 Patch Tuesday includes fixes for CVE-2024-43451 and should be prioritized.

User Education: Train users to recognize potential phishing attempts and malicious files. Since exploitation can occur with minimal interaction, awareness is crucial.

Network Segmentation: Implement network segmentation to limit the potential impact of a compromised NTLMv2 hash. This can help contain any unauthorized access attempts.

Monitoring and Detection: Utilize security solutions that can detect unusual authentication attempts or lateral movement within the network, which may indicate exploitation of this vulnerability.

References

• Microsoft Security Response Center. "CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability." Available at: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451

• Kaspersky. "CVE-2024-43451 allows stealing NTLMv2 hash." Available at: https://www.kaspersky.com/blog/2024-november-patch-tuesday/52604/

• Help Net Security. "How a Windows zero-day was exploited in the wild for months (CVE-2024-43451)." Available at: https://www.helpnetsecurity.com/2024/11/14/cve-2024-43451-exploited/

• ClearSky Cyber Security. "CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild." Available at: https://www.clearskysec.com/0d-vulnerability-exploited-in-the_wild/

• CISA Known Exploited Vulnerabilities Catalog. Available at: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Rescana is here for you

At Rescana, we are committed to helping our customers navigate the complexities of cybersecurity threats. Our Continuous Threat and Exposure Management (CTEM) platform provides organizations with the tools and insights needed to manage vulnerabilities effectively and enhance their security posture. We are happy to answer any questions you might have about this report or any other issue at ops at rescana.com.