Windows NTLM credentials vulnerability CVE-2024-21320: Fix from 0patch

Windows[German]There is a vulnerability in Windows (CVE-2024-21320) that exposes NTLM credentials about Windows topics. Microsoft patched the vulnerability CVE-2024-21320 in January 2024. This patch provides a policy to prevent the exposure of NTLM credentials when theme files are located on network drives. ACROS Security has now released a micropatch for the 0patch agent that generally closes the vulnerability (without registry intervention).


Themes Spoofing (CVE-2024-21320)

As of January 9, 2024, Microsoft has disclosed the theme spoofing vulnerability CVE-2024-21320 in Windows. The vulnerability allows an attacker to obtain a user's NTLM credentials if the victim simply downloads a theme file from or displays such a file in a network folder.

The background to this is that the theme file format allows a .theme file to specify two images, BrandImage and Wallpaper. If these are on a remote network share, Windows Explorer attempts to load these files automatically as soon as a theme file is downloaded or displayed in a folder. An attacker could exploit this to host images for a theme file on their own network resource. When accessing the images, the user's NTLM credentials are then transmitted, can be intercepted and used to identify the user.

Security researcher Tomer Peled from Akamai discovered the vulnerability, reported it to Microsoft and later published a detailed article and a proof of concept.

Microsofts Januar 2024 patch

As .theme files are generally classified as dangerous, their receipt as an attachment to an email in Microsoft Outlook is already blocked. Microsoft has assigned the Privilege Escalation vulnerability a CVSS 3.1 index of 6.5, but classifies exploitation as unlikely. Systems that have NTLM disabled are not affected. In January 2024, Microsoft then rolled out a security fix for Windows versions in support via an update. The update packages for Windows Server 2012 – 2022 and Windows 10/11 clients are listed in the article on CVE-2024-21320. If the update is installed, the transmission of the NTLM hash can be prevented by a group policy via registry – details in the linked article.

The 0patch solution

I came across the following tweet from ACROS Security/0patch, which refers to the blog post Micropatches for Leaking NTLM Credentials Through Windows Themes (CVE-2024-21320).


The 0patch micropatch is logically identical to Microsoft's, whereby the blocking of images on a network path is hard-coded and cannot or does not have to be configured via the registry. This means that systems without a GPO are protected against this vulnerability. The details can be found in the 0patch blog post above.

You can find information on how the 0patch agent works, which loads the micropatches into the memory of an application at runtime, in the blog posts (e.g. here). Here in the blog, I have often reported on 0patch solutions, which are linked at the end of the blog post Windows "EventLogCrasher" 0-day vulnerability crashes event logging; 0patch micro-patch available.

Similar articles:
Microsoft Security Update Summary (January 9, 2024)
Patchday: Windows 10 Updates (January 9, 2024)
Patchday: Windows 11/Server 2022 Updates (January 9, 2024)
Windows 7/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Windows and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *