{"id":33685,"date":"2024-04-04T11:04:15","date_gmt":"2024-04-04T09:04:15","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=33685"},"modified":"2024-10-01T15:25:15","modified_gmt":"2024-10-01T13:25:15","slug":"windows-ntlm-credentials-vulnerability-cve-2024-21320-fix-from-0patch","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2024\/04\/04\/windows-ntlm-credentials-vulnerability-cve-2024-21320-fix-from-0patch\/","title":{"rendered":"Windows NTLM credentials vulnerability CVE-2024-21320: Fix from 0patch"},"content":{"rendered":"<p><img decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" title=\"Windows\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2021\/04\/Windows-klein.jpg\" alt=\"Windows\" width=\"200\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/2024\/04\/04\/windows-ntlm-credentials-schwachstelle-cve-2024-21320-fix-durch-0patch\/\" target=\"_blank\" rel=\"noopener\">German<\/a>] There is a vulnerability in Windows (CVE-2024-21320) that exposes NTLM credentials via Windows themes. Microsoft patched the vulnerability CVE-2024-21320 in January 2024. This patch provides a policy to prevent the exposure of NTLM credentials when theme files are located on network drives. ACROS Security has now released a micropatch for the 0patch agent that generally closes the vulnerability (without registry intervention).<\/p>\n<p><!--more--><\/p>\n<h2>Themes Spoofing (CVE-2024-21320)<\/h2>\n<p>On January 9, 2024, Microsoft disclosed the theme spoofing vulnerability <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21320\" target=\"_blank\" rel=\"noopener\">CVE-2024-21320<\/a> in Windows. 
The vulnerability allows an attacker to obtain a user's NTLM credentials if the victim simply downloads a theme file from, or displays such a file in, a network folder.<\/p>\n<p>The background to this is that the theme file format allows a .theme file to specify two images, <em>BrandImage<\/em> and <em>Wallpaper<\/em>. If these are on a remote network share, Windows Explorer attempts to load these files automatically as soon as a theme file is downloaded or displayed in a folder. An attacker could exploit this by hosting the images for a theme file on their own network resource. When the images are accessed, the user's NTLM credentials are transmitted and can be intercepted and used to identify the user.<\/p>\n<p>Security researcher Tomer Peled from Akamai discovered the vulnerability, reported it to Microsoft and later published a <a href=\"https:\/\/web.archive.org\/web\/20240502052511\/https:\/\/www.akamai.com\/blog\/security-research\/2024\/mar\/leaking-ntlm-credentials-through-windows-themes\" target=\"_blank\" rel=\"noopener\">detailed article<\/a> and a <a href=\"https:\/\/github.com\/akamai\/akamai-security-research\/tree\/main\/PoCs\/CVE-2024-21320\" target=\"_blank\" rel=\"noopener\">proof of concept<\/a>.<\/p>\n<h2>Microsoft's January 2024 patch<\/h2>\n<p>As .theme files are generally classified as dangerous, Microsoft Outlook already blocks them when they arrive as email attachments. Microsoft has assigned the Privilege Escalation vulnerability a CVSS 3.1 score of 6.5, but classifies exploitation as unlikely. Systems that have NTLM disabled are not affected. In January 2024, Microsoft then rolled out a security fix for supported Windows versions via an update. The update packages for Windows Server 2012 &#8211; 2022 and Windows 10\/11 clients are listed in the <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2024-21320\" target=\"_blank\" rel=\"noopener\">article on CVE-2024-21320<\/a>. 
If the update is installed, the transmission of the NTLM hash can be prevented by a group policy set via the registry &#8211; details are in the linked article.<\/p>\n<h2>The 0patch solution<\/h2>\n<p>I came across the following <a href=\"https:\/\/twitter.com\/0patch\/status\/1775169198940959203\" target=\"_blank\" rel=\"noopener\">tweet<\/a> from ACROS Security\/0patch, which refers to the blog post <a href=\"https:\/\/blog.0patch.com\/2024\/04\/micropatches-for-leaking-ntlm.html\" target=\"_blank\" rel=\"noopener\">Micropatches for Leaking NTLM Credentials Through Windows Themes (CVE-2024-21320)<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.0patch.com\/2024\/04\/micropatches-for-leaking-ntlm.html\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" src=\"https:\/\/i.postimg.cc\/d1Rt6mvS\/image.png\" \/><\/a><\/p>\n<p>The 0patch micropatch is logically identical to Microsoft's, but the blocking of images on a network path is hard-coded and neither can nor needs to be configured via the registry. This means that systems without a GPO are protected against this vulnerability. The details can be found in the 0patch blog post above.<\/p>\n<p>You can find information on how the 0patch agent works, which loads the micropatches into the memory of an application at runtime, in the blog posts (e.g. <a href=\"https:\/\/borncity.com\/win\/2020\/03\/05\/windows-7-securing-with-the-0patch-solution-part-2\/\">here<\/a>). 
Here in the blog, I have often reported on 0patch solutions, which are linked at the end of the blog post <a href=\"https:\/\/borncity.com\/win\/2024\/02\/02\/windows-eventlogcrasher-0-day-vulnerability-crashes-event-logging-0patch-micro-patch-available\/\" rel=\"bookmark\">Windows \"EventLogCrasher\" 0-day vulnerability crashes event logging; 0patch micro-patch available<\/a>.<\/p>\n<p><strong>Similar articles:<\/strong><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/09\/microsoft-security-update-summary-january-9-2024\/\">Microsoft Security Update Summary (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/10\/microsoft-security-update-summary-january-9-2024-2\/\">Patchday: Windows 10 Updates (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/10\/patchday-windows-11-server-2022-updates-january-9-2024\/\" target=\"_blank\" rel=\"noopener\">Patchday: Windows 11\/Server 2022 Updates (January 9, 2024)<\/a><br \/>\n<a href=\"https:\/\/borncity.com\/win\/2024\/01\/11\/windows-7-server-2008-r2-server-2012-r2-updates-january-9-2024\/\">Windows 7\/Server 2008 R2; Server 2012 R2: Updates (January 9, 2024)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German] There is a vulnerability in Windows (CVE-2024-21320) that exposes NTLM credentials via Windows themes. Microsoft patched the vulnerability CVE-2024-21320 in January 2024. 
This patch provides a policy to prevent the exposure of NTLM credentials when theme files are located on &hellip; <a href=\"https:\/\/borncity.com\/win\/2024\/04\/04\/windows-ntlm-credentials-vulnerability-cve-2024-21320-fix-from-0patch\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,194],"class_list":["post-33685","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-windows"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33685","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=33685"}],"version-history":[{"count":2,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33685\/revisions"}],"predecessor-version":[{"id":35186,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/33685\/revisions\/35186"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=33685"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=33685"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=33685"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}