CVE-2024-38200: 
vulnerability analysis and mitigation

Microsoft disclosed a high-severity vulnerability (CVE-2024-38200) affecting Microsoft Office products. This spoofing vulnerability was discovered and reported in August 2024, affecting multiple versions of Microsoft Office including Office 2016, Office 2019, Office LTSC 2021, and Microsoft 365 Apps for Enterprise, in both 32-bit and 64-bit editions (CERT-EU Advisory).

The vulnerability is classified as an information disclosure weakness that enables unauthorized actors to access NTLM hashes. It received a CVSS v3.1 base score of 9.1 (CRITICAL) from NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, while Microsoft assessed it with a score of 6.5 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The vulnerability is tracked under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows remote attackers to access NTLM hashes, which could potentially lead to NTLM relay attacks or password cracking. The exposure of these hashes could compromise system security and allow unauthorized access to sensitive information (CERT-EU Advisory).

Several mitigation strategies have been recommended: 1) Set the 'Restrict NTLM: Outgoing NTLM traffic to remote servers' group policy to block NTLM traffic from affected systems, 2) Add users to the Protected Users Security Group to restrict NTLM authentication, 3) Block all outbound traffic on TCP port 445 to prevent NTLM traffic from leaving the network. Microsoft has also released security update KB5002570 for affected systems (Microsoft Support).