Alert essentials:
Apply 2024-11 cumulative update to all Microsoft Windows devices to fix hash disclosure.
Detailed threat description:
MSHTML is a dynamic link library (DLL) file that is an essential Windows operating system component. It is an HTML viewer responsible for rendering and displaying HTML content in various applications, including web browsers, email clients, and other software that utilizes HTML rendering.
Recently, a vulnerability involving NTLM hash disclosure has been reported in MSHTML, accompanied by a proof-of-concept exploit.
Exploitation requires user interaction; once triggered, the exploit can authenticate an attacker as a legitimate user, and the flaw affects all supported versions of Microsoft Windows.
Although Microsoft has retired Internet Explorer, the fix for MSHTML can be found in the cumulative update for Internet Explorer released in November rather than in a standalone security patch.
CVE-2024-43451 has been added to CISA’s Known Exploited Vulnerabilities list and is being actively exploited in the wild as a zero-day vulnerability.
Impacts on healthcare organizations:
The repercussions of such a vulnerability are amplified in healthcare settings due to the sensitivity of patient data and the critical nature of healthcare operations.
Attackers could gain network access, enabling lateral movement to sensitive systems and disrupting essential medical devices, administrative systems, and patient data integrity, increasing the risk of identity theft or ransomware incidents.
Mitigating this vulnerability in healthcare requires prompt patching, especially for systems using legacy authentication protocols. Additionally, organizations should implement security measures like user training, network segmentation, and monitoring for unusual file interactions to reduce exploitation risks.
Affected Products / Versions:
Impacts all Microsoft workstations and servers
CVE:
CVE-2024-43451
KBs:
KB5046612, KB5046613, KB5046615, KB5046616, KB5046617, KB5046696, KB5046682, KB5046630, KB5046697, KB5046687, KB5046705, KB5046661, KB5046639, KB5046665, KB5046618, KB5046633
Twelve Tenable plugins are currently available for CVE-2024-43451; see the reference below.
Recommendations
Engineering recommendations:
- Apply patches to impacted systems
- To stay fully protected, customers who install Security-Only updates should also install the IE Cumulative updates for this vulnerability
- If the regular security cumulative update is installed, then the installation of the IE CU or Security-Only update is not necessary
- Restrict access to sensitive systems and applications to minimize damage in case of unauthorized access
- Track unusual access patterns and NTLM-related traffic for anomalies that could indicate an exploitation attempt
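To support the patching recommendation, the following PowerShell check is an added example (not part of the Fortified advisory) that reports whether any of the KBs listed above is installed on the local host; it assumes the advisory's KB list and relies on Get-HotFix, which reads Win32_QuickFixEngineering and does not enumerate every update type.

```powershell
# Added example: verify presence of the November 2024 cumulative updates
# named in the advisory. KB numbers are taken from the advisory above.
# Get-HotFix reads Win32_QuickFixEngineering, which does not list every
# update type, so a "not found" result should be cross-checked against
# Windows Update history rather than treated as proof the host is unpatched.
$AdvisoryKBs = @(
    'KB5046612','KB5046613','KB5046615','KB5046616','KB5046617','KB5046696',
    'KB5046682','KB5046630','KB5046697','KB5046687','KB5046705','KB5046661',
    'KB5046639','KB5046665','KB5046618','KB5046633'
)

# Collect only the hotfixes that match the advisory list.
$Installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $AdvisoryKBs -contains $_.HotFixID }

# OS build helps map a host to the right KB when none is reported.
$Build = (Get-CimInstance Win32_OperatingSystem).BuildNumber

if ($Installed) {
    foreach ($hf in $Installed) {
        Write-Output ("{0} (build {1}): {2} installed on {3}" -f `
            $env:COMPUTERNAME, $Build, $hf.HotFixID, $hf.InstalledOn)
    }
} else {
    Write-Output ("{0} (build {1}): none of the advisory KBs reported by Get-HotFix; verify update history before treating as unpatched" -f `
        $env:COMPUTERNAME, $Build)
}
```

Run it under an account with local administrator rights, or wrap it in Invoke-Command to collect the same output from a fleet of hosts.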
Leadership / Program recommendations:
- This vulnerability presents a significant risk, as attackers could impersonate the affected user, leading to unauthorized access across systems
- Consider multi-factor authentication (MFA) for critical systems, making it harder for attackers to exploit captured credentials
- Educate your staff on avoiding unexpected or suspicious files, especially from unknown sources, as this vulnerability relies on user interaction with a malicious file
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.
References:
- Microsoft patches for CVE-2024-43451: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-43451
- Tenable plugins for CVE-2024-43451: https://www.tenable.com/plugins/search?q=%22CVE-2024-43451%22&sort=&page=1
- Zero Day Initiative, The November 2024 Security Update Review: https://www.zerodayinitiative.com/blog/2024/11/12/the-november-2024-security-update-review