Detecting Microsoft Office Spoofing Vulnerability (CVE-2024-38200) with ManageEngine Vulnerability Manager Plus!
Hello everyone!
*This forum post will be updated periodically based on the data updated by Microsoft.
The recently identified Microsoft Office (CVE-2024-38200) vulnerability is classified as a zero-day vulnerability. Microsoft has disclosed a critical vulnerability in the Microsoft Office platforms that could allow a remote attacker to obtain NTLM hashes. Identified as CVE-2024-38200, this security vulnerability can cause spoofing that may let unauthorized actors gain access to confidential information.
You can detect this zero-day in your network using Vulnerability Manager Plus by,
- Navigating to the Threats tab -> Zero-day Vulnerabilities view.
Note: Currently, we don't support patching for this vulnerability. You will be able to deploy the patches from Vulnerability Manager Plus console once patches are released by Microsoft.
Microsoft’s Recommended Risk Mitigation Steps:
- Restrict NTLM Traffic: Configure the policy to block, allow, or audit outgoing NTLM traffic from Windows Server 2008 and later to remote servers. This helps prevent or monitor NTLM authentication attempts but may impact compatibility with certain systems.
- Protected Users Group: Add high-value accounts (like Domain Admins) to the Protected Users Security Group to block NTLM authentication. This makes troubleshooting easier but might affect NTLM-dependent applications until the user is removed from the group.
- Block TCP 445/SMB: Use firewalls or VPN settings to block outbound TCP 445/SMB traffic, preventing NTLM authentication messages from reaching remote file shares.
To learn more about the affected Microsoft Office products, please refer to this document,
In case of any queries, kindly contact vulnerabilitymanagerplus-support@manageengine.com