CVE-2024-33865
📋 TL;DR
linqi for Windows before version 1.4.0.1 can be made to disclose NTLM hashes through requests to the /api/Cdn/GetFile and /api/DocumentTemplate/{GUID} API endpoints. An attacker who captures that NTLM material can attempt to crack it offline and reuse the recovered credential. Any organization running an affected linqi version on Windows is exposed.
💻 Affected Systems
- linqi for Windows, versions before 1.4.0.1
📦 What is this software?
Linqi by Linqi
⚠️ Risk & Real-World Impact
Worst Case
The NTLM hashes that leak belong to a domain administrator account. The attacker cracks them offline and gains full domain compromise, leading to data exfiltration, ransomware deployment, or persistent backdoor access.
Likely Case
Attackers capture NTLM hashes for ordinary user accounts, crack the weaker passwords, and use the recovered credentials for unauthorized access to systems or data in the linqi environment.
If Mitigated
With network segmentation and monitoring in place, an attacker may still capture hashes, but strong passwords resist offline cracking and the segmentation leaves little room for lateral movement.
🎯 Exploit Status
The vulnerability appears to be exploitable without authentication via HTTP requests to the vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.4.0.1
Vendor Advisory: https://linqi.help/Updates/en#/SecurityUpdates
Restart Required: Yes
Instructions:
1. Download linqi version 1.4.0.1 from official sources.
2. Back up the current configuration and data.
3. Stop the linqi service.
4. Install the update.
5. Restart the linqi service.
6. Verify functionality.
🔧 Temporary Workarounds
Block vulnerable endpoints
Windows: use a web application firewall or reverse proxy to block access to the /api/Cdn/GetFile and /api/DocumentTemplate/{GUID} endpoints. This also blocks legitimate use of those endpoints, so treat it as a stop-gap until the patch is applied.
<!-- Example IIS URL Rewrite rule; place it under <system.webServer><rewrite><rules> in the site's web.config.
     URL Rewrite matches the path without its leading slash and is case-insensitive by default. -->
<rewrite>
  <rules>
    <rule name="Block linqi vulnerable endpoints" stopProcessing="true">
      <match url="^api/(Cdn/GetFile|DocumentTemplate/.+)" />
      <action type="AbortRequest" />
    </rule>
  </rules>
</rewrite>
Network segmentation
Windows: restrict access to the linqi server to trusted internal networks only.
# Windows Firewall example. Block rules take precedence over allow rules, so scope the block to
# untrusted addresses; 10.10.0.0/16 is a placeholder for the subnet that legitimately uses linqi.
New-NetFirewallRule -DisplayName "Allow linqi trusted subnet" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress 10.10.0.0/16 -Action Allow
New-NetFirewallRule -DisplayName "Block linqi external" -Direction Inbound -Protocol TCP -LocalPort 80,443 -RemoteAddress Internet -Action Block
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the vulnerable linqi server from critical systems
- Block outbound SMB (TCP 445 and 139) from the linqi server to anything other than trusted file servers and domain controllers; the detection indicators below flag outbound NTLM authentication from the linqi server, and an egress block limits where that authentication can be sent
- Enable detailed logging and monitoring for requests to the vulnerable endpoints and investigate any suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check linqi version in administration interface or via installed program version. If version is below 1.4.0.1 on Windows, it is vulnerable.
Check Version:
Check linqi web interface admin panel or Windows Programs and Features for installed version
Verify Fix Applied:
Confirm that the linqi version shown in the administration interface is 1.4.0.1 or higher. Then request the previously vulnerable endpoints in a controlled test and confirm that the linqi server initiates no outbound NTLM authentication toward an untrusted host.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests to /api/Cdn/GetFile or /api/DocumentTemplate/ endpoints
- Multiple failed authentication attempts following requests to vulnerable endpoints
- Outbound NTLM authentication attempts from linqi server
Network Indicators:
- HTTP traffic to vulnerable endpoints from untrusted sources
- NTLM challenge/response exchanges originating from the linqi server toward hosts outside the trusted network
SIEM Query:
source="linqi_logs" AND (uri="/api/Cdn/GetFile" OR uri MATCHES "/api/DocumentTemplate/.+")
(Pseudo-syntax: map source and uri to your log schema, match case-insensitively, and exclude known-good internal clients to cut noise.)
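The log indicators above, run as code: this is an added example and is not part of the page or of linqi. It assumes linqi is served by IIS with the standard W3C extended log fields (date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status); the trusted subnets, the client addresses and the log lines themselves are placeholders constructed for the example. It flags every request to the two affected endpoints, marks whether the client sits inside a trusted network, and counts hits per client so repeat probing from one address stands out.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Endpoints named in the CVE-2024-33865 advisory. Case-insensitive because IIS
# serves paths case-insensitively.
VULNERABLE_PATH = re.compile(r"^/api/(Cdn/GetFile|DocumentTemplate/[^/?]+)", re.IGNORECASE)

# Placeholder trusted networks (assumption): replace with the subnets that
# legitimately reach the linqi server.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


@dataclass
class Hit:
    timestamp: str
    client: str
    method: str
    path: str
    status: int
    trusted: bool


def parse_w3c(lines):
    """Yield one dict per request from IIS W3C extended log lines.

    The '#Fields:' directive names the columns; other '#' lines are metadata.
    Lines whose column count does not match the header are skipped rather than
    mis-attributed to the wrong fields.
    """
    fields = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_trusted(ip):
    """True if ip falls inside one of TRUSTED_NETWORKS; unparsable IPs are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_hits(lines):
    """Return every request to a vulnerable endpoint, tagged with client trust."""
    hits = []
    for rec in parse_w3c(lines):
        path = rec.get("cs-uri-stem", "")
        if not VULNERABLE_PATH.match(path):
            continue
        client = rec.get("c-ip", "")
        status_raw = rec.get("sc-status", "")
        hits.append(Hit(
            timestamp=f"{rec.get('date', '')} {rec.get('time', '')}",
            client=client,
            method=rec.get("cs-method", ""),
            path=path,
            status=int(status_raw) if status_raw.isdigit() else 0,
            trusted=is_trusted(client),
        ))
    return hits


def untrusted_hits(lines):
    """Hits from clients outside TRUSTED_NETWORKS: the ones to investigate first."""
    return [h for h in find_hits(lines) if not h.trusted]


def hits_per_client(hits):
    """Count hits per client IP so repeated probing from one address stands out."""
    return dict(Counter(h.client for h in hits))


# Constructed sample log (not real traffic): internal requests plus two probes
# of the affected endpoints from an address outside the trusted ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-05-01 09:12:01 10.10.4.7 GET /api/Cdn/GetFile - 200
2024-05-01 09:12:05 10.10.4.7 GET /home - 200
2024-05-01 09:13:44 203.0.113.25 GET /api/cdn/getfile - 500
2024-05-01 09:13:45 203.0.113.25 GET /api/DocumentTemplate/4f1c2a6e-9d3b-4c1e-9a2b-3d7e8f9a0b1c - 404
2024-05-01 09:14:02 198.51.100.9 POST /api/login - 200
"""

if __name__ == "__main__":
    suspicious = untrusted_hits(SAMPLE_LOG.splitlines())
    for hit in suspicious:
        print(f"{hit.timestamp} {hit.client} {hit.method} {hit.path} -> {hit.status}")
    print(hits_per_client(suspicious))
```

To run it against a real log, replace `SAMPLE_LOG.splitlines()` with the lines of the IIS log file and set TRUSTED_NETWORKS to the subnets that actually use linqi; trusted hits are still worth a look if the affected endpoints are not normally called from those hosts.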