CVE-2024-45301
📋 TL;DR
This vulnerability in the Mintty terminal emulator lets an attacker who can get output onto the terminal force it to open an arbitrary network (UNC) path via crafted escape sequences. On Windows, opening a UNC path on an attacker-controlled host triggers automatic NTLM authentication, so the victim's NetNTLMv2 challenge-response is sent to the attacker's server, where it can be cracked offline or relayed to other services that accept NTLM. Mintty versions 2.3.6 through 3.7.4 on Cygwin, MSYS and WSL are affected.
💻 Affected Systems
- Mintty
⚠️ Manual Verification Required
The CVE entry in this database carries no machine-readable version range, so automated detection cannot tell whether your system is affected. The vendor advisory gives the affected range as 2.3.6 through 3.7.4; check the installed version by hand (see How to Verify), remembering that Cygwin, MSYS2 and Git for Windows each ship their own copy of Mintty.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers capture NetNTLMv2 challenge-responses, crack them offline to recover the user's password, or relay them to services that accept NTLM authentication (SMB, HTTP, LDAP) where signing or channel binding is not enforced, and use the result to access systems and data. Note that a captured NetNTLMv2 response cannot be used directly for pass-the-hash; that requires the NT hash, which this leak does not expose.
Likely Case
Attackers capture NetNTLMv2 challenge-responses and attempt offline cracking of weak passwords, or relay them for lateral movement within the network.
If Mitigated
With outbound SMB (TCP 445 and 139) blocked at the perimeter and host firewall and NTLM egress monitored, the authentication attempt never reaches the attacker's server, or is detected and investigated before any credential misuse occurs.
🎯 Exploit Status
Exploitation requires getting a crafted escape sequence onto the victim's Mintty display: for example in the output of a command the user runs, in a file the user views in the terminal, or over an SSH session to a compromised host. Viewing the crafted content is enough; the user does not have to run attacker-supplied commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.5
Vendor Advisory: https://github.com/mintty/mintty/security/advisories/GHSA-jf4m-m6rv-p6c5
Restart Required: Yes
Instructions:
1. Update the mintty package through the distribution that installed it (Cygwin setup, MSYS2 pacman, or the Git for Windows installer) to version 3.7.5 or later. Repeat for every installation on the machine.
2. Close and restart all Mintty terminal sessions, including Git Bash windows.
3. Verify the update with 'mintty --version'.
🔧 Temporary Workarounds
Suppress the affected escape sequences
Mintty has no single switch that disables all escape sequences, and 'DisableEscapeSequences=true' is not a documented Mintty option. ~/.minttyrc does allow suppressing specific classes of sequences (for example 'SuppressOSC=' takes a list of OSC codes to ignore), but which codes to list depends on the sequence named in the vendor advisory, so confirm against the advisory and the Mintty manual before relying on it, and treat it as a stopgap rather than a fix.
Network filtering
Block outbound SMB (TCP 445 and 139) from workstations to the internet at the perimeter and in the host firewall. Two caveats: when SMB fails, Windows can retry a UNC path over WebDAV (TCP 80/443) through the WebClient service, so disable that service where it is not needed; and the Group Policy setting "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" can deny NTLM to hosts outside an allow list regardless of transport.
🧯 If You Can't Patch
- Restrict network access from Mintty terminals to only trusted internal resources
- Implement application allowlisting to prevent unauthorized Mintty usage
🔍 How to Verify
Check if Vulnerable:
Run 'mintty --version' in each Cygwin, MSYS2 and Git Bash installation on the machine; a first line reporting 2.3.6 through 3.7.4 is affected. Compare the version numerically, not as a string (3.7.10 is newer than 3.7.5).
Check Version:
mintty --version
Verify Fix Applied:
Confirm version is 3.7.5 or higher with 'mintty --version'
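The version check as a script, added here as an example and not a Mintty project tool. It assumes the first line of 'mintty --version' begins "mintty <major>.<minor>.<patch>" and ignores the rest of the banner; the banners used for testing are constructed. It compares the version as a numeric tuple against the affected range, so 3.7.10 is correctly treated as newer than 3.7.5, which a string comparison would get wrong, and it exits non-zero when vulnerable so it can gate a login script or CI job.

```python
"""Classify an installed Mintty against the CVE-2024-45301 affected range.

Added example for this page, not a Mintty project script. Assumes the first
line of `mintty --version` begins "mintty <major>.<minor>.<patch>"; the rest of
the banner is ignored. Cygwin, MSYS2 and Git for Windows each ship their own
copy of Mintty, so run this once per installation (pass the binary as argv[1]).
"""
import re
import subprocess
import sys

FIRST_AFFECTED = (2, 3, 6)   # lowest affected version per the advisory
FIXED = (3, 7, 5)            # first version carrying the fix

# Only the numeric triple matters; the build suffix, e.g. "(x86_64-pc-msys)",
# is deliberately not captured.
VERSION_RE = re.compile(r"\bmintty\s+(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str):
    """Return (major, minor, patch) from `mintty --version` output, else None."""
    m = VERSION_RE.search(banner)
    return tuple(int(g) for g in m.groups()) if m else None


def is_affected(version: tuple) -> bool:
    """2.3.6 through 3.7.4 inclusive, compared numerically, not as strings:
    a string compare would rank "3.7.10" below "3.7.5"."""
    return FIRST_AFFECTED <= version < FIXED


def classify(banner: str) -> str:
    """'vulnerable', 'not affected', or 'unknown' when no version is found."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "vulnerable" if is_affected(version) else "not affected"


def check_binary(exe: str = "mintty") -> str:
    """Run `<exe> --version` and classify the result."""
    try:
        proc = subprocess.run([exe, "--version"], capture_output=True,
                              text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"   # binary missing, not executable, or hung
    return classify(proc.stdout + proc.stderr)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mintty"
    verdict = check_binary(target)
    print(f"{target}: {verdict}")
    # Non-zero exit when vulnerable so the script can gate a login script or CI job.
    sys.exit(1 if verdict == "vulnerable" else 0)
```

Run it from inside each shell (Cygwin, MSYS2, Git Bash) so that the bare 'mintty' resolves to that installation's binary, or pass the full path to mintty.exe as the first argument.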
📡 Detection & Monitoring
Log Indicators:
- Outbound SMB connections to hosts outside the organisation. Note that the SMB redirector runs in the kernel, so endpoint telemetry attributes the connection to the System process, not to mintty.exe; do not filter on the terminal's process name.
- Network connections to unusual UNC paths
Network Indicators:
- Outbound SMB traffic from workstations to untrusted IPs
- NetNTLM authentication attempts to external servers
SIEM Query:
Windows Security event 4625 is logged by the server that receives the failed authentication, which in this attack is the attacker's host, and network logons carry no caller process name, so a 4625 search on the victim endpoint will not catch this. Search instead for outbound SMB from endpoints to non-internal addresses (Sysmon Event ID 3 shown; a firewall or NetFlow log works the same way):
index=sysmon EventCode=3 Initiated=true (DestinationPort=445 OR DestinationPort=139) NOT (DestinationIp=10.0.0.0/8 OR DestinationIp=172.16.0.0/12 OR DestinationIp=192.168.0.0/16)
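The same rule as offline detection logic, added as an example that is not part of this page or of the Mintty project. It reads Sysmon Event ID 3 (network connection) records already flattened to key=value text, keeps outbound TCP connections to port 445 or 139 whose destination lies outside RFC 1918, loopback and link-local space, and reports them. Field names follow Sysmon's (EventID, Image, Initiated, SourceIp, DestinationIp, DestinationPort); the sample events are constructed. It also shows why the rule must not key on the terminal's process name: the connection is made by the SMB redirector, so Sysmon attributes it to System, not mintty.exe.

```python
"""Flag outbound SMB connections that may be NetNTLMv2 leaks.

Added example for this page, not Mintty project code. Input is Sysmon Event ID 3
(network connection) events flattened to one key=value line each; field names
mirror Sysmon's. The sample events below are constructed.
"""
import ipaddress
import re

# SMB over TCP and the legacy NetBIOS session port. Both carry NTLM.
SMB_PORTS = {445, 139}

# Destinations that are not leak targets. Listed explicitly rather than via
# ipaddress.is_private, which also classifies the RFC 5737 documentation
# ranges used in the samples (203.0.113.0/24, 198.51.100.0/24) as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv_line(line: str) -> dict:
    """Parse 'Key=value Key2="quoted value"' into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def is_internal(ip: str) -> bool:
    """True for RFC 1918, loopback and link-local addresses (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    # `in` across address families is simply False, so mixing v4/v6 is safe.
    return any(addr in net for net in INTERNAL_NETS)


def find_smb_leaks(lines):
    """Return outbound SMB connections to external hosts, in input order.

    Note the Image field in the hits: the SMB redirector lives in the kernel,
    so Sysmon attributes the connection to System, not to mintty.exe. A rule
    keyed on the terminal's process name would miss the very event this page
    is about.
    """
    hits = []
    for line in lines:
        ev = parse_kv_line(line)
        if ev.get("EventID") != "3" or ev.get("Initiated") != "true":
            continue
        try:
            port = int(ev["DestinationPort"])
            external = not is_internal(ev["DestinationIp"])
        except (KeyError, ValueError):
            continue   # malformed or non-IP record: skip rather than crash
        if port in SMB_PORTS and external:
            hits.append({
                "time": ev.get("UtcTime", ""),
                "image": ev.get("Image", ""),
                "src": ev.get("SourceIp", ""),
                "dst": ev["DestinationIp"],
                "port": port,
            })
    return hits


# Constructed sample: one benign HTTPS connection, one legitimate internal
# SMB connection, two SMB connections to external hosts, one non-network event.
SAMPLE_EVENTS = [
    'EventID=3 UtcTime=2024-09-02T10:14:02 Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" '
    'Protocol=tcp Initiated=true SourceIp=192.168.1.20 DestinationIp=203.0.113.10 DestinationPort=443',
    'EventID=3 UtcTime=2024-09-02T10:15:11 Image=System Protocol=tcp Initiated=true '
    'SourceIp=192.168.1.20 DestinationIp=192.168.1.5 DestinationPort=445',
    'EventID=3 UtcTime=2024-09-02T10:16:40 Image=System Protocol=tcp Initiated=true '
    'SourceIp=192.168.1.20 DestinationIp=203.0.113.77 DestinationPort=445',
    'EventID=3 UtcTime=2024-09-02T10:16:41 Image=System Protocol=tcp Initiated=true '
    'SourceIp=192.168.1.20 DestinationIp=198.51.100.9 DestinationPort=139',
    'EventID=1 UtcTime=2024-09-02T10:16:00 Image="C:\\cygwin64\\bin\\mintty.exe" CommandLine="mintty -"',
]

if __name__ == "__main__":
    for h in find_smb_leaks(SAMPLE_EVENTS):
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['port']} via {h['image']}")
```

On the sample input only the two System connections to 203.0.113.77:445 and 198.51.100.9:139 are reported; the browser's HTTPS connection and the internal file-server connection are ignored. If you also want the WebDAV fallback described under Network filtering, add TCP 80/443 from the WebClient service's svchost.exe, but expect far more noise from ordinary web traffic.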