Windows 10 News and info | Forum
Author Topic: Critical Microsoft NTLM vulnerabilities allow remote code on any Windows machine  (Read 123 times)
« on: June 12, 2019, 12:44:20 AM »

The Preempt research team found two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM, the company’s proprietary authentication protocol.

These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.

The research shows that all Windows versions are vulnerable.

The flaws allow attackers to bypass existing mitigations

NTLM is susceptible to replay attacks, which allows actors to capture an authentication and relay it to another server, granting them the ability to perform operations on the remote server using the authenticated user’s privileges. NTLM Relay is one of the most common attack techniques used in Active Directory environments, where the attacker compromises one machine, then moves laterally to other machines by using NTLM authentication directed at the compromised server.

Microsoft previously developed several mitigations for preventing NTLM relay attacks, but Preempt researchers discovered those mitigations have the following exploitable flaws:

The Message Integrity Code (MIC) field ensures that attackers do not tamper with NTLM messages. The bypass discovered by Preempt researchers allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.

SMB Session Signing prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. The bypass enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is that of a privileged user, this means full domain compromise.

Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions. The bypass allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).

“Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly,” stated Roman Blachman, CTO, Preempt. “Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organizations can further protect their environments by gaining network NTLM visibility. Preempt works with its customers to ensure they have this visibility and the best protection possible.”

Protection strategies

1. Patch – Make sure that workstations and servers are properly patched. However, it is important to note that patching alone is not enough; companies also need to make configuration changes in order to be fully protected.

2. Configure

   • Enforce SMB Signing – To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.

   • Block NTLMv1 – Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO.

   • Enforce LDAP/S Signing – To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.

   • Enforce EPA – To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.

3. Reduce NTLM usage – Even with fully secured configuration and patched servers, NTLM poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM where it is not needed.

As of June 11, 2019, Microsoft has issued CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday per Preempt’s responsible disclosure of the NTLM vulnerabilities.

« Last Edit: June 12, 2019, 12:45:35 AM by javajolt »
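The "Configure" and "Reduce NTLM usage" steps above each correspond to a Group Policy setting that writes a specific registry value. The script below is an added example, not part of the original post or of Preempt's publication: a read-only PowerShell audit that reads those values (and, where the role is present, the IIS and ADFS EPA settings) and reports whether each recommendation is in force on the host it runs on. The registry paths, the IIS `tokenChecking` attribute and the `Get-AdfsProperties` property are the standard Windows locations for these settings; the pass/fail thresholds (signing required, `LmCompatibilityLevel` 5, LDAP signing 2, channel binding 2, EPA `Require`, NTLM auditing 2) are the strict settings the post's recommendations imply.

```powershell
# Added example (not from the original post): read-only audit of the NTLM relay
# mitigations listed under "Protection strategies". Run in an elevated PowerShell
# on the host being checked. LDAP, IIS and ADFS checks run only where that role exists.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: the policy was never applied to this host
}

function New-Finding([string]$Check, $Value, [bool]$Pass, [string]$Policy) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Pass = $Pass; Policy = $Policy }
}

function Test-NtlmHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $findings = @()

    # Enforce SMB signing: signing must be *required*, not merely enabled, on both
    # the server (LanmanServer) and the client (LanmanWorkstation) side.
    foreach ($side in 'LanmanServer', 'LanmanWorkstation') {
        $v = Get-RegDword "HKLM:\SYSTEM\CurrentControlSet\Services\$side\Parameters" 'RequireSecuritySignature'
        $findings += New-Finding "SMB signing required ($side)" $v ($v -eq 1) `
            'Microsoft network server/client: Digitally sign communications (always)'
    }

    # Block NTLMv1: level 5 sends NTLMv2 only and refuses LM and NTLMv1 responses.
    # Lower levels (including the usual default of 3) still accept NTLMv1 inbound.
    $v = Get-RegDword $lsa 'LmCompatibilityLevel'
    $findings += New-Finding 'NTLMv1 refused (LmCompatibilityLevel = 5)' $v ($v -eq 5) `
        'Network security: LAN Manager authentication level'

    # Enforce LDAP/S signing and channel binding (domain controllers only).
    if (Get-Service NTDS -ErrorAction SilentlyContinue) {
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $v = Get-RegDword $ntds 'LDAPServerIntegrity'        # 2 = require signing
        $findings += New-Finding 'LDAP signing required' $v ($v -eq 2) `
            'Domain controller: LDAP server signing requirements'
        $v = Get-RegDword $ntds 'LdapEnforceChannelBinding'  # 2 = always
        $findings += New-Finding 'LDAPS channel binding enforced' $v ($v -eq 2) `
            'Domain controller: LDAP server channel binding token requirements'
    }

    # Enforce EPA on IIS-hosted apps such as OWA: server-level tokenChecking must be Require.
    if ((Get-Service W3SVC -ErrorAction SilentlyContinue) -and (Get-Module -ListAvailable WebAdministration)) {
        Import-Module WebAdministration
        $filter = 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        $tc = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter $filter -Name 'tokenChecking'
        if ($tc -and $tc.PSObject.Properties['Value']) { $tc = $tc.Value }   # unwrap attribute object
        $findings += New-Finding 'IIS EPA token checking (server default)' "$tc" ("$tc" -eq 'Require') `
            'windowsAuthentication/extendedProtection tokenChecking'
    }

    # ADFS does not use the IIS setting; its EPA mode is a farm property.
    if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
        $epa = (Get-AdfsProperties).ExtendedProtectionTokenCheck
        $findings += New-Finding 'ADFS EPA token checking' "$epa" ("$epa" -eq 'Require') `
            'Set-AdfsProperties -ExtendedProtectionTokenCheck Require'
    }

    # Reduce NTLM usage: audit incoming NTLM first, so the systems that still depend
    # on it show up in the event log before NTLM is restricted (2 = all accounts).
    $v = Get-RegDword "$lsa\MSV1_0" 'AuditReceivingNTLMTraffic'
    $findings += New-Finding 'Incoming NTLM auditing enabled' $v ($v -eq 2) `
        'Network security: Restrict NTLM: Audit Incoming NTLM Traffic'

    $findings
}

Test-NtlmHardening | Format-Table -AutoSize
```

A `Value` of blank with `Pass` false means the policy has never been applied, which is the common case on hosts outside a hardened OU. The IIS check reads only the server-wide default; a site or application (the OWA virtual directory, for instance) can override it, so check the specific site's PSPath as well. None of these checks tells you whether the June 2019 updates are installed; that still has to be verified through your patch management tooling.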
