Connect with us

Hi, what are you looking for?



Microsoft Patches Critical Vulnerabilities in NTLM

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two Critical bugs impacting the proprietary authentication protocol NTLM. 

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two Critical bugs impacting the proprietary authentication protocol NTLM. 

Tracked as CVE-2019-1040 and CVE-2019-1019, the two security issues consist of three logical flaws in NTLM that allow the bypass of all major NTLM protection mechanisms, Preempt’s security researchers reveal. The flaws impact all Windows versions. 

An attacker exploiting these vulnerabilities could execute malicious code on any Windows machine or could authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), including Exchange or ADFS. 

The NTLM protocol is susceptible to relay attacks, which allow attackers to move laterally to other machines via NTLM authentication directed at the compromised server. Microsoft has developed mitigations to prevent such attacks, but Preempt has discovered ways to bypass all the mechanisms. 

One of the mechanisms is Message Integrity Code (MIC), which ensures that NTLM messages are not tampered by attackers, but the security researchers say they were able to modify any field in the NTLM message flow, including the signing requirement. 

“This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable,” the researchers explain. 

The SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions, can be bypassed as well. The attack, Preempt says, allows relaying NTLM authentication requests to any server in the domain, including domain controllers. 

Advertisement. Scroll to continue reading.

At the same time, the bypass makes it possible to establish a signed session to perform remote code execution, which could lead to full domain compromise, depending on the privileges the user has. All domain environments where NTLM traffic isn’t completely blocked is vulnerable, the researchers say.

Preempt also discovered a way to bypass Enhanced Protection for Authentication (EPA), which prevents attackers from relaying NTLM messages to TLS sessions. The attack can target any server that supports WIA (Windows Integrated Authentication) over TLS and enables the modification of NTLM messages to generate legitimate channel binding information. 

“This can allow attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers),” the security researchers explain. 

To stay protected, users should apply available patches, ensure they apply the proper configuration (enforce SMB Signing, block NTLMv1, enforce LDAP/S Signing, and enforce EPA), and reduce NTLM usage by removing NTLM anywhere it is not needed.

Related: Researcher Escalates Privileges on Exchange 2013 via NTLM Relay Attack

Related: PDF Files Can Silently Leak NTLM Credentials

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.