Microsoft Patches Critical Vulnerabilities in NTLM

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two bugs in its NTLM authentication protocol that Preempt, the firm that reported them, rates as critical.

Tracked as CVE-2019-1040 and CVE-2019-1019, the two security issues consist of three logical flaws in NTLM that together allow an attacker to bypass all of the major protection mechanisms built around the protocol, Preempt's security researchers say. The flaws affect all Windows versions.

An attacker exploiting these vulnerabilities could execute malicious code on any Windows machine or could authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), including Exchange or ADFS. 

The NTLM protocol is susceptible to relay attacks, in which an attacker who receives a victim's NTLM authentication (for example by coercing a connection to a server under the attacker's control) forwards the messages to another machine and acts as that user there, moving laterally through the network. Microsoft has developed mitigations to prevent such attacks, but Preempt found ways to bypass all of them.

One of the mechanisms is the Message Integrity Code (MIC), a keyed hash over the NEGOTIATE, CHALLENGE and AUTHENTICATE messages that is meant to ensure NTLM messages are not tampered with in transit. The researchers say they were nonetheless able to modify any field in the NTLM message flow, including the signing requirement.

“This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable,” the researchers explain. 
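The check that makes the MIC bypass possible is easiest to see in code. The following is an added example written for this article, not Preempt's tooling or Microsoft's implementation: it serialises a minimal NTLM AUTHENTICATE message, computes the MIC the way MS-NLMP defines it (HMAC-MD5 with the exported session key over the three messages, MIC field zeroed), shows the relay-side tampering of stripping the MIC and the signing flags, and implements the server-side rule a fixed server applies: if the client's signed AV pairs say a MIC is present, the message must carry one and it must verify. The session key, NTProofStr, message bodies and names are constructed placeholders; a real NTProofStr is verified by the domain controller, which is what makes the AV pairs (and thus the MIC flag) unforgeable by the relay.

```python
import hashlib
import hmac
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5) and the MsvAvFlags bit that announces a MIC.
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_ALWAYS_SIGN = 0x00008000
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
MSV_AV_FLAGS_MIC_PRESENT = 0x00000002

SIGNATURE = b"NTLMSSP\x00"
MIC_OFFSET, MIC_LEN = 72, 16              # MIC sits right after the 8-byte Version field
PAYLOAD_WITH_MIC = MIC_OFFSET + MIC_LEN   # 88: payload can only start here if a MIC is present
FIELD_POSITIONS = (12, 20, 28, 36, 44, 52)  # LM, NT, Domain, User, Workstation, SessionKey fields

# Constructed stand-ins: the MIC is an HMAC over the raw bytes of all three messages,
# so their inner layout does not matter for this demonstration.
NEGOTIATE = SIGNATURE + struct.pack("<I", 1) + struct.pack("<I", 0xE2088297) + b"\x00" * 24
CHALLENGE = SIGNATURE + struct.pack("<I", 2) + b"\x00" * 8 + struct.pack("<I", 0xE28A8215) + b"\x11" * 8 + b"\x00" * 16
SESSION_KEY = bytes(range(16))  # constructed; a real ExportedSessionKey comes from the NTLMv2 key exchange


def av_pairs(av_flags, domain="CORP"):
    """AV_PAIR list: MsvAvNbDomainName (id 2), MsvAvFlags (id 6), MsvAvEOL (id 0)."""
    name = domain.encode("utf-16-le")
    return (struct.pack("<HH", 2, len(name)) + name
            + struct.pack("<HHI", 6, 4, av_flags)
            + struct.pack("<HH", 0, 0))


def ntlmv2_response(av):
    """NTLMv2_RESPONSE = NTProofStr(16) || temp; temp = 0x0101, 6 reserved, time(8), client nonce(8), 4 reserved, AV pairs.
    NTProofStr is a constructed placeholder here: the real one is HMAC_MD5(NTOWFv2, ServerChallenge || temp)."""
    temp = b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\x22" * 8 + b"\x00" * 4 + av
    return b"\x33" * 16 + temp


def build_authenticate(nt_resp, flags, domain="CORP", user="alice", mic=b"\x00" * MIC_LEN):
    """Serialise an AUTHENTICATE_MESSAGE with a (possibly zeroed) MIC; payload order is domain, user, NT response."""
    blobs = {"domain": domain.encode("utf-16-le"), "user": user.encode("utf-16-le"), "nt": nt_resp}
    fields, payload, off = {}, b"", PAYLOAD_WITH_MIC
    for name, blob in blobs.items():
        fields[name] = struct.pack("<HHI", len(blob), len(blob), off)
        payload += blob
        off += len(blob)
    empty = struct.pack("<HHI", 0, 0, PAYLOAD_WITH_MIC)  # LM response, workstation, encrypted key: absent
    version = bytes([10, 0, 0x3A, 0x38, 0, 0, 0, 0x0F])
    return (SIGNATURE + struct.pack("<I", 3) + empty + fields["nt"] + fields["domain"] + fields["user"]
            + empty + empty + struct.pack("<I", flags) + version + mic + payload)


def parse_authenticate(msg):
    """Extract NegotiateFlags, the MIC if the layout leaves room for one, and MsvAvFlags from the NTLMv2 response."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    nt_len, _, nt_off = struct.unpack_from("<HHI", msg, 20)
    nt_resp = msg[nt_off:nt_off + nt_len]
    flags = struct.unpack_from("<I", msg, 60)[0]
    first_payload = min(struct.unpack_from("<HHI", msg, p)[2] for p in FIELD_POSITIONS)
    mic = msg[MIC_OFFSET:PAYLOAD_WITH_MIC] if first_payload >= PAYLOAD_WITH_MIC else None
    av_flags, pos = 0, 16 + 28  # skip NTProofStr and the fixed part of temp
    while pos + 4 <= len(nt_resp):
        av_id, av_len = struct.unpack_from("<HH", nt_resp, pos)
        if av_id == 0:
            break
        if av_id == 6:
            av_flags = struct.unpack_from("<I", nt_resp, pos + 4)[0]
        pos += 4 + av_len
    return {"flags": flags, "mic": mic, "av_flags": av_flags}


def compute_mic(session_key, negotiate, challenge, authenticate):
    """MIC = HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE with the MIC field zeroed)."""
    zeroed = authenticate[:MIC_OFFSET] + b"\x00" * MIC_LEN + authenticate[PAYLOAD_WITH_MIC:]
    return hmac.new(session_key, negotiate + challenge + zeroed, hashlib.md5).digest()


def client_authenticate(flags=NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NTLMSSP_NEGOTIATE_VERSION):
    """What an honest client sends: MIC flag set inside the signed AV pairs, MIC filled in."""
    msg = build_authenticate(ntlmv2_response(av_pairs(MSV_AV_FLAGS_MIC_PRESENT)), flags)
    mic = compute_mic(SESSION_KEY, NEGOTIATE, CHALLENGE, msg)
    return msg[:MIC_OFFSET] + mic + msg[PAYLOAD_WITH_MIC:]


def drop_the_mic(msg):
    """Relay-side tampering: clear the signing flags and cut the 16 MIC bytes out, shifting every payload offset back by 16."""
    out = bytearray(msg[:MIC_OFFSET] + msg[PAYLOAD_WITH_MIC:])
    for pos in FIELD_POSITIONS:
        length, max_length, off = struct.unpack_from("<HHI", out, pos)
        struct.pack_into("<HHI", out, pos, length, max_length, off - MIC_LEN)
    flags = struct.unpack_from("<I", out, 60)[0] & ~(NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_ALWAYS_SIGN)
    struct.pack_into("<I", out, 60, flags)
    return bytes(out)


def verify_authenticate(msg, session_key, negotiate, challenge):
    """Server-side rule: if the signed MsvAvFlags say 'MIC present', a MIC must be there and must verify."""
    p = parse_authenticate(msg)
    if p["mic"] is None:
        return "mic-missing" if p["av_flags"] & MSV_AV_FLAGS_MIC_PRESENT else "no-mic-negotiated"
    expected = compute_mic(session_key, negotiate, challenge, msg)
    return "ok" if hmac.compare_digest(p["mic"], expected) else "mic-invalid"
```

Running `verify_authenticate` over `client_authenticate()` returns `ok`; over `drop_the_mic(...)` of the same message it returns `mic-missing`, because the flag that announces the MIC lives inside the NTLMv2 response that the relay cannot rewrite. A server that only verifies a MIC when one happens to be present, rather than when the client said it sent one, accepts the stripped message with signing turned off, which is the condition the quoted bypass relies on.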

SMB session signing, which is meant to stop attackers from relaying NTLM authentication into SMB and DCE/RPC sessions, can be bypassed as well. The attack, Preempt says, allows relaying NTLM authentication requests to any server in the domain, including domain controllers. 


At the same time, the bypass makes it possible to establish a signed session and use it for remote code execution, which can lead to full domain compromise depending on the privileges of the relayed user. Every domain environment in which NTLM traffic is not completely blocked is vulnerable, the researchers say.

Preempt also discovered a way to bypass Extended Protection for Authentication (EPA), which binds an NTLM authentication to the TLS session it arrives over (via a channel-binding value derived from the server's certificate) so that the messages cannot be relayed into a different TLS session. The attack can target any server that supports WIA over TLS and lets the attacker modify NTLM messages so that they carry legitimate channel-binding information. 

“This can allow attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers),” the security researchers explain. 
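To make concrete what EPA checks and why its enforcement level matters, here is an added example (written for this article, not Preempt's or Microsoft's code) of the client-side channel-binding value and the server-side decision. The client derives MsvAvChannelBindings as the MD5 of a gss_channel_bindings_struct whose application data is `tls-server-end-point:` followed by the hash of the server certificate (MS-NLMP, RFC 5929); the server recomputes the value for its own certificate and compares. The certificates are constructed byte strings rather than real DER, and the policy names mirror the IIS `tokenChecking` levels None, Allow and Require. The bypass details from the research are not modelled; the example only shows what a correct check rejects and what a weaker policy still lets through.

```python
import hashlib
import hmac
import struct

MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_CHANNEL_BINDINGS = 0, 2, 10
CBT_PREFIX = b"tls-server-end-point:"

# Constructed placeholders standing in for DER certificates (only their hash is used).
SERVER_CERT = b"-- constructed stand-in for the OWA/ADFS server certificate --"
ATTACKER_CERT = b"-- constructed stand-in for the relay's own certificate --"


def cert_hash(cert_der):
    """RFC 5929 tls-server-end-point: hash of the DER certificate using the hash of its
    signature algorithm; SHA-256 is assumed here, as for the usual SHA-256-signed certificates."""
    return hashlib.sha256(cert_der).digest()


def channel_binding_value(cert_der):
    """MsvAvChannelBindings: MD5 over gss_channel_bindings_struct with empty initiator/acceptor
    addresses (four zero fields), then the application_data length and the data itself."""
    app_data = CBT_PREFIX + cert_hash(cert_der)
    gss_struct = struct.pack("<IIIII", 0, 0, 0, 0, len(app_data)) + app_data
    return hashlib.md5(gss_struct).digest()


def build_av_pairs(tls_cert_der=None, domain="CORP"):
    """Client-side AV_PAIR list: domain name, plus a channel binding when the client speaks over TLS."""
    name = domain.encode("utf-16-le")
    out = struct.pack("<HH", MSV_AV_NB_DOMAIN_NAME, len(name)) + name
    if tls_cert_der is not None:
        out += struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, 16) + channel_binding_value(tls_cert_der)
    return out + struct.pack("<HH", MSV_AV_EOL, 0)


def parse_av_pairs(blob):
    """Walk an AV_PAIR list into (id, value) tuples, stopping at MsvAvEOL."""
    pairs, pos = [], 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        if av_id == MSV_AV_EOL:
            break
        pairs.append((av_id, blob[pos + 4:pos + 4 + av_len]))
        pos += 4 + av_len
    return pairs


def check_epa(av_blob, server_cert_der, policy="Require"):
    """Server-side EPA decision. Every binding pair present must match this server's certificate;
    'Allow' tolerates a missing binding (non-TLS or legacy client), 'Require' does not."""
    bindings = [value for av_id, value in parse_av_pairs(av_blob) if av_id == MSV_AV_CHANNEL_BINDINGS]
    if policy == "None":
        return "accept"
    if not bindings:
        return "accept" if policy == "Allow" else "reject: no channel binding"
    expected = channel_binding_value(server_cert_der)
    if all(hmac.compare_digest(b, expected) for b in bindings):
        return "accept"
    return "reject: channel binding mismatch"


def direct_login(policy="Require"):
    """Victim connects straight to the real server over TLS and binds to its certificate."""
    return check_epa(build_av_pairs(SERVER_CERT), SERVER_CERT, policy)


def relayed_login(policy="Require"):
    """Victim's TLS session terminates at the relay, so the binding names the relay's certificate;
    the relay forwards the NTLMv2 response unchanged because NTProofStr covers the AV pairs."""
    return check_epa(build_av_pairs(ATTACKER_CERT), SERVER_CERT, policy)


def relayed_from_plaintext_client(policy="Require"):
    """Victim authenticated over SMB or plain HTTP, so there is no binding at all."""
    return check_epa(build_av_pairs(None), SERVER_CERT, policy)
```

`direct_login()` is accepted and `relayed_login()` is rejected under both Allow and Require, but an authentication captured from a client that never used TLS (`relayed_from_plaintext_client`) passes under Allow and only fails under Require. That gap is why the mitigation is stated as enforcing EPA rather than merely enabling it.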

To stay protected, administrators should apply the available patches, ensure the relevant hardening is configured (enforce SMB signing, block NTLMv1, enforce LDAP signing and LDAPS channel binding, and enforce EPA on servers that accept WIA over TLS), and reduce NTLM usage by removing it wherever it is not needed.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
