Microsoft Patches Critical Vulnerabilities in NTLM

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two Critical bugs impacting the proprietary authentication protocol NTLM. 

Tracked as CVE-2019-1040 and CVE-2019-1019, the two security issues consist of three logical flaws in NTLM that allow the bypass of all major NTLM protection mechanisms, Preempt’s security researchers reveal. The flaws impact all Windows versions. 

An attacker exploiting these vulnerabilities could execute malicious code on any Windows machine or could authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), including Exchange or ADFS. 

The NTLM protocol is susceptible to relay attacks, which allow attackers to move laterally to other machines via NTLM authentication directed at the compromised server. Microsoft has developed mitigations to prevent such attacks, but Preempt has discovered ways to bypass all the mechanisms. 

One of the mechanisms is Message Integrity Code (MIC), which ensures that NTLM messages are not tampered by attackers, but the security researchers say they were able to modify any field in the NTLM message flow, including the signing requirement. 

“This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable,” the researchers explain. 

The SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions, can be bypassed as well. The attack, Preempt says, allows relaying NTLM authentication requests to any server in the domain, including domain controllers. 

At the same time, the bypass makes it possible to establish a signed session to perform remote code execution, which could lead to full domain compromise, depending on the privileges the user has. All domain environments where NTLM traffic isn’t completely blocked is vulnerable, the researchers say.

Preempt also discovered a way to bypass Enhanced Protection for Authentication (EPA), which prevents attackers from relaying NTLM messages to TLS sessions. The attack can target any server that supports WIA (Windows Integrated Authentication) over TLS and enables the modification of NTLM messages to generate legitimate channel binding information. 

“This can allow attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers),” the security researchers explain. 

To stay protected, users should apply available patches, ensure they apply the proper configuration (enforce SMB Signing, block NTLMv1, enforce LDAP/S Signing, and enforce EPA), and reduce NTLM usage by removing NTLM anywhere it is not needed.

Related: Researcher Escalates Privileges on Exchange 2013 via NTLM Relay Attack

Related: PDF Files Can Silently Leak NTLM Credentials