
Microsoft Patches Critical Vulnerabilities in NTLM

Microsoft on Tuesday released security patches for nearly 90 vulnerabilities, including two Critical bugs impacting the proprietary authentication protocol NTLM. 

Tracked as CVE-2019-1040 and CVE-2019-1019, the two security issues consist of three logical flaws in NTLM that allow the bypass of all major NTLM protection mechanisms, Preempt’s security researchers reveal. The flaws impact all Windows versions. 

An attacker exploiting these vulnerabilities could execute malicious code on any Windows machine or could authenticate to any HTTP server that supports Windows Integrated Authentication (WIA), including Exchange or ADFS. 

The NTLM protocol is susceptible to relay attacks, which allow attackers to move laterally to other machines via NTLM authentication directed at the compromised server. Microsoft has developed mitigations to prevent such attacks, but Preempt has discovered ways to bypass all the mechanisms. 

One of these mechanisms is the Message Integrity Code (MIC), which ensures that NTLM messages are not tampered with by attackers, but the security researchers say they were able to modify any field in the NTLM message flow, including the signing requirement. 

“This bypass allows attackers to relay authentication attempts which have negotiated signing to another server while entirely removing the signing requirement. All servers which do not enforce signing are vulnerable,” the researchers explain. 

SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions, can be bypassed as well. The attack, Preempt says, allows relaying NTLM authentication requests to any server in the domain, including domain controllers. 

At the same time, the bypass makes it possible to establish a signed session to perform remote code execution, which could lead to full domain compromise, depending on the privileges the user has. All domain environments where NTLM traffic isn’t completely blocked are vulnerable, the researchers say.

Preempt also discovered a way to bypass Enhanced Protection for Authentication (EPA), which prevents attackers from relaying NTLM messages to TLS sessions. The attack can target any server that supports WIA (Windows Integrated Authentication) over TLS and enables the modification of NTLM messages to generate legitimate channel binding information. 

“This can allow attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers),” the security researchers explain. 

To stay protected, users should apply the available patches, ensure the proper configuration is in place (enforce SMB Signing, block NTLMv1, enforce LDAP/S Signing, and enforce EPA), and reduce NTLM usage by removing NTLM anywhere it is not needed.
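The configuration items above are each backed by a documented registry value on Windows hosts, so a defender can check a machine's posture against the list before and after rolling out the patches. The script below is an added example, not code from SecurityWeek, Preempt or Microsoft; it audits the local host for the settings the article names (SMB signing on server and client, LmCompatibilityLevel to refuse LM/NTLMv1, LDAP server signing and LDAP channel binding on domain controllers, and NTLM inbound auditing). The expected values and the `Get-NtlmHardeningReport` function name are the author's choices here; the LDAP-related keys only exist on domain controllers and report as "(not set)" elsewhere.

```powershell
# Added example (not from the article or the vendors it cites): audit the
# NTLM hardening settings a defender should confirm on a Windows host.
# Registry paths are the documented backing store for the matching Group
# Policy settings. Run in an elevated PowerShell session.

$checks = @(
    @{ Name     = 'SMB server signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value    = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name     = 'SMB client signing required'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value    = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name     = 'LM and NTLMv1 refused (NTLMv2 only, level 5)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value    = 'LmCompatibilityLevel'; Expected = 5 },
    @{ Name     = 'LDAP server signing required (domain controllers only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name     = 'LDAP channel binding (EPA for LDAPS) always enforced (DCs only)'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value    = 'LdapEnforceChannelBinding'; Expected = 2 },
    @{ Name     = 'Inbound NTLM traffic audited for all accounts'
       Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value    = 'AuditReceivingNTLMTraffic'; Expected = 2 }
)

function Get-NtlmHardeningReport {
    # Returns one object per check so the result can be filtered or exported.
    foreach ($c in $checks) {
        # A missing key or value is reported as not set rather than as an error.
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }

        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

# Example usage: print the table, then list only the settings that need attention.
Get-NtlmHardeningReport | Format-Table -AutoSize
Get-NtlmHardeningReport | Where-Object Status -eq 'REVIEW'
```

Every row marked REVIEW maps to one of the relay defences the article says were bypassed before the patch, so a host that fails a row is exposed even after CVE-2019-1040 and CVE-2019-1019 are fixed if NTLM is still accepted there. The "(not set)" result means the Group Policy default applies, which for most of these values is the weaker setting. EPA for web front ends such as Exchange OWA and ADFS is not a registry value; it is configured per site in IIS (the extendedProtection setting of Windows authentication) and, for ADFS, as the ExtendedProtectionTokenCheck property shown by Get-AdfsProperties, so those servers need a separate check.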

Related: Researcher Escalates Privileges on Exchange 2013 via NTLM Relay Attack

Related: PDF Files Can Silently Leak NTLM Credentials

Written By

Ionut Arghire is an international correspondent for SecurityWeek.