Microsoft Patches LDAP Relay Vulnerability in NTLM

Microsoft resolved over 50 bugs with its July 2017 set of security patches, one being a vulnerability where the Lightweight Directory Access Protocol (LDAP) wasn’t protected from Microsoft NT LAN Manager (NTLM) relay.

Discovered by the Preempt research team, the LDAP relay attack could be exploited by a hacker to create new domain administrator accounts even when best-practice controls are enabled. A similar attack can be performed by exploiting a RDP relay flaw in NTLM, the security researchers said.

NTLM is a series of security protocols aimed at offering authentication, integrity, and confidentiality, and NTLM relay is one of the main attack vectors for hackers and pen-testers, Preempt argues.

The basic manner in which NTLM works is that the user encrypts a server-issued challenge with their password hash to establish a connection. An attacker able to use the challenge in a parallel session with the server needs to forward “the same encrypted hash to create a successful NTLM authentication” and use this to open a session (such as SMB) and infect the target system with malware.

Countermeasures preventing NTLM credential relay include SMB signing – where a derived session key is used to digitally sign all incoming packets, thus preventing server exploitation even if the NTLM session was relayed; and Enhanced Protection for Authentication (EPA) – where the client signs an element of the TLS session with the derived session key, thus protecting the server from credential relaying.
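The challenge-response exchange and the signing countermeasure described above can be modelled in a few lines. This is an added example, not code from Preempt or Microsoft: the class names, message contents and constructed key are assumptions, and it models only the key derivation, not the real NTLM wire format.

```python
import hashlib
import hmac
import os

def mac(key: bytes, data: bytes) -> bytes:
    # NTLMv2 builds its proofs and keys with HMAC-MD5; the inputs here are simplified.
    return hmac.new(key, data, hashlib.md5).digest()

class Client:
    def __init__(self, user_key: bytes):
        self.user_key = user_key
    def respond(self, nonce: bytes) -> bytes:
        response = mac(self.user_key, nonce)
        self.session_key = mac(self.user_key, response)  # never sent on the wire
        return response
    def sign(self, message: bytes) -> bytes:
        return mac(self.session_key, message)

class Server:
    def __init__(self, user_key: bytes, require_signing: bool):
        self.user_key, self.require_signing = user_key, require_signing
        self.session_key = None
    def challenge(self) -> bytes:
        self.nonce = os.urandom(8)
        return self.nonce
    def authenticate(self, response: bytes) -> bool:
        if not hmac.compare_digest(response, mac(self.user_key, self.nonce)):
            return False
        self.session_key = mac(self.user_key, response)
        return True
    def handle(self, message: bytes, signature: bytes = b"") -> bool:
        if self.session_key is None:
            return False
        if not self.require_signing:
            return True  # authenticated session, message integrity not checked
        return hmac.compare_digest(signature, mac(self.session_key, message))

# Constructed stand-in for the user's password hash (not a real credential).
USER_KEY = hashlib.sha256(b"constructed password").digest()[:16]

def direct_request_accepted(require_signing: bool) -> bool:
    client, server = Client(USER_KEY), Server(USER_KEY, require_signing)
    ok = server.authenticate(client.respond(server.challenge()))
    return ok and server.handle(b"request", client.sign(b"request"))

def relayed_request_accepted(require_signing: bool) -> bool:
    client, server = Client(USER_KEY), Server(USER_KEY, require_signing)
    nonce = server.challenge()
    response = client.respond(nonce)   # challenge passed on, genuine response returned
    server.authenticate(response)      # succeeds: the response itself is valid
    relay_key = mac(response, nonce)   # relay holds only wire data, not USER_KEY
    return server.handle(b"request", mac(relay_key, b"request"))
```

With signing off, the relayed session is indistinguishable from a direct one; with signing required, authentication still succeeds but every later message fails verification because the session key was never on the wire.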

“LDAP protocol is used in Active Directory to query and update all domain objects. There is a special configuration in the Group Policy Object (GPO) – Domain Controller: LDAP server signing requirements. When this GPO is set to Require Signing the domain controller rejects LDAP sessions that are not either digitally signed with a derived session key or the entire session is encrypted over TLS (LDAPS),” Preempt’s Yaron Zinar explains.

Tracked as CVE-2017-8563, the vulnerability stems from LDAPS lacking protection against credential forwarding, although, like LDAP signing, it does protect against Man-in-the-Middle (MitM) attacks.

“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user,” Zinar notes.

Because all Windows protocols use the Windows Authentication API (SSPI), which allows for authentication sessions to be downgraded to NTLM, “every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network,” the researcher notes.

The second vulnerability Preempt discovered resides in RDP Restricted-Admin, a protocol that allows users to connect to remote machines without revealing their password to the machine. RDP Restricted-Admin, the researchers say, allows downgrade to NTLM in the authentication negotiation, meaning that attacks that can be performed with NTLM can be carried out against RDP Restricted-Admin.

“As RDP Restricted-Mode is often used by support technicians with elevated privileges to access remote machines, this puts their credentials at risk of being compromised. Furthermore, when combined with the first LDAP relay issue, this means that each time an admin connected with RDP Restricted-Admin an attacker was able to create a rogue domain admin,” Zinar says.

Although RDP Restricted-Mode was previously found to allow attackers to connect to remote machines using pass-the-hash, Microsoft told Preempt that the vulnerability was a known issue, and “recommended configuring network to be safe from any sort of NTLM relay.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
