Two vulnerabilities in Microsoft’s NTLM network authentication protocol allow bypassing of protection with the help of an insert, rollback of NTLM security functions to earlier versions and lead to domain compromise.
Microsoft fixed the issues and released corresponding notifications as part of the “Tuesday updates” on October 8.Windows NT (New Technology) LAN Manager (NTLM) is a client/server request and response authentication protocol used to authenticate remote users and ensure session security. Its successor is the Kerberos network authentication protocol, which is used by default for all versions of Windows after Windows 2000. Although Kerberos is used more often, NTLM is still enabled in many companies.
Preempt researchers Yaron Zinar and Maryna Simakova found that the aforementioned vulnerabilities could be exploited for a relay attack, which in some cases could completely compromise the network and all Active Directory users with factory settings.
Vulnerability CVE-2019-1166 affects all versions of Windows and all servers for which the presence of a digital signature is not obligatory.
“This bypass allows attackers to relay authentication attempts which have successfully negotiated signing to another server, while tricking the server to entirely ignore the signing requirement”, — report researchers.
The vulnerability CVE-2019-1338 affects Windows 7 SP1, Windows 2008, and Windows 2008 R2.
Read also: Foxit PDF Reader developers fixed 8 critical vulnerabilities
A relay attack is a hacking technique similar to a man in the middle attack and a replay attack. In the classic “man in the middle” attack, the attacker intercepts and manipulates the traffic transmitted from one side to the other. In a classic relay attack, the attacker himself initiates the transmission of traffic from both sides, and then simply replays the messages between the two sides, without manipulating or even reading them, and initiates the transmission of traffic from both sides.
How can you protect your network? (Recommendations from Preempt)
- Enforce NTLM mitigations. In order to be fully protected from NTLM relay attacks you will need to enable server signing and EPA on all relevant servers.
- Patch! Make sure your systems are fully protected with the latest security updates.
- Apply advanced NTLM relay detection and prevention techniques similar to the ones disclosed by Preempt in our Black Hat 2019 talk (a free encore presentation can be found here).
- Some NTLM clients use weak NTLM variations (e.g., don’t send a MIC). This puts your network at a greater risk of being vulnerable to NTLM relay. Monitor NTLM traffic in your network and try to restrict insecure NTLM traffic.
- Get rid of clients sending LM responses and set the GPO Network security: LAN Manager authentication level to refuse LM responses.
- NTLM is not recommended to use in general as it poses some security concerns:NTLM relay, brute forcing, and other vulnerabilities.
