Security researchers have discovered two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM (short for NT LAN Manager), the company’s proprietary authentication protocol.
In a series of blog posts, researchers at Preempt said that the vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. The research shows that all Windows versions are vulnerable.
They said that NTLM is susceptible to relay attacks, which allow actors to capture an authentication and relay it to another server, granting them the ability to perform operations on the remote server using the authenticated user's privileges.
NTLM Relay is one of the most common attack techniques used in Active Directory environments, where the attacker compromises one machine, then moves laterally to other machines by using NTLM authentication directed at the compromised server, according to researchers.
Microsoft previously developed several mitigations for preventing NTLM relay attacks. Preempt researchers discovered that those mitigations have the following flaws, which attackers can exploit.
The first is the Message Integrity Code (MIC) field, which ensures that attackers cannot tamper with NTLM messages. The bypass discovered by Preempt researchers allows attackers to remove the MIC protection and modify various fields in the NTLM authentication flow, such as the signing negotiation.
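As an added illustration, not code from Preempt or Microsoft, of how a receiving server or a passive network monitor can tell a stripped MIC apart from a legacy client that never computed one: the NTLMv2 response inside the AUTHENTICATE message carries an AV_PAIR flag saying a MIC was computed, and that flag is protected by the response itself, so a relay can drop the MIC field but cannot clear the flag. Field offsets follow the MS-NLMP message layout; the sample messages are constructed here for the check.

```python
import struct

# Offsets/constants from the NTLM AUTHENTICATE_MESSAGE layout (MS-NLMP).
NTLMSSP_SIG, AUTHENTICATE = b"NTLMSSP\x00", 3
MSV_AV_EOL, MSV_AV_FLAGS = 0x0000, 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002             # client asserts "this message carries a MIC"
NEGOTIATE_VERSION = 0x02000000               # NTLMSSP_NEGOTIATE_VERSION
FIELD_OFFSETS = (12, 20, 28, 36, 44, 52)     # Lm, Nt, Domain, User, Workstation, SessionKey
MIC_OFFSET, MIC_LEN = 72, 16                 # MIC follows the 8-byte Version field

def _field(msg, off):
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def nt_av_flags(nt_response):
    # NTLMv2 response = 16-byte NtProofStr + NTLMv2_CLIENT_CHALLENGE; the AV_PAIR list
    # starts 28 bytes into the challenge and is covered by NtProofStr (relay-proof).
    pos = 16 + 28
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4:
            return struct.unpack_from("<I", nt_response, pos + 4)[0]
        pos += 4 + av_len
    return 0

def check_mic(msg):
    """(ok, reason): ok is False when the response says a MIC was computed but none is carried."""
    if msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE message")
    if not nt_av_flags(_field(msg, 20)) & AV_FLAG_MIC_PRESENT:
        return False, "client never asserted a MIC (legacy client); nothing to enforce"
    payload_start = min(struct.unpack_from("<I", msg, off + 4)[0] for off in FIELD_OFFSETS)
    if payload_start < MIC_OFFSET + MIC_LEN:
        return False, "AV flags claim a MIC but the message has no MIC field"
    if msg[MIC_OFFSET:MIC_OFFSET + MIC_LEN] == bytes(MIC_LEN):
        return False, "MIC field is present but zeroed"
    return True, "MIC present; verify it with the session key before trusting it"

def build_authenticate(with_mic, claim_mic):
    """Constructed sample message: only the NT response field is populated."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, AV_FLAG_MIC_PRESENT if claim_mic else 0)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + bytes(6) + bytes(8) + b"\x22" * 8 + bytes(4) + av + struct.pack("<HH", MSV_AV_EOL, 0)
    hdr_len = MIC_OFFSET + MIC_LEN if with_mic else MIC_OFFSET
    hdr = NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE)
    for off in FIELD_OFFSETS:                # empty fields point just past the data they follow
        size = len(nt_resp) if off == 20 else 0
        hdr += struct.pack("<HHI", size, size, hdr_len if off <= 20 else hdr_len + len(nt_resp))
    hdr += struct.pack("<I", NEGOTIATE_VERSION) + bytes(8)
    return hdr + (b"\x33" * MIC_LEN if with_mic else b"") + nt_resp
```

A MIC that is present still has to be verified against the exported session key; this check only catches the case where the integrity field was dropped outright.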
The second flaw is in SMB Session Signing which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. The bypass discovered by Preempt researchers enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.
Lastly, Windows Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages into TLS sessions. The bypass discovered by Preempt researchers allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user's privileges and perform operations such as reading the user's emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).
"Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly," stated Roman Blachman, CTO and co-founder at Preempt. "Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organisations can further protect their environments by gaining network NTLM visibility. Preempt works with its customers to ensure they have this visibility and the best protection possible."
Javvad Malik, security awareness advocate at KnowBe4, told SC Media UK that for this vulnerability, as with most Microsoft vulnerabilities, it is best to have the latest patches deployed. Additionally, the infrastructure should be kept in a hardened state, which means turning off any unnecessary, insecure, or outdated protocols and services.
"It's also worth bearing in mind that many vulnerabilities need a trigger point for an attacker to gain a foothold in the network. Many times this boils down to a phishing email or some other mechanism to entice a user to carry out a task to allow an attacker access. Therefore, keeping users aware of the threats and knowing how to recognise phishing or other social engineering attacks is always a good security investment," he said.