Advisory Overview
NTLM is one of several methods that can be used to authenticate and confirm the identity of a user within a Windows-based network. Two flaws in NTLM were recently found which could allow an attacker to trick NTLM into believing that the attacker is a legitimate user and allow them to access systems, gain privileges, and steal data. One of the two vulnerabilities exists in all versions of Windows, meaning an attacker could use this vulnerability to gain additional access to Domain security itself and increase the overall compromise. The other vulnerability only exists in Windows 7 and earlier on desktops/laptops, and Server 2008 R2 and earlier on servers. Patches to stop this form of attack were released by Microsoft – contact your IT department or Managed Service Provider to ensure these patches are applied.
Technical detail and additional information
Both vulnerabilities can bypass Microsoft NTLM relay attack mitigations and allow for the attacker to downgrade Windows NT (New Technology) LAN Manager (NTLM) security, allowing for invalid confirmation of identity and granting invalid access to systems and data. If the exploits succeed against Domain Controllers or other sensitive systems, this access could lead to Domain compromise. NTLM is a client/server authentication protocol which authenticates users between servers and desktops; but has been mostly replaced with more recent authentication methods such as Kerberos. In addition, it provides session security for certain application protocols. While most newer Windows networks (versions above Windows 2000) use Kerberos, NTLM is enabled by default on all Windows desktop/laptop and server versions except for Domain Controllers; though it may be enabled on Domain Controllers if required for legacy authentication.
What is the threat?
The first vulnerability allows for a man-in-the-middle attacker to bypass NTLM’s MIC (Message Integrity Check), which protects against NTLM message tampering. If successful, the attacker can downgrade NTLM security. All versions of Windows are susceptible to this attack. Microsoft has patched this vulnerability as part of their October’s Patch Tuesday: CVE-2019-1166.
The second vulnerability allows for a man-in-the-middle attacker to bypass NTLMv2 protection if the client is sending LMv2 responses. NTLM’s MIC protections are ineffective. If successful, the attacker can downgrade NTLM security. This affects Windows 7 SP1, Windows Server 2008 and Windows Server 2008 R2 machines. Microsoft has patched this vulnerability as part of their October’s Patch Tuesday: CVE-2019-1338.
Why is this noteworthy?
All Microsoft Windows customers are vulnerable to at least one of the two attacks. Customers who have enabled NTLM authentication on Domain Controllers (the default for Server 2008 R2 and earlier) are especially vulnerable to Domain compromise. While NTLM is a legacy protocol, disabling it entirely is not always an option since that would break compatibility with legacy applications. It therefore can be found active even in networks that have no servers or desktops prior to Windows 8 and/or Server 2012.
What is the exposure or risk?
While NTLM is a now-superseded authentication method, it is still enabled by default on all Windows desktops and servers except for Domain Controllers. One of the two vulnerabilities is known to be exploitable even on modern versions of Windows. As Domain Controllers can have NTLM enabled to facilitate legacy authentication, it is critical to ensure that NTLM is disabled and/or the appropriate patches are applied immediately to avoid Domain compromise. The vulnerabilities can allow an attacker to fraudulently authenticate to a vulnerable system, including sensitive data systems, Outlook Web Access, and Active Directory servers where NTLM is enabled. Such authentication can lead to data leaks/breaches and also allow for the creation of new credentials that can permit privilege escalation for further access and – in extreme cases – Domain takeover and compromise.
What are the recommendations?
Microsoft has patched both vulnerabilities as part of their October’s Patch Tuesday: CVE-2019-1338and CVE-2019-1166. Both patches should be applied at the earliest possible time, if they have not already been applied to all systems.
References:
For more in-depth information about the recommendations, please visit the following link(s):
· https://www.preempt.com/blog/drop-the-mic-2-active-directory-open-to-more-ntlm-attacks
If you have any questions, please contact our Security Operations Center.
