Microsoft is facing another significant vulnerability in one of its services. Security researchers have discovered a major flaw in the company’s NTLM authentication protocol. The bug could allow attackers to run remote code execution on an infected Windows machine.
Furthermore, bad actors could control a web server that supports Windows Integrated Authentication (WIA). Discovered by the Preempt team, which says all versions of Windows are at risk.
Unfortunately, Microsoft’s existing mitigations do not protect against the NTLM Relay flaw. Preempt says the NTLM Relay is becoming among the most used attack methods for exploiting Active Directory infrastructure.
Below are Microsoft’s existing mitigations and the reasons they don’t prevent NTLM Relay attacks:
Message Integrity Code (MIC) was created to stop bad actors from meddling with NTLM messages. The new attack method can bypass MIC and give attackers the ability to remove the mitigation.
SMB Session Signing was created to stop NTLM Relay attacks for authenticating SMB and DCE/RPC sessions. Attackers can bypass SMB Session Signing to move NTLM authentication to any server and establish signed session for remote execution.
Enhanced Protection for Authentication (EPA) was designed to stop attacked from relaying NTLM messages to TLS sessions. The attack bypass discovered by Preempt gives the hackers the ability to modify NTLM messages and create legitimate information.
Fix
Adhering to standard disclosure practices, the company has informed Microsoft responsibly. During Patch Tuesday yesterday, Microsoft rolled out CVE-2019-1040 and CVE-2019-1019 to fix the problem.
Here’s how to deal with the issue:
- Patch – Make sure that workstations and servers are properly patched.
- Configure
- Enforce SMB Signing – To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.
- Block NTLMv1 – Since NTLMv1 is considered significantly less secure; it is recommended to completely block it by setting the appropriate GPO.
- Enforce LDAP/S Signing – To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
- Enforce EPA – To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.
3. Reduce NTLM usage – Even with fully secured configuration and patched servers, NTLM poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM where it is not needed.
