Vulnerabilities in NTLM recently discovered by security provider Preempt could allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication.
Microsoft’s NTLM (NT LAN Manager) is an older and now outdated security protocol that authenticates user credentials in a Windows domain. Though Microsoft has long since replaced NTLM with Kerberos as the default authentication method for Active Directory, the company still supports the older protocol, while recommending that customers adopt Kerberos instead.
As we all know, even though a technology or protocol is old, outdated, or no longer recommended, that doesn’t mean organizations no longer use it. The problem is that NTLM is continually plagued by security holes. In a report released on Tuesday, security provider Preempt describes the latest flaws and offers advice on how to protect your network against them.
In its report, Preempt said that it recently uncovered two critical Microsoft vulnerabilities based on three logical flaws in NTLM. These vulnerabilities could allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS. Preempt’s research indicates that all versions of Windows are susceptible to these flaws.
One major pitfall in NTLM is that it’s open to relay attacks, the report noted. In a relay attack, an attacker captures an authentication on one server and then relays it to another server, opening the door to controlling the remote server using those same credentials.
Microsoft has developed several fixes to prevent NTLM relay attacks, but attackers can find ways to bypass them via the following three logical flaws:
- The Message Integrity Code (MIC) field tries to prevent attackers from tampering with NTLM messages. However, Preempt researchers discovered that attackers can remove the MIC protection and change certain fields used by the NTLM authentication.
- SMB Session Signing prevents attackers from relaying NTLM authentication messages as a way to establish SMB and DCE/RPC sessions. But Preempt found that attackers can relay NTLM authentication requests to any server in a domain, including domain controllers, and create a signed session to execute code on a remote machine. If the relayed authentication contains the credentials for a privileged user, the entire domain could be at risk.
- Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions. But Preempt discovered that attackers could modify NTLM messages to generate legitimate channel binding information. Such attackers could then connect to web servers in the domain by using a user’s credentials, thus allowing them to read the user’s emails by relaying to an Outlook Web Access server or to connect to cloud resources by relaying to an Active Directory Federation Services (ADFS) server.
On Tuesday, Microsoft will be issuing two patches to try to shore up these latest security holes in NTLM. Beyond urging organizations to patch vulnerable systems with these new updates, Preempt offers other pieces of advice.
Make sure that all workstations and servers are properly patched with Microsoft’s latest updates. Look for Microsoft’s CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday, June 11. But patching by itself isn’t enough, according to Preempt, which also recommends several configuration tweaks.
- Enforce SMB Signing. To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all networked machines.
- Block NTLMv1. Since NTLMv1 is considered insecure, Preempt advises organizations to block it completely through the appropriate group policy setting.
- Enforce LDAP/S Signing. To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
- Enforce EPA. To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.
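As an added example (not from Preempt’s report or from Microsoft), the read-only PowerShell script below audits one machine against the SMB signing, NTLMv1 and LDAP recommendations above. It assumes the standard Windows registry values behind the corresponding group policy settings; the thresholds are this example's reading of "enforce", and EPA is left out because it is configured per web application rather than in one registry value.

```powershell
# Added example: audit the registry values behind the SMB, NTLMv1 and LDAP recommendations.
# Read-only. The NTDS key exists only on domain controllers, so those checks report N/A elsewhere.
$checks = @(
    @{ Name  = 'SMB server signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Min = 1 },
    @{ Name  = 'SMB client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Min = 1 },
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    @{ Name  = 'NTLMv1 refused'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'LmCompatibilityLevel'; Min = 5 },
    # LDAPServerIntegrity 2 = require signing
    @{ Name  = 'LDAP server signing required (DC only)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Min = 2 },
    # LdapEnforceChannelBinding 2 = always enforce
    @{ Name  = 'LDAPS channel binding enforced (DC only)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LdapEnforceChannelBinding'; Min = 2 }
)

$results = foreach ($c in $checks) {
    $actual    = $null
    $keyExists = Test-Path -LiteralPath $c.Path
    if ($keyExists) {
        $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Value -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = $item.($c.Value) }
    }
    if (-not $keyExists) {
        $status = 'N/A (key absent)'
    } elseif ($null -eq $actual) {
        $status = 'NOT SET (OS default applies)'
    } elseif ([int]$actual -ge $c.Min) {
        $status = 'OK'
    } else {
        $status = 'WEAK'
    }
    [pscustomobject]@{ Check = $c.Name; Expected = ">= $($c.Min)"; Actual = $actual; Status = $status }
}
$results | Format-Table -AutoSize
```

A `NOT SET` result means the operating system default is in effect, which depends on the Windows version and should be confirmed against the applied group policy.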
“Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly,” Roman Blachman, Preempt’s CTO and co-founder, said in a press release. “Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organizations can further protect their environments by gaining network NTLM visibility.”