As part of this month’s Patch Tuesday, Microsoft has released security patches for a serious privilege escalation vulnerability which affect all versions of its Windows operating system for enterprises released since 2007.
Researchers at behavioral firewall specialist Preempt discovered two zero-day vulnerabilities in Windows NTLM security protocols, both of which allow attackers to create a new domain administrator account and get control of the entire domain.
NT LAN Manager (NTLM) is an old authentication protocol used on networks that include systems running the Windows operating system and stand-alone systems.
Although NTLM was replaced by Kerberos in Windows 2000 that adds greater security to systems on a network, NTLM is still supported by Microsoft and continues to be used widely.
The first vulnerability involves unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second impact Remote Desktop Protocol (RDP) Restricted-Admin mode.
LDAP fails to adequately protect against NTLM relay attacks, even when it has built-in LDAP signing the defensive measure, which only protects from man-in-the-middle (MitM) attacks and not from credential forwarding at all.
The vulnerability could allow an attacker with SYSTEM privileges on a target system to use incoming NTLM sessions and perform the LDAP operations, like updating domain objects, on behalf of the NTLM user.
“To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM,” Yaron Zinar from Preempt said in a blog post, detailing the vulnerability.
“As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”
Video Demonstration of Relay Attack
Preempt researchers also provided a video to demonstrate credential relay attacks.
The second NTLM vulnerability affects Remote Desktop Protocol Restricted-Admin mode – this RDP Restricted-Admin mode allows users to connect to a remote computer without giving their password.
According to Preempt researchers, RDP Restricted-Admin allows authentication systems to downgrade to NTLM. This means the attacks performed with NTLM, such as credential relaying and password cracking, could also be carried out against RDP Restricted-Admin.
When combined with the LDAP relay vulnerability, an attacker could create a fake domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.
The researchers discovered and privately reported LDAP and RDP Relay vulnerabilities in NTLM to Microsoft in April.
However, Microsoft acknowledged the NTLM LDAP vulnerability in May, assigning it CVE-2017-8563, but dismissed the RDP bug, claiming it is a “known issue” and recommending configuring a network to be safe from any NTLM relay.
“In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to send malicious traffic to a domain controller. An attacker who successfully exploited this vulnerability could run processes in an elevated context,” Microsoft explained in its advisory.
“The update addresses this vulnerability by incorporating enhancements to authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel binding information.”
So, sysadmins are recommended to patch their vulnerable servers with NT LAN Manager enabled as soon as possible.
You can either consider turning NT LAN Manager off or require that incoming LDAP and SMB packets are digitally signed in order to prevent credential relay attacks.
Besides this NTLM relay flaw, Microsoft has released patches for 55 security vulnerabilities, which includes 19 critical, in several of its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.
Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.