A massive new vulnerability has been found in Microsoft’s NTLM authentication protocol that could let attackers execute code remotely on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS.
The two critical Microsoft vulnerabilities, which consist of three logical flaws, were discovered by the Preempt research team. They report that all Windows versions are vulnerable and that the flaws bypass previous mitigations Microsoft put in place.
NTLM Relay is one of the most common attack techniques used in Active Directory environments, and while Microsoft has previously developed several mitigations for preventing NTLM relay attacks, the Preempt researchers discovered those mitigations have the following exploitable flaws:
- The Message Integrity Code (MIC) field ensures that attackers do not tamper with NTLM messages. The bypass discovered by Preempt researchers allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.
- SMB Session Signing prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. The bypass enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.
- Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions. The bypass allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).

Preempt has responsibly disclosed the vulnerability to Microsoft, which issued CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday to address the issue. Preempt, however, warns that this is not enough and that admins also need to make some configuration changes to ensure protection.
To protect your network:
1. Patch – Make sure that workstations and servers are properly patched.
- Enforce SMB Signing – To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.
- Block NTLMv1 – Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO.
- Enforce LDAP/S Signing – To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
- Enforce EPA – To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.
3. Reduce NTLM usage – Even with fully secured configuration and patched servers, NTLM poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM where it is not needed.
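
The SMB signing, NTLMv1 and LDAP items above can be checked on a host with a read-only audit of the registry values that the corresponding Group Policy settings write. This is an added example, not code from Preempt or Microsoft; the pass thresholds and the domain controller heuristic are assumptions chosen to match the recommendations above, and EPA on OWA/ADFS web servers is configured elsewhere and is not covered.

```powershell
# Added example: read-only audit of registry values behind the hardening list.
# Run locally in an elevated PowerShell session; nothing is modified.
$base = 'HKLM:\SYSTEM\CurrentControlSet'
$ntds = "$base\Services\NTDS\Parameters"

$checks = @(
    # SMB signing required on both the server and the client side (1 = required)
    @{ Name = 'SMB server signing required'; Path = "$base\Services\LanmanServer\Parameters"
       Value = 'RequireSecuritySignature'; Min = 1; DcOnly = $false }
    @{ Name = 'SMB client signing required'; Path = "$base\Services\LanmanWorkstation\Parameters"
       Value = 'RequireSecuritySignature'; Min = 1; DcOnly = $false }
    # LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLMv1
    @{ Name = 'NTLMv1 refused'; Path = "$base\Control\Lsa"
       Value = 'LmCompatibilityLevel'; Min = 5; DcOnly = $false }
    # Domain controllers only: 2 = require LDAP signing
    @{ Name = 'LDAP signing required'; Path = $ntds
       Value = 'LDAPServerIntegrity'; Min = 2; DcOnly = $true }
    # Domain controllers only: 2 = always enforce LDAPS channel binding
    @{ Name = 'LDAPS channel binding enforced'; Path = $ntds
       Value = 'LdapEnforceChannelBinding'; Min = 2; DcOnly = $true }
)

# Assumption: a host with the NTDS parameters key is a domain controller
$isDc = Test-Path $ntds

$results = foreach ($c in $checks) {
    if ($c.DcOnly -and -not $isDc) { continue }

    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Value) } else { $null }
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }

    # A missing value means the OS default applies; report it as a failure
    # so the setting gets pinned explicitly by policy.
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = $shown
        Required = $c.Min
        Pass     = ($null -ne $actual) -and ($actual -ge $c.Min)
    }
}

$results | Format-Table -AutoSize
```

Rows with `Pass` set to `False` identify hosts where the corresponding GPO has not been applied or has been overridden.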