October 10, 2019

NTLM Security Feature Bypasses Lead to Full Domain Compromise

Two security vulnerabilities in Microsoft's NTLM authentication protocol allow attackers to bypass the MIC (Message Integrity Code) protection.

As part of the security updates released yesterday, following Preempt's disclosure, Microsoft fixed two NTLM bugs and issued security advisories for them.

Preempt researchers Yaron Zinar and Marina Simakov discovered that attackers can exploit these flaws as part of NTLM relay attacks that may, in some cases, “make a complete network domain compromise,” affecting Active Directory customers running default settings.

NTLM (Windows NT LAN Manager) is a challenge-response authentication protocol used to authenticate remote users in client/server scenarios and to secure the connection when an application protocol requests it.

NTLM has been superseded by Kerberos, which is the default authentication protocol for domain-joined devices on all Windows versions since Windows 2000.

“While Kerberos is the most common authentication protocol in most organizations, NTLM is still allowed and thus used by attackers to exploit the vulnerabilities mentioned above,” Preempt's advisory adds.

Tampering bug affects all supported Windows versions

Preempt's research team identified flaws that potential attackers could abuse to defeat Microsoft's NTLM relay attack mitigations.

While Microsoft added a Message Integrity Code (MIC) field that blocks attackers from manipulating NTLM messages, Preempt's researchers found an NTLM authentication bypass that allows attackers to “modify any field in NTLM message flow, including the signing requirement.”

NTLM relay basic flow

CVE-2019-1166 affects all supported versions of Windows; any server that does not enforce signing is vulnerable to attacks that use it.

“Microsoft Windows has a tampering flaw when a man-in-the-middle can successfully circumvent NTLM MIC (Message Integrity Check) security,” Microsoft advises.

The second flaw concerns clients sending LMv2 responses

“An attacker who exploited this vulnerability could be able to disable NTLM safety features.”

The second vulnerability discovered by Preempt also bypasses the MIC protection against NTLM relay attacks, as well as other NTLM relay mitigations including, but not limited to, Extended Protection for Authentication (EPA) and target SPN validation, for certain old NTLM clients that send LMv2 challenge responses.

This affects Windows 7 SP1, Windows 2008 and Windows 2008 R2 devices and could be used in attacks allowing threat actors “to successfully authenticate their NTLM relays to sensitive servers such as OWA and ADFS and steal valuable user data.”

“In Microsoft Windows, when a man-in-the-middle attacker can successfully bypass NTLMv2 protection, there is a bypass vulnerability.”

“An intruder who effectively exploited this vulnerability could be given the ability to uninstall NTLM security features.”

Customers with default configurations are exposed to attack

To exploit CVE-2019-1166, an attacker must be able to tamper with the NTLM exchange; likewise, exploiting CVE-2019-1338 requires the ability to modify NTLM traffic.

“All Active Directory customers with default settings are vulnerable to such attacks,” the Preempt researchers added.

“Organizations that do not block LM responses and have clients still sending default responses are vulnerable to targeted attacks against those clients to circumvent additional NTLM security.” More technical details and context on the two NTLM vulnerabilities are available in Preempt's write-up.

Past NTLM faults and failures

This isn't the first time Preempt has found NTLM vulnerabilities: in June, Microsoft's Patch Tuesday security updates fixed two critical vulnerabilities, consisting of three logical flaws, that allowed remote code execution on machines running any version of Windows.

Preempt previously disclosed another bug affecting all supported Windows versions, patched by Microsoft in the July 2017 Patch Tuesday, which allowed attackers to create admin accounts on a local network's domain controller (DC).

Preempt's research team provides the following guidelines to secure networks with devices affected by these vulnerabilities:

• Enforce NTLM mitigations. To be fully protected from NTLM relay attacks, you need to enable server signing and EPA on all relevant servers.
• Patch! Make sure your systems are fully protected with the latest security updates.
• Apply advanced NTLM relay detection and prevention techniques similar to the ones disclosed by Preempt in our Black Hat 2019 talk (a free encore presentation can be found here).
• Some NTLM clients use weak NTLM variations (e.g., they don't send a MIC). This puts your network at greater risk of NTLM relay. Monitor NTLM traffic in your network and try to restrict insecure NTLM traffic.
• Get rid of clients sending LM responses and set the GPO "Network security: LAN Manager authentication level" to refuse LM responses.
• NTLM is not recommended in general, as it poses several security concerns: NTLM relay, brute forcing, and other vulnerabilities. You can read about general NTLM risks here. As a rule of thumb, reduce NTLM usage in your network as much as possible.
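As an added example (not Preempt's code or tooling), the Python inspector below shows what "monitoring NTLM traffic for weak variations" from the list above can check on a captured AUTHENTICATE message: whether the client used NTLMv2, negotiated signing, actually carried a MIC, and included the target SPN and channel-binding AV pairs that target SPN validation and EPA rely on. The field layout follows MS-NLMP; the sample messages, the `build_sample` helper and the SPN `cifs/fs1.corp.example` are constructed for the demonstration.

```python
import struct
# NegotiateFlags bits (MS-NLMP 2.2.2.5) and AV_PAIR ids (MS-NLMP 2.2.2.1) used by the checks below
NEGOTIATE_SIGN, NEGOTIATE_ALWAYS_SIGN = 0x00000010, 0x00008000
AV_EOL, AV_FLAGS, AV_TARGET_NAME, AV_CHANNEL_BINDINGS = 0x0, 0x6, 0x9, 0xA
AV_FLAG_MIC_PRESENT = 0x2  # MsvAvFlags bit: the client says it included a MIC

def _field(msg, off):  # resolve a Len/MaxLen/Offset field to the payload bytes it references
    length, _, offset = struct.unpack_from("<HHI", msg, off)
    return msg[offset:offset + length]

def _av_pairs(ntlmv2_resp):
    """Parse the AV_PAIR list after the 16-byte HMAC and 28-byte NTLMv2_CLIENT_CHALLENGE header."""
    pairs, pos = {}, 44
    while pos + 4 <= len(ntlmv2_resp):
        av_id, av_len = struct.unpack_from("<HH", ntlmv2_resp, pos)
        if av_id == AV_EOL:
            break
        pairs[av_id] = ntlmv2_resp[pos + 4:pos + 4 + av_len]
        pos += 4 + av_len
    return pairs

def inspect_authenticate(msg):
    """Report the relay-relevant properties of one NTLM AUTHENTICATE_MESSAGE (Type 3)."""
    if msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    nt_resp = _field(msg, 20)
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Older clients start the payload before offset 88, i.e. the message has no MIC field at all.
    payload_start = min(f[2] for f in (struct.unpack_from("<HHI", msg, o) for o in range(12, 60, 8)) if f[0])
    mic = msg[72:88] if payload_start >= 88 else b""
    av = _av_pairs(nt_resp) if len(nt_resp) > 24 else {}  # a 24-byte NtChallengeResponse is NTLMv1
    av_flags = struct.unpack("<I", av[AV_FLAGS])[0] if AV_FLAGS in av else 0
    return {
        "ntlmv2": len(nt_resp) > 24,
        "signing_negotiated": bool(flags & (NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN)),
        "mic_present": any(mic) and bool(av_flags & AV_FLAG_MIC_PRESENT),
        "spn_bound": AV_TARGET_NAME in av,       # material for target SPN validation
        "epa_bound": AV_CHANNEL_BINDINGS in av,  # channel-binding hash used by EPA
    }

def build_sample(flags, av_flags, with_spn, mic):
    """Constructed Type 3 sample for testing: empty names, zeroed LM slot, one NTLMv2 response."""
    pairs = struct.pack("<HHI", AV_FLAGS, 4, av_flags)
    if with_spn:
        spn = "cifs/fs1.corp.example".encode("utf-16-le")  # hypothetical target SPN
        pairs += struct.pack("<HH", AV_TARGET_NAME, len(spn)) + spn
    nt_resp = b"\x22" * 16 + b"\x01\x01" + b"\x00" * 26 + pairs + struct.pack("<HH", AV_EOL, 0)
    fields = struct.pack("<HHI", 24, 24, 88) + struct.pack("<HHI", len(nt_resp), len(nt_resp), 112)
    fields += struct.pack("<HHI", 0, 0, 112 + len(nt_resp)) * 4  # Domain, User, Workstation, SessionKey
    return b"NTLMSSP\x00" + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + b"\x00" * 8 + mic + b"\x00" * 24 + nt_resp
```

A message whose MsvAvFlags claims a MIC while the MIC field is all zeros, or that negotiates no signing at all, is the kind of "insecure NTLM traffic" worth alerting on and restricting.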

“Even if NTLM relay is an ancient technique, businesses cannot avoid the use of the protocol in its entirety because it will disrupt many applications,” Preempt Chief Technical Officer and Co-Founder Roman Blachman said in June.

“Therefore, it still poses an important threat to businesses, especially with new vulnerabilities constantly discovered.”
