Preempt Shows How to Sidestep EPA Authentication

Security firm Preempt issued an advisory that showed how to conceptually bypass the Enhanced Protection for Authentication that prevents attackers from performing a relay of NT Lan Manager messages to top-level security sessions.

Larry Loeb, Blogger, Informationweek

June 13, 2019

2 Min Read

Security firm Preempt issued an advisory that showed how to conceptually bypass the Enhanced Protection for Authentication (EPA) that prevents attackers from performing a relay of NT Lan Manager (NTLM) messages to top-level security (TLS) sessions. Attackers could use NTLM to enable their own fake sessions. Since a relay attack is the most common one used against the proprietary NTLM, EPA was put there to stop them.

Preempt says that their "bypass allows attackers to modify NTLM messages to generate legitimate channel binding information. This can allow attackers to connect to various web servers using the attacked user's privileges and perform operations such as: read the user's emails (by relaying to Outlook Web Access (OWA) servers) or even connect to cloud resources (by relaying to Active Directory Federation Services (ADFS) servers)."

Also, the Message Integrity Code (MIC) is not tampered with. Instead, it is just cut out. The advisory says, "bypass allows attackers to remove the 'MIC' protection and modify various fields in the NTLM authentication flow, such as signing negotiation."

But wait, one more.

Server Message Block (SMB) Session Signing was to prevent attackers from relaying NTLM authentication messages to establish SMB and other sessions. It's the same relay attack, but the defense tool was adapted for this specific situation.

The researchers went on, "The bypass we discovered enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise."

Boy Howdy, that's a #fail.

They patched the bypass in the June Patch Tuesday. But just the patching alone is not sufficient to deal with this and other problems.

Preempt says that configuration changes should be done to the network. Because it's NTLM, you know?

Some really relevant network options are:

 

  • Enforce SMB Signing -- To prevent attackers from launching simpler NTLM relay attacks, turn "SMB Signing" on throughout the network.

 

 

  • Block NTLMv1 -- Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO. Why make it worse than it has to be?

 

 

  • Enforce LDAP/S Signing -- To prevent NTLM relay in Lightweight Directory Access Protocol (LDAP), enforce LDAP signing and LDAPS channel binding on domain controllers.

 

 

  • Enforce EPA -- To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA. Reduce NTLM usage - Even with a fully secure configuration and fully patched servers NTLM still poses a significantly greater risk to most analysts than Kerberos. Preempt recommends that you remove NTLM anywhere it is not needed.

 

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Read more about:

Security Now

About the Author(s)

Larry Loeb

Larry Loeb

Blogger, Informationweek

Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek. He has written a book on the Secure Electronic Transaction Internet protocol. His latest book has the commercially obligatory title of Hack Proofing XML. He's been online since uucp "bang" addressing (where the world existed relative to !decvax), serving as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. His first Mac had 128 KB of memory, which was a big step up from his first 1130, which had 4 KB, as did his first 1401. You can e-mail him at [email protected].

See more from Larry Loeb
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
Subscribe

You May Also Like

More Insights
Webinars
More Webinars
Events
More Events

Editor's Choice

Closeup of mix many different multicolored Dutch tulips in a garden border near Amsterdam, Holland / Netherlands
Vulnerabilities & Threats
Microsoft Windows DWM Zero-Day Poised for Mass ExploitMicrosoft Windows DWM Zero-Day Poised for Mass Exploit
byTara Seals, Managing Editor, News, Dark Reading
May 14, 2024
6 Min Read
Five spiders with computerized eyes.
Threat Intelligence
As the FBI Closes In, Scattered Spider Attacks Finance, Insurance OrgsAs the FBI Closes In, Scattered Spider Attacks Finance, Insurance Orgs
byNate Nelson, Contributing Writer
May 14, 2024
4 Min Read
thumbnail
Vulnerabilities & Threats
Heartbleed: When Is It Good to Name a Vulnerability?Heartbleed: When Is It Good to Name a Vulnerability?
byAndrada Fiscutean
May 13, 2024
6 Min Read
Reports
More Reports
White Papers
More Whitepapers
Events
More Events