Dark Reading is part of the Informa Tech Division of Informa PLC



6/13/2019
04:38 PM
Larry Loeb

Preempt Shows How to Sidestep EPA Authentication

Security firm Preempt issued an advisory that showed how to conceptually bypass Extended Protection for Authentication, the feature that prevents attackers from relaying NT LAN Manager messages into Transport Layer Security sessions.

Security firm Preempt issued an advisory that showed how to conceptually bypass Extended Protection for Authentication (EPA), the feature that prevents attackers from relaying NT LAN Manager (NTLM) messages into Transport Layer Security (TLS) sessions. EPA binds an NTLM authentication to the TLS channel it was sent over (a channel binding token carried inside the NTLM response), so an attacker who relays a victim's NTLM messages cannot use them to open a session of their own with a TLS-protected server. Since relay is the most common attack against the proprietary NTLM protocol, EPA was put there to stop it.

Preempt says that their "bypass allows attackers to modify NTLM messages to generate legitimate channel binding information. This can allow attackers to connect to various web servers using the attacked user's privileges and perform operations such as: read the user's emails (by relaying to Outlook Web Access (OWA) servers) or even connect to cloud resources (by relaying to Active Directory Federation Services (ADFS) servers)."

The other bypass targets the Message Integrity Code (MIC), an HMAC over the three NTLM messages that is supposed to stop a man-in-the-middle from altering them. The MIC is not forged; it is simply cut out of the final message, and an unpatched server then skips the integrity check altogether. The advisory says, "bypass allows attackers to remove the 'MIC' protection and modify various fields in the NTLM authentication flow, such as signing negotiation." Microsoft tracks this one as CVE-2019-1040.
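To make the MIC removal concrete, here is an added example (not code from Preempt's advisory or from Microsoft) that builds an NTLM AUTHENTICATE_MESSAGE per MS-NLMP, strips its Version and MIC fields and clears the signing flags the way a relay would, and then checks the result against two simplified models of the server: the pre-patch rule "verify the MIC only if it is present" and the patched rule "if the HMAC-protected MsvAvFlags says the client sent a MIC, it must be present and valid." The session key, the NEGOTIATE and CHALLENGE stand-ins and the NTProofStr are constructed placeholders, and the NTProofStr verification that protects the AV pairs is assumed rather than computed.

```python
import hmac
import hashlib
import struct

# NegotiateFlags bits (MS-NLMP 2.2.2.5)
NEGOTIATE_UNICODE, NEGOTIATE_SIGN, NEGOTIATE_NTLM = 0x00000001, 0x00000010, 0x00000200
NEGOTIATE_ALWAYS_SIGN, NEGOTIATE_VERSION, NEGOTIATE_KEY_EXCH = 0x00008000, 0x02000000, 0x40000000
# AV_PAIR ids (MS-NLMP 2.2.2.1); MsvAvFlags bit 0x2 means "the client sent a MIC"
MSV_AV_EOL, MSV_AV_NB_DOMAIN, MSV_AV_FLAGS, MSV_AV_TARGET = 0x0000, 0x0002, 0x0006, 0x0009
AV_FLAG_MIC_PRESENT = 0x00000002
HEADER_WITH_MIC = 88  # 64-byte fixed header + 8-byte Version + 16-byte MIC; payload starts here

def pack_av(av_id, value):
    return struct.pack('<HH', av_id, len(value)) + value

def parse_av(blob):
    """Parse an AV_PAIR list into {AvId: value}, stopping at MsvAvEOL."""
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from('<HH', blob, off)
        off += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[off:off + av_len]
        off += av_len

def build_authenticate(nt_response, flags):
    """AUTHENTICATE_MESSAGE with Version and a zeroed MIC; sign_mic() fills the MIC in."""
    fields, payload = b'', b''
    # header field order: LmChallengeResponse, NtChallengeResponse, DomainName, UserName, Workstation, SessionKey
    for item in (b'', nt_response, 'CORP'.encode('utf-16-le'), 'alice'.encode('utf-16-le'), b'', b''):
        fields += struct.pack('<HHI', len(item), len(item), HEADER_WITH_MIC + len(payload))
        payload += item
    return b'NTLMSSP\x00' + struct.pack('<I', 3) + fields + struct.pack('<I', flags) + bytes(24) + payload

def sign_mic(negotiate, challenge, authenticate, session_key):
    """MIC = HMAC_MD5(ExportedSessionKey, NEGOTIATE || CHALLENGE || AUTHENTICATE with the MIC zeroed)."""
    mic = hmac.new(session_key, negotiate + challenge + authenticate, hashlib.md5).digest()
    return authenticate[:72] + mic + authenticate[88:]

def mic_field(msg):
    """Return the 16 MIC bytes if the payload leaves room for them, else None."""
    offsets = []
    for i in range(6):
        ln, _, off = struct.unpack_from('<HHI', msg, 12 + 8 * i)
        if ln:
            offsets.append(off)
    return msg[72:88] if min(offsets) >= HEADER_WITH_MIC else None

def nt_response_flags(msg):
    """MsvAvFlags from the NTLMv2 response; its AV pairs sit under the NTProofStr HMAC, so a relay cannot edit them."""
    ln, _, off = struct.unpack_from('<HHI', msg, 20)
    av = parse_av(msg[off + 44:off + ln])  # skip 16-byte NTProofStr + 28-byte NTLMv2_CLIENT_CHALLENGE header
    return struct.unpack('<I', av.get(MSV_AV_FLAGS, bytes(4)))[0]

def accept_prepatch(negotiate, challenge, msg, session_key):
    """Unpatched model: verify the MIC only if the message carries one."""
    mic = mic_field(msg)
    if mic is None:
        return True
    zeroed = msg[:72] + bytes(16) + msg[88:]
    return hmac.compare_digest(mic, hmac.new(session_key, negotiate + challenge + zeroed, hashlib.md5).digest())

def accept_patched(negotiate, challenge, msg, session_key):
    """Patched model: if the protected MsvAvFlags says a MIC was sent, a missing MIC means tampering."""
    if nt_response_flags(msg) & AV_FLAG_MIC_PRESENT and mic_field(msg) is None:
        return False
    return accept_prepatch(negotiate, challenge, msg, session_key)

def drop_the_mic(msg):
    """The relay's edit: strip Version and MIC, clear the signing/key-exchange flags, rebase payload offsets by 24."""
    cleared = NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN | NEGOTIATE_KEY_EXCH | NEGOTIATE_VERSION
    flags = struct.unpack_from('<I', msg, 60)[0] & ~cleared
    fields = b''
    for i in range(6):
        ln, mx, off = struct.unpack_from('<HHI', msg, 12 + 8 * i)
        fields += struct.pack('<HHI', ln, mx, off - 24)
    return msg[:12] + fields + struct.pack('<I', flags) + msg[88:]

def demo():
    # Constructed inputs: the session key is really derived from the user's NT hash, NEGOTIATE/CHALLENGE are
    # minimal stand-ins, and the 16-byte NTProofStr is a placeholder (its verification is not modelled here).
    session_key = bytes.fromhex('00112233445566778899aabbccddeeff')
    negotiate = b'NTLMSSP\x00' + struct.pack('<I', 1) + bytes(24)
    challenge = b'NTLMSSP\x00' + struct.pack('<I', 2) + bytes(44)
    av = (pack_av(MSV_AV_NB_DOMAIN, 'CORP'.encode('utf-16-le'))
          + pack_av(MSV_AV_FLAGS, struct.pack('<I', AV_FLAG_MIC_PRESENT))
          + pack_av(MSV_AV_TARGET, 'cifs/dc01.corp.local'.encode('utf-16-le'))
          + pack_av(MSV_AV_EOL, b''))
    nt_response = bytes(16) + b'\x01\x01' + bytes(26) + av  # NTProofStr + NTLMv2_CLIENT_CHALLENGE header + AV pairs
    flags = (NEGOTIATE_UNICODE | NEGOTIATE_NTLM | NEGOTIATE_SIGN | NEGOTIATE_ALWAYS_SIGN
             | NEGOTIATE_KEY_EXCH | NEGOTIATE_VERSION)
    genuine = sign_mic(negotiate, challenge, build_authenticate(nt_response, flags), session_key)
    tampered = drop_the_mic(genuine)
    return {
        'genuine_prepatch': accept_prepatch(negotiate, challenge, genuine, session_key),
        'genuine_patched': accept_patched(negotiate, challenge, genuine, session_key),
        'tampered_prepatch': accept_prepatch(negotiate, challenge, tampered, session_key),
        'tampered_patched': accept_patched(negotiate, challenge, tampered, session_key),
        'tampered_signing_negotiated': bool(struct.unpack_from('<I', tampered, 60)[0] & NEGOTIATE_SIGN),
    }
```

Calling demo() shows the unpatched model accepting the tampered message with signing negotiated away, while the patched model rejects it. The point of the fix is that the "MIC present" bit lives inside the NTLMv2 response, which the relay cannot alter without the user's NT hash, so the server can use it to detect the missing MIC.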

But wait, one more.

Server Message Block (SMB) session signing is meant to prevent attackers from relaying NTLM authentication messages to establish SMB and other sessions: a relayed session cannot be signed, because the attacker never learns the session key. It's the same relay attack, with the defense adapted to that specific situation.

The researchers went on, "The bypass we discovered enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise."

Boy Howdy, that's a #fail.

Microsoft patched the bypasses in the June 2019 Patch Tuesday release. But patching alone is not sufficient to deal with this and other NTLM relay problems.

Preempt says that configuration changes should also be made to the network, because the underlying weakness is NTLM itself.

Some really relevant network options are:

  • Enforce SMB Signing -- To prevent attackers from launching simpler NTLM relay attacks, turn "SMB Signing" on throughout the network (the "Microsoft network server: Digitally sign communications (always)" and "Microsoft network client: Digitally sign communications (always)" policies).

  • Block NTLMv1 -- Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO ("Network security: LAN Manager authentication level" set to "Send NTLMv2 response only. Refuse LM & NTLM"). Why make it worse than it has to be?

  • Enforce LDAP/S Signing -- To prevent NTLM relay in Lightweight Directory Access Protocol (LDAP), enforce LDAP signing and LDAPS channel binding on domain controllers.

  • Enforce EPA -- To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.

  • Reduce NTLM usage -- Even with a fully secure configuration and fully patched servers, NTLM still poses a significantly greater risk than Kerberos. Preempt recommends that you remove NTLM anywhere it is not needed.

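To turn that list into something you can check, here is an added PowerShell audit script (not Preempt's or Microsoft's tooling) that reads the registry, AD FS and IIS settings behind each recommendation and reports PASS or FAIL, then tails the NTLM audit log to show where the "reduce NTLM usage" work starts. Run it elevated on the host being checked; the domain-controller-only values simply report "not set" elsewhere. The $OwaSitePath value is an assumption about where the OWA virtual directory lives in IIS and should be adjusted.

```powershell
# Added audit script: checks the settings behind the recommendations above. Not Preempt's or Microsoft's code.
$OwaSitePath = 'IIS:\Sites\Default Web Site\owa'   # assumption: adjust to the OWA virtual directory

$checks = @(
    @{ Name = 'SMB signing required (server side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Value = 'RequireSecuritySignature'; Expect = 1 }
    @{ Name = 'SMB signing required (client side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expect = 1 }
    @{ Name = 'LAN Manager auth level 5 (send NTLMv2 only, refuse LM and NTLMv1)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LmCompatibilityLevel'; Expect = 5 }
    @{ Name = 'LDAP server signing required (domain controllers)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Value = 'LDAPServerIntegrity'; Expect = 2 }
    @{ Name = 'LDAPS channel binding token always required (domain controllers)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Value = 'LdapEnforceChannelBinding'; Expect = 2 }
    @{ Name = 'Audit incoming NTLM for all accounts (to find what still depends on NTLM)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Value = 'AuditReceivingNTLMTraffic'; Expect = 2 }
)

function Test-Expectation {
    param([string]$Setting, $Actual, $Expect)
    [pscustomobject]@{
        Status  = $(if ("$Actual" -eq "$Expect") { 'PASS' } else { 'FAIL' })
        Setting = $Setting
        Found   = $(if ($null -eq $Actual -or "$Actual" -eq '') { 'not set' } else { "$Actual" })
    }
}

$results = foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    Test-Expectation -Setting $c.Name -Actual $actual -Expect $c.Expect
}

# AD FS: EPA must be Require; Allow or None still accepts a relayed NTLM response without a channel binding token
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    $results += Test-Expectation -Setting 'AD FS ExtendedProtectionTokenCheck' `
        -Actual (Get-AdfsProperties).ExtendedProtectionTokenCheck -Expect 'Require'
}

# IIS (OWA virtual directory): Windows authentication extendedProtection tokenChecking must be Require
if (Get-Module -ListAvailable WebAdministration) {
    Import-Module WebAdministration
    if (Test-Path $OwaSitePath) {
        $ep = Get-WebConfiguration -PSPath $OwaSitePath `
            -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
        $results += Test-Expectation -Setting "IIS extendedProtection tokenChecking ($OwaSitePath)" `
            -Actual $ep.tokenChecking -Expect 'Require'
    }
}

$results | Format-Table -AutoSize

# The NTLM audit log lists who still authenticates with NTLM (8002 = incoming on this server, 8004 = domain-level
# audit on a DC). Review these before switching the Restrict* values under MSV1_0 from audit to deny.
$ntlmAudit = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8002, 8004 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue
if ($ntlmAudit) {
    '{0} recent NTLM audit events; sample:' -f $ntlmAudit.Count
    $ntlmAudit | Select-Object -First 5 TimeCreated, Id, Message | Format-List
}
```

The script only reports; enforcement belongs in Group Policy so that every server gets the same values, and the registry names above are the ones the corresponding policies write.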

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
