Vulnerabilities / Threats

7/11/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Patches Critical Zero-Day Flaw in Windows Security Protocol

Researchers at Preempt uncovered two critical vulnerabilities in the Windows NTLM security protocols, one of which Microsoft patched today.

Microsoft today issued a patch for a newly revealed critical vulnerability affecting its Windows NT LAN Manager (NTLM) security protocols.

Researchers at Preempt uncovered two zero-day vulnerabilities within the Windows NTLM, both of which handle the protocol improperly and could allow attackers to create domain administrator accounts. One flaw was fixed as part of Patch Tuesday; the other was not.

NTLM is a suite of protocols enabling authentication, and could put users at risk of unauthorized credential use and password cracking if the flaws are exploited.

The first NTLM flaw, which Microsoft patched in CVE-2017-8563, is "probably the best kept widely known secret of the hacking world," according to Preempt. It allows an NTLM relay attack, where an attacker can create a parallel session with a target server, leverage a user's encrypted password hash to authenticate via NTLM, and infect a target system with malware.

Windows' Lightweight Directory Access Protocol (LDAP) is not protected from NTLM relay attacks, even with its built-in LDAP signing defensive measure, which protects against man-in-the-middle (MitM) attacks but not credential forwarding. So an attacker with system privileges could relay credentials to the domain controller, where they can create a domain account and take over the entire network.

Microsoft's patch fixes this vulnerability "by incorporating enhancements to authentication protocols designed to mitigate authentication attacks," the company explains. To make LDAP authentication over SSL/TLS more secure, it also advises administrators to create a LdapEnforceChannelBinding registry on a domain controller.

There are many ways hackers can access privileged credentials, from phishing to physical device access. Every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin could result in a full network attack. All versions of Windows Server are vulnerable.

"Once an administrator connects to your machine, he can use those credentials and create a new domain administrator," explains Preempt senior researcher Yaron Ziner. "Once you have that one machine, you pretty much own the entire network."

Preempt's analysis revealed 50- to 60% of all networks have a high-privilege agent connecting to all machines. A device does not necessarily need to have domain administrator credentials to be used by an attacker to conduct a full network takeover. Anyone with enough privilege to create an account could enable this level of attack.

Shades of WannaCry, Petya

Ziner says the privileged escalation vulnerability is a serious threat and has similarities to the WannaCry and Petya threats, which wreaked havoc across the globe over the past couple of months. Once one device was infected with either attack, it spread rapidly in the network.

The second NTLM flaw Preempt discovered is considered a design flaw and affects Remote Desktop Protocol (RDP) Restricted-Admin mode. RDP Restricted-Admin mode lets users connect to a remote machine without giving their password to the remote machine. It could also let attackers connect to remote machines using techniques like pass-the-hash, according to Preempt.

Preempt researchers discovered that RDP Restricted-Admin lets authentication systems downgrade to NTLM. This meant attacks possible with NTLM, such as credential relaying and password-cracking, can be used against RDP Restricted-Admin - risking the credentials of anyone using elevated privileges to access remote machines.

In this sense, the first NTLM vulnerability makes the second vulnerability more dangerous, says Zilner. When combined with the LDAP relay problem, the RDP flaw means each time an admin connects with Restricted-Admin, an attacker can make a fake domain admin account.

"If you don't patch the first one, you definitely shouldn't use restricted admin," he notes. "It's not safe at all."

Ziner says Microsoft told Preempt that this was a known issue when the security firm shared both vulnerabilities with the software giant in April 2017. "They did acknowledge the issue and said it's by design," he notes, and they will not be providing a patch for it.

That said, he continues, simply applying patches is not enough to protect against either threat. If companies want to be completely safe, they should stop using NTLM or use it in a very restricted manner. They should also keep tabs on privileged accounts; namely, when they were created, who created them, and whether they should actually be privileged.

Regarding today's full Microsoft Patch Tuesday release, Qualys director of product management Jimmy Graham advises businesses prioritize CVE-2017-8589, a flaw in the Windows Search service that could be exploited remotely via SMB to assume control of a system, and Windows Explorer vulnerability CVE-2017-8463.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mikelemire
50%
50%
mikelemire,
User Rank: Author
7/12/2017 | 3:28:53 PM
Re: Correction
Its no longer a zero day flaw when a patch is released
LordC623
50%
50%
LordC623,
User Rank: Strategist
7/11/2017 | 8:05:13 PM
Correction
Misspelled in the title - "NTML"
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9015
PUBLISHED: 2019-02-22
A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the correspond...
CVE-2019-9016
PUBLISHED: 2019-02-22
An XSS vulnerability was discovered in MOPCMS through 2018-11-30. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request, as demonstrated by the /mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&am...
CVE-2018-20784
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
CVE-2019-9003
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.
CVE-2019-9004
PUBLISHED: 2019-02-22
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of the LWM2M server afte...