Vulnerabilities / Threats
7/11/2017
05:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Microsoft Patches Critical Zero-Day Flaw in Windows Security Protocol

Researchers at Preempt uncovered two critical vulnerabilities in the Windows NTLM security protocols, one of which Microsoft patched today.

Microsoft today issued a patch for a newly revealed critical vulnerability affecting its Windows NT LAN Manager (NTLM) security protocols.

Researchers at Preempt uncovered two zero-day vulnerabilities within the Windows NTLM, both of which handle the protocol improperly and could allow attackers to create domain administrator accounts. One flaw was fixed as part of Patch Tuesday; the other was not.

NTLM is a suite of protocols enabling authentication, and could put users at risk of unauthorized credential use and password cracking if the flaws are exploited.

The first NTLM flaw, which Microsoft patched in CVE-2017-8563, is "probably the best kept widely known secret of the hacking world," according to Preempt. It allows an NTLM relay attack, where an attacker can create a parallel session with a target server, leverage a user's encrypted password hash to authenticate via NTLM, and infect a target system with malware.

Windows' Lightweight Directory Access Protocol (LDAP) is not protected from NTLM relay attacks, even with its built-in LDAP signing defensive measure, which protects against man-in-the-middle (MitM) attacks but not credential forwarding. So an attacker with system privileges could relay credentials to the domain controller, where they can create a domain account and take over the entire network.

Microsoft's patch fixes this vulnerability "by incorporating enhancements to authentication protocols designed to mitigate authentication attacks," the company explains. To make LDAP authentication over SSL/TLS more secure, it also advises administrators to create a LdapEnforceChannelBinding registry on a domain controller.

There are many ways hackers can access privileged credentials, from phishing to physical device access. Every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin could result in a full network attack. All versions of Windows Server are vulnerable.

"Once an administrator connects to your machine, he can use those credentials and create a new domain administrator," explains Preempt senior researcher Yaron Ziner. "Once you have that one machine, you pretty much own the entire network."

Preempt's analysis revealed 50- to 60% of all networks have a high-privilege agent connecting to all machines. A device does not necessarily need to have domain administrator credentials to be used by an attacker to conduct a full network takeover. Anyone with enough privilege to create an account could enable this level of attack.

Shades of WannaCry, Petya

Ziner says the privileged escalation vulnerability is a serious threat and has similarities to the WannaCry and Petya threats, which wreaked havoc across the globe over the past couple of months. Once one device was infected with either attack, it spread rapidly in the network.

The second NTLM flaw Preempt discovered is considered a design flaw and affects Remote Desktop Protocol (RDP) Restricted-Admin mode. RDP Restricted-Admin mode lets users connect to a remote machine without giving their password to the remote machine. It could also let attackers connect to remote machines using techniques like pass-the-hash, according to Preempt.

Preempt researchers discovered that RDP Restricted-Admin lets authentication systems downgrade to NTLM. This meant attacks possible with NTLM, such as credential relaying and password-cracking, can be used against RDP Restricted-Admin - risking the credentials of anyone using elevated privileges to access remote machines.

In this sense, the first NTLM vulnerability makes the second vulnerability more dangerous, says Zilner. When combined with the LDAP relay problem, the RDP flaw means each time an admin connects with Restricted-Admin, an attacker can make a fake domain admin account.

"If you don't patch the first one, you definitely shouldn't use restricted admin," he notes. "It's not safe at all."

Ziner says Microsoft told Preempt that this was a known issue when the security firm shared both vulnerabilities with the software giant in April 2017. "They did acknowledge the issue and said it's by design," he notes, and they will not be providing a patch for it.

That said, he continues, simply applying patches is not enough to protect against either threat. If companies want to be completely safe, they should stop using NTLM or use it in a very restricted manner. They should also keep tabs on privileged accounts; namely, when they were created, who created them, and whether they should actually be privileged.

Regarding today's full Microsoft Patch Tuesday release, Qualys director of product management Jimmy Graham advises businesses prioritize CVE-2017-8589, a flaw in the Windows Search service that could be exploited remotely via SMB to assume control of a system, and Windows Explorer vulnerability CVE-2017-8463.

Related Content:

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance & Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
mikelemire
50%
50%
mikelemire,
User Rank: Author
7/12/2017 | 3:28:53 PM
Re: Correction
Its no longer a zero day flaw when a patch is released
LordC623
50%
50%
LordC623,
User Rank: Strategist
7/11/2017 | 8:05:13 PM
Correction
Misspelled in the title - "NTML"
Ransomware Grabs Headlines but BEC May Be a Bigger Threat
Marc Wilczek, Digital Strategist & CIO Advisor,  10/12/2017
20 Questions to Ask Yourself before Giving a Security Conference Talk
Joshua Goldfarb, Co-founder & Chief Product Officer, IDDRA,  10/16/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Be a unicorn, not a donkey...
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.