UPDATE
Two Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.
According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. A successful exploit would allow an attacker to read all users’ emails; authenticate to any cloud resource that is controlled by ADFS; remotely execute code on any machine the victim has privileges on; and modify various network configuration to create backdoors.
“NTLM is susceptible to relay attacks, which allows actors to capture an authentication and relay it to another server, granting them the ability to perform operations on the remote server using the authenticated user’s privileges,” they explained in a write-up released Tuesday and shared with Threatpost ahead of publication. “NTLM Relay is one of the most common attack techniques used in Active Directory environments, where the attacker compromises one machine, then moves laterally to other machines by using NTLM authentication directed at the compromised server.”
While Microsoft has previously developed several mitigations for preventing NTLM relay attacks, Preempt researchers discovered bugs in those mitigations that can be exploited by attackers.
All Windows versions are vulnerable, and the attack surface is vast.
“It’s probably all networks that have an Active Directory, and this is the vast majority of networks in the world,” Preempt researcher Yaron Ziner told Threatpost. “We don’t have official statistics, but this is definitely more than 90 percent of networks. The most notable fact in our opinion is the fact that we managed to breach all NTLM mitigations and any NTLM usage can result in network compromise.”
Even though NTLM relay is an old attack technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications, Preempt researchers said. However, Microsoft has issued patches for the two bugs as part of its June Patch Tuesday Update. Full protection, however, will also require configuration changes.
“The patch Microsoft will issue will not be enough to stop the described attacks,” Ziner said. “Secure configuration is needed to be fully protected, and usage of old protocol versions is still exploitable. You need to monitor traffic carefully and analyze network configuration to be 100 percent protected.
CVE-2019-1040 has a base CVSS v3.0 score of 5.3, making it a medium-severity bug; the other, CVE-2019-1019, has a base score of 8.5, ranking it as high-severity. Microsoft ranks both as “important.” Researchers at Preempt said they considered the bugs to be critical, however.
The Flaws
Three logical flaws are at the heart of the vulnerabilities.
The first has to do with the Message Integrity Code (MIC) field, which ensures that attackers do not tamper NTLM messages. According Preempt’s write-up on the flaw, the bypass allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.
The second weakness is in the SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. This bypass, according to the analysis, enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.
And finally, Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions has a flaw. The bypass here, as described, allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).
In terms of how an attacker would use an exploit for the bugs in real life, Ziner told Threatpost that “a user that connects to a compromised server (in many cases, this can be triggered by an attacker, e.g, by a phishing email), credentials will be stolen with a 100 percent probability by an attacker.”
For a successful exploit, “an attacker would mainly need some way to intercept NTLM sessions (there are several known techniques to accomplish this),” he added. “Exploitation is difficult in the sense that only a technology expert could code an exploit. However, once open-source exploits would be available, it would be very easy to exploit.”
After patching, the network administrators should make the recommended configuration changes, researchers said: These include turning on SMB Signing on all machines in the network; completely blocking the outdated version of the protocol, NTLMv1; enforcing LDAP signing and LDAPS channel binding on domain controllers; hardening all web servers (OWA, ADFS) to accept only requests with EPA; and removing NTLM where it is not needed.
This story was updated at 3:27 p.m. on June 11 to reflect revised severity ratings, after Microsoft issued its patches. And, updated at 9 a.m. on June 12 to include a comment from Preempt on why the firm considers the bugs to be “critical.”
Ransomware is on the rise: Don’t miss our free Threatpost webinar on the ransomware threat landscape, June 19 at 2 p.m. ET. Join Threatpost and a panel of experts as they discuss how to manage the risk associated with this unique attack type, with exclusive insights into new developments on the ransomware front and how to stay ahead of the attackers.
