Researchers from the behavioral firewall specialist Preempt discovered two zero-day vulnerabilities in the Windows NTLM security protocols that allow attackers to create a new domain administrator account and gain full control of the domain.
As part of this month's Patch Tuesday, Microsoft released a security patch for a serious privilege escalation vulnerability that affects all versions of its Windows operating system for enterprises released since 2007.
NT LAN Manager (NTLM) is an older authentication protocol used on networks that include systems running the Windows operating system, as well as on stand-alone systems.
Although NTLM was replaced by Kerberos in Windows 2000, which adds more security for systems communicating over a network, NTLM is still supported by Microsoft and is still widely used.
The first vulnerability is that the Lightweight Directory Access Protocol (LDAP) is not adequately protected from NTLM relay; the second affects the Restricted-Admin mode of the Remote Desktop Protocol (RDP).
LDAP does not adequately protect against NTLM relay attacks, even with the LDAP signing defensive measure built in, which only protects against man-in-the-middle (MitM) attacks and not against all credential attacks.
The vulnerability could allow an attacker with SYSTEM privileges on a target system to use any incoming NTLM session and perform LDAP operations, such as updating domain objects, on behalf of the NTLM user.
“To understand the seriousness of this problem, we must realize that all Windows protocols use the Windows Authentication API (SSPI), which allows a downgrade of an authentication session to NTLM,” said Yaron Zinar of Preempt in a blog post detailing the vulnerabilities.
“As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) by a domain administrator means that the attacker can create a domain administrator account and gain full control of the attacked network.”
Preempt security researchers discovered and reported two zero-day vulnerabilities in the Windows NTLM security protocols.
These vulnerabilities share a common theme: two different protocols handle NTLM improperly.
These vulnerabilities are particularly important because they allow an attacker to create a new domain administrator user account, even when best-practice controls such as LDAP server signing and RDP Restricted-Admin mode are enabled.
According to Preempt:
“NTLM is a set of Microsoft security protocols that provide authentication, integrity, and confidentiality to users. NTLM relay is probably the most well-known secret and widely known in the hacking world.
If you have ever requested a signature to try to perform a security audit, it could probably compromise your network with some kind of NTLM attack.”
The first vulnerability that Microsoft fixed (CVE-2017-8563) concerns the Lightweight Directory Access Protocol (LDAP), which is not adequately protected from NTLM relay.
The vulnerability could allow an attacker with SYSTEM privileges on a target system to take over incoming NTLM sessions and execute LDAP operations, such as updating domain objects, on behalf of the NTLM user.
“The vulnerability is that while LDAP signing protects against both man-in-the-middle (MitM) and credential forwarding, LDAPS protects against MitM (under certain circumstances) but does not protect against credential forwarding. This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform LDAP operations on behalf of the NTLM user.
To understand the severity of this problem, one must realize that all Windows protocols use the Windows Authentication API (SSPI), which allows downgrading the authentication session to NTLM.”
The second vulnerability affects RDP Restricted-Admin mode, which allows users to connect to a remote computer without giving it their password.
“In a remote attack scenario, an attacker could exploit this vulnerability by running a specially crafted malicious program to send malicious traffic to a domain controller.
An attacker who exploited this vulnerability could run processes in a large environment,” Microsoft explained in its advisory.
“The update addresses this vulnerability by incorporating enhancements to the authentication protocols designed to mitigate authentication attacks. It revolves around the concept of channel information.”
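The three controls the article names (LDAP server signing, the channel-binding enforcement introduced with the CVE-2017-8563 update, and RDP Restricted-Admin mode) can be audited from a domain controller. The following PowerShell check is an added example, not code from the article, Preempt or Microsoft; the registry value names are the standard Windows settings, while the "recommended" thresholds and the advice strings are this example's own assumptions.

```powershell
# Added example (not from the article): audit a domain controller for the NTLM relay
# mitigations discussed above. Run in an elevated PowerShell session on the DC.
# Registry locations are the standard Windows settings; the recommended values below
# are this example's assumptions, not statements from the article.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue($Path, $Name) {
    # Returns $null when the value is absent so callers can treat it as "default"
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

$checks = @(
    @{ Setting = 'LDAP server signing (LDAPServerIntegrity)'
       Value   = Get-RegValue $ntds 'LDAPServerIntegrity'
       Ok      = { param($v) $v -eq 2 }                     # 2 = require signing
       Advice  = 'Set to 2 so unsigned (relayable) LDAP binds are rejected' },
    @{ Setting = 'LDAPS channel binding (LdapEnforceChannelBinding)'
       Value   = Get-RegValue $ntds 'LdapEnforceChannelBinding'
       Ok      = { param($v) $v -eq 2 }                     # 2 = always enforce
       Advice  = 'Set to 2 after installing the CVE-2017-8563 update so relayed LDAPS binds fail' },
    @{ Setting = 'RDP Restricted-Admin mode (DisableRestrictedAdmin)'
       Value   = Get-RegValue $lsa 'DisableRestrictedAdmin'
       Ok      = { param($v) $null -eq $v -or $v -eq 1 }   # absent or 1 = mode disabled
       Advice  = 'Keep disabled unless required; the second vulnerability targets this mode' }
)

# Evaluate each setting and report its state with remediation advice where needed
$results = foreach ($c in $checks) {
    $state = if (& $c.Ok $c.Value) { 'OK' } else { 'REVIEW' }
    $shown = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = $shown
        State   = $state
        Advice  = if ($state -eq 'OK') { '' } else { $c.Advice }
    }
}
$results | Format-Table -AutoSize -Wrap
```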
All Windows users should install the updates and the latest patches as soon as possible to stay safe from these Windows NTLM security protocol vulnerabilities.