As part of the July Patch Tuesday, Microsoft has released security patches for a serious privilege escalation flaw affecting all Windows operating system versions for enterprises released since 2007.
Researchers at behavioral firewall specialist security firm Preempt discovered two zero-day vulnerabilities in Windows NTLM security protocols, both of which allow attackers to create a new domain administrator account and take over the target domain.
The NT LAN Manager (NTLM) is an ancient authentication protocol, despite it was replaced by Kerberos in Windows 2000, it is still supported by Microsoft and it is used by many organizations.
Although NTLM was replaced by Kerberos in Windows 2000 that adds greater security to systems on a network, NTLM is still supported by Microsoft and continues to be used widely.
Vulnerability 1: LDAP Relay (CVE-2017-8563)
It involves unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second impact Remote Desktop Protocol (RDP) Restricted-Admin mode.
LDAP protocol is used in Active Directory to query and update all domain objects (users, groups, endpoints, etc).
Even if LDAP signing protects from both Man-in-the-Middle (MitM) and credential forwarding, the protocol is not able to fully protect against NTLM relay attacks,
The vulnerability could be exploited by an attacker with SYSTEM privileges to use incoming NT LAN Manager sessions and perform the LDAP operations, including the updating of domain objects.
“This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user.” reads a blog post published by Preempt.
“As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network.”
Here is the POC video provided :
Vulnerability 2: RDP Relay
The second issue we reported is with RDP Restricted-Admin. RDP Restricted-Admin allows users to connect to a remote machine without volunteering their password to the remote machine that might be compromised.
According to Preempt researchers, RDP Restricted-Admin allows authentication systems to downgrade to NTLM. This means the attacks performed with NTLM, such as credential relaying and password cracking, could also be carried out against RDP Restricted-Admin.
“Preempt discovered that RDP Restricted-Admin, which is sometimes referred to (mistakenly) as KerberosedRDP, allows downgrade to NT LAN Manager in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.” continues the analysis.
Chaining the two zero-days, an attacker could create a bogus domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.
Microsoft recommends companies running vulnerable servers with NT LAN Manager enabled to patch them as soon as possible.
Other mitigation actions are:
- Enable “Require LDAP Signing” in your GPO setting. It is not set to “on” by default and much like “SMB Signing”, if configuration is not set properly you are not protected.
- Follow guide to make LDAP authentication over SSL/TLS more secure according to this guide
- Monitor NTLM traffic in your network and make sure to review any anomalous usage your encounter.
Microsoft has released patches for 55 security vulnerabilities, including 19 critical issues, in its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.
Windows users are strongly advised to install the latest updates as soon as possible in order to protect themselves against the active attacks in the wild.