Security Advisory: Critical Vulnerabilities in NTLM Allow Remote Code Execution and Cloud Resources Compromise

On June 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1040 and CVE-2019-1019, two vulnerabilities discovered by Preempt researchers. The critical vulnerabilities consist of three logical flaws in NTLM (Microsoft’s proprietary authentication protocol). Preempt researchers were able to bypass all major NTLM protection mechanisms.

These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any HTTP server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. All Windows versions are vulnerable.

Attack Details

NTLM authentication protocol is susceptible to relay attacks. NTLM relay is a common attack technique where an attacker that compromises one machine can move laterally to other machines by using NTLM authentication directed at the compromised server.  

NTLM relay basic flow

Over the years, Microsoft has developed several mitigations for thwarting such NTLM relay attacks, Preempt research were able to bypass all the significant defense mechanisms:

  • Message Integrity Code (MIC) – The ‘MIC’ field ensures that NTLM messages are not tampered by attackers. However, our bypass allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation. Full details are available in this blog.
  • SMB Session Signing – Prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. The bypass we discovered enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise. Full details are available in this blog.
  • Enhanced Protection for Authentication (EPA) – Prevents attackers from relaying NTLM messages to TLS sessions. Our bypass allows attackers to modify NTLM messages to generate legitimate channel binding information. This can allow attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers). Full details are available in this blog.

How Can I protect myself from these vulnerabilities?

Here are the main steps you need to take to make sure you are protected from these threats:

  1. Patch – Make sure that your workstations and servers are properly patched. This is a basic requirement. However, it is important to note that patching alone is not enough as you will also need to make configuration changes in order to be fully protected.
  2. Configuration:
    1. Enforce SMB Signing – To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.
    2. Block NTLMv1 – Since NTLMv1 is considered significantly less secure, it is recommended to completely block it by setting the appropriate GPO.
    3. Enforce LDAP/S Signing – To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
    4. Enforce EPA – To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.
  3. Reduce NTLM usage – Even with a fully secure configuration and fully patched servers NTLM still poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM anywhere it is not needed.

Microsoft has released the following fixes:
CVE-2019-1040 | Windows NTLM Tampering Vulnerability

CVE-2019-1019 | Microsoft Windows Security Feature Bypass Vulnerability

How Preempt Can Help

Preempt constantly works to protect its customers. Customers who have deployed Preempt have been consistently protected from NTLM relay attacks. The Preempt Platform provides full network NTLM visibility, allowing you to reduce NTLM traffic and analyze suspicious NTLM activity. In addition, Preempt has innovative industry-first deterministic NTLM relay detection capabilities and has the ability to inspect all GPO configurations and will alert on insecure configurations.

For non-Preempt customers, this configuration inspection is also available in Preempt Lite, a free lightweight version of the Preempt Platform.
>> You can download Preempt Lite here and verify which areas of your network are vulnerable.

This vulnerabilities and more will be presented by Preempt team (Yaron Zinar and Marina Simakov) at Black Hat USA 2019.

*** This is a Security Bloggers Network syndicated blog from Preempt Blog authored by Yaron Zinar. Read the original post at: