Two vulnerabilities have been discovered in NTLM, a decades-old authentication protocol still used in Windows, that an attacker could use to relay credentials and crack passwords.
The flaws in Microsoft's Windows NT LAN Manager (NTLM) were discovered by researchers at Preempt. The first allows NTLM relay against Lightweight Directory Access Protocol (LDAP) connections that are not protected by signing, and the second affects Remote Desktop Protocol (RDP) Restricted-Admin mode.
The identified vulnerabilities can result in unauthorised credential use, risk of password cracking and potentially domain compromise.
The first issue is NTLM relay against LDAP. LDAP signing defends against both Man-in-the-Middle (MitM) attacks and credential forwarding, but the researchers found that LDAP over SSL/TLS (LDAPS) does not get the same protection: it resists MitM but not credential forwarding, so an NTLM authentication captured from a domain admin can be relayed to a domain controller over LDAPS. The exposure is broad because Windows protocols authenticate through the Windows Authentication API (SSPI), which can downgrade a session from Kerberos to NTLM, so an admin's connection to a compromised machine over SMB, WMI, SQL or HTTP can be relayed to the domain controller to create a new domain admin account and take over the network.
The second flaw concerns RDP Restricted-Admin mode, which lets an admin connect to a remote machine without sending their password to a host that might be compromised. Preempt found that Restricted-Admin mode accepts a downgrade to NTLM authentication, so every attack that works against NTLM, such as credential relaying and password cracking, can also be carried out against an RDP Restricted-Admin session.
Researchers said that each time an admin connects with protocols such as RDP Restricted-Admin, HTTP or File Share (SMB), an attacker could potentially create a rogue domain admin, demonstrating the significance of these findings in the NTLM security protocol.
The flaws were reported by the team to Microsoft in April this year. A patch for the flaws was released on 11 July.
In a blog post, Yaron Zinar of Preempt said that "to realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI) which allows downgrade of an authentication session to NTLM."
"As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and getting full control over the attacked network."
Javvad Malik, security advocate at AlienVault, told SC Media UK that many old protocols or authentication methods like NTLM are still in use, primarily for backwards compatibility.
“The technology landscape is complex, with many inter-dependencies, so vendors will often leave older protocols in place so as not to inconvenience customers to the degree whereby products and process start to break down,” he said.
“Moving away from, or restricting NTLM (or similar outdated technology) isn't always straightforward. It needs to be understood and addressed from an architectural perspective, with consideration given to removing deprecated or insecure technologies.”
Tyler Reguly, manager of Software Development at Tripwire, told SC Media UK that it is worth calling attention to this vulnerability, which allows for privilege escalation when falling back from Kerberos to NTLM authentication.
“After applying this patch to clients, an additional change must be made to the Domain Controller to actually mitigate the vulnerability. Without the patch, the mitigation will break authentication and without the mitigation the vulnerability will persist,” he said.
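The domain-controller-side change Reguly refers to, and the LDAP signing and LDAPS protection discussed above, come down to two registry values under the NTDS service on each domain controller. The script below is an added example written for this page by the editor; it is not code from Preempt, SC Media, Tripwire or Microsoft. It assumes the value names and meanings documented by Microsoft (LDAPServerIntegrity, where 2 requires LDAP signing, and LdapEnforceChannelBinding, where 0 never checks channel binding tokens, 1 checks them when the client supplies one, and 2 always requires them; the latter value is described in Microsoft's knowledge-base article KB4034879) and that it is run as an administrator on a patched domain controller. The function names are the editor's own.

```powershell
# Added example (editor's code, not from the article or the vendors it quotes).
# Audits, and optionally sets, the two NTDS registry values that decide whether an
# NTLM authentication relayed to a domain controller over LDAP or LDAPS is accepted.
# Value names/semantics are taken from Microsoft's documentation (assumption stated in the lead-in).
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapRelayPosture {
    # Read both values; a missing value means the Windows default applies
    # (signing not required, channel binding never enforced).
    $p = Get-ItemProperty -Path $ntdsParams -ErrorAction Stop
    $signing = if ($null -ne $p.LDAPServerIntegrity)       { [int]$p.LDAPServerIntegrity }       else { 1 }
    $cbt     = if ($null -ne $p.LdapEnforceChannelBinding) { [int]$p.LdapEnforceChannelBinding } else { 0 }

    [pscustomobject]@{
        LdapSigningValue       = $signing            # 1 = none, 2 = require signing
        LdapSigningRequired    = ($signing -eq 2)
        ChannelBindingValue    = $cbt                # 0 = never, 1 = when supported, 2 = always
        RelayToLdapBlocked     = ($signing -eq 2)    # signing stops relay over plain LDAP
        RelayToLdapsBlocked    = ($cbt -eq 2)        # only "always" closes the LDAPS relay path
        Warning                = if ($cbt -eq 1) { 'Mode 1 still accepts clients that send no channel binding token' } else { $null }
    }
}

function Set-LdapRelayHardening {
    # Require LDAP signing and enforce channel binding on LDAPS.
    # Caveat from the article: apply this only after clients carry the July 2017 fix,
    # otherwise unpatched clients fail LDAPS authentication against this DC.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [ValidateSet(1, 2)]
        [int]$ChannelBinding = 2   # start at 1 for a staged rollout, finish at 2
    )
    $change = "LDAPServerIntegrity=2, LdapEnforceChannelBinding=$ChannelBinding"
    if ($PSCmdlet.ShouldProcess($ntdsParams, $change)) {
        Set-ItemProperty -Path $ntdsParams -Name LDAPServerIntegrity       -Value 2               -Type DWord
        Set-ItemProperty -Path $ntdsParams -Name LdapEnforceChannelBinding -Value $ChannelBinding -Type DWord
    }
    Get-LdapRelayPosture
}

# Usage: audit first, then harden with -WhatIf to preview, then for real.
Get-LdapRelayPosture | Format-List
# Set-LdapRelayHardening -ChannelBinding 2 -WhatIf
```

Both values take effect without a reboot on current Windows Server versions, but the ordering in Reguly's comment matters: set LdapEnforceChannelBinding on the domain controllers only once the clients that authenticate over LDAPS have the client-side update installed, and use mode 1 as an intermediate step if you need to find the stragglers before moving to mode 2.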