Near-Ubiquitous Critical Microsoft RCE Bugs Affect All Versions of Windows

silversurfer

Aug 17, 2014
Two critical Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.

According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. A successful exploit would allow an attacker to read all users’ emails; authenticate to any cloud resource that is controlled by ADFS; remotely execute code on any machine the victim has privileges on; and modify various network configurations to create backdoors.
Three logical flaws are at the heart of the vulnerabilities.

The first has to do with the Message Integrity Code (MIC) field, which ensures that attackers do not tamper with NTLM messages. According to Preempt’s write-up on the flaw, the bypass allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.

The second weakness is in the SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. This bypass, according to the analysis, enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.

And finally, Enhanced Protection for Authentication (EPA), which prevents attackers from relaying NTLM messages to TLS sessions, has a flaw. The bypass here, as described, allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).

upnorth

Jul 27, 2015
Any suggestions on protection from these 3 flaws?
After patching, the network administrators should make the recommended configuration changes, researchers said: These include turning on SMB Signing on all machines in the network; completely blocking the outdated version of the protocol, NTLMv1; enforcing LDAP signing and LDAPS channel binding on domain controllers; hardening all web servers (OWA, ADFS) to accept only requests with EPA; and removing NTLM where it is not needed.
It is important to understand that patching is not enough. In order to fully protect your servers from these types of NTLM relay attacks, you need to first enforce channel binding on all your servers. This task might prove difficult since this needs to be done on every server (there is no group policy governing this feature). In addition, this vulnerability could be used to launch LDAPS relay attacks against domain controllers, similar to the ones discovered by Preempt in 2017. To prevent LDAPS relay attacks, channel binding must be enforced on all domain controllers.
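As an added example (not from the thread or from Preempt), the PowerShell below audits the registry values behind the hardening items listed above (SMB signing, refusing NTLMv1, LDAP signing and LDAPS channel binding on DCs, EPA on ADFS). It assumes it is run elevated on the host being audited; a value that is absent is reported as "default applies" rather than guessed.

```powershell
# Added audit script, not part of the original post. Assumes an elevated session
# on the host being checked; the NTDS values only exist on domain controllers.
$Checks = @(
    @{ Name = 'SMB signing required (server side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       ValueName = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'SMB signing required (client side)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       ValueName = 'RequireSecuritySignature'; Want = 1 },
    @{ Name = 'LM and NTLMv1 refused (LmCompatibilityLevel = 5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       ValueName = 'LmCompatibilityLevel'; Want = 5 },
    @{ Name = 'LDAP signing required on DC (LDAPServerIntegrity = 2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       ValueName = 'LDAPServerIntegrity'; Want = 2 },
    @{ Name = 'LDAPS channel binding always enforced (LdapEnforceChannelBinding = 2)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       ValueName = 'LdapEnforceChannelBinding'; Want = 2 }
)

function Test-NtlmRelayHardening {
    foreach ($c in $Checks) {
        if (-not (Test-Path $c.Path)) {
            # Key missing entirely: e.g. NTDS on a member server.
            $state = 'n/a (key absent; not a domain controller?)'
        } else {
            $item = Get-ItemProperty -Path $c.Path -Name $c.ValueName -ErrorAction SilentlyContinue
            if ($null -eq $item) {
                $state = 'not set (Windows default applies)'
            } elseif ($item.($c.ValueName) -eq $c.Want) {
                $state = 'OK'
            } else {
                $state = "WEAK (is $($item.($c.ValueName)), want $($c.Want))"
            }
        }
        [pscustomobject]@{ Setting = $c.Name; State = $state }
    }
    # EPA on ADFS can only be read where the ADFS module is installed.
    if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
        $epa = (Get-AdfsProperties).ExtendedProtectionTokenCheck
        [pscustomobject]@{
            Setting = 'ADFS Extended Protection (EPA) set to Require'
            State   = if ($epa -eq 'Require') { 'OK' } else { "WEAK (is $epa)" }
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

Anything reported as WEAK or "default applies" on a member server or DC is a host that still accepts the downgraded negotiation the post warns about; the settings themselves are normally pushed by Group Policy rather than edited directly.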

shmu26

Jul 3, 2015

This sage advice is for corporate networks, servers, etc. Home users don't have much to worry about on modern versions of Windows.