Near-Ubiquitous Critical Microsoft RCE Bugs Affect All Versions of Windows

silversurfer

Two critical Microsoft vulnerabilities, CVE-2019-1040 and CVE-2019-1019, would allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS.

According to researchers at Preempt, who discovered the flaws, the two CVEs consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. A successful exploit would allow an attacker to read all users’ emails; authenticate to any cloud resource that is controlled by ADFS; remotely execute code on any machine the victim has privileges on; and modify various network configurations to create backdoors.
Three logical flaws are at the heart of the vulnerabilities.

The first has to do with the Message Integrity Code (MIC) field, which ensures that attackers do not tamper with NTLM messages. According to Preempt’s write-up on the flaw, the bypass allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.

The second weakness is in the SMB Session Signing, which prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. This bypass, according to the analysis, enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.

And finally, Enhanced Protection for Authentication (EPA), which prevents attackers from relaying NTLM messages to TLS sessions, has a flaw. The bypass here, as described, allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as reading the user’s emails (by relaying to OWA servers) or even connecting to cloud resources (by relaying to ADFS servers).
 
Any suggestions on protection from these 3 flaws?
After patching, the network administrators should make the recommended configuration changes, researchers said: These include turning on SMB Signing on all machines in the network; completely blocking the outdated version of the protocol, NTLMv1; enforcing LDAP signing and LDAPS channel binding on domain controllers; hardening all web servers (OWA, ADFS) to accept only requests with EPA; and removing NTLM where it is not needed.
It is important to understand that patching is not enough. In order to fully protect your servers from these types of NTLM relay attacks, you need to first enforce channel binding on all your servers. This task might prove difficult since this needs to be done on every server (there is no group policy governing this feature). In addition, this vulnerability could be used to launch LDAPS relay attacks against domain controllers, similar to the ones discovered by Preempt in 2017. To prevent LDAPS relay attacks, channel binding must be enforced on all domain controllers.
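One defensive way to act on the list above, as an added example that is not from the article, from Preempt, or from any poster in this thread: a read-only PowerShell audit of a Windows host for the settings named (SMB signing, NTLMv1 blocking, LDAP signing and LDAPS channel binding on domain controllers), using the registry values those policies write. The expected values assume the strictest recommended setting is wanted; a value that is not set means the OS default applies.

```powershell
# Added example: audit a Windows host for the NTLM relay hardening settings
# recommended above. Read-only: it reports, it changes nothing.
# Registry locations are the policy-backed ones; the "Expected" values are an
# assumption that the strictest recommended setting is the target.
$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LM/NTLMv1 refused, NTLMv2 only (LmCompatibilityLevel = 5)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Expected = 5 },
    # The next two only exist on domain controllers (NTDS service).
    @{ Name = 'LDAP server signing required (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAPS channel binding always enforced (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding'; Expected = 2 }
)

function Test-NtlmRelayHardening {
    foreach ($c in $checks) {
        $actual = $null
        # Missing path or value just yields $null rather than an error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue
        if ($item) { $actual = $item.($c.Key) }
        [pscustomobject]@{
            Check    = $c.Name
            Expected = $c.Expected
            Actual   = if ($null -eq $actual) { '<not set: OS default>' } else { $actual }
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize

# EPA on web servers (OWA, ADFS) is configured per application, not in these
# registry keys. On an IIS site using Windows Integrated Authentication the
# setting to require is tokenChecking = Require under
# system.webServer/security/authentication/windowsAuthentication/extendedProtection
# (inspect it with Get-WebConfigurationProperty from the WebAdministration module).
```

Run it in an elevated session on each member server and domain controller; any row marked REVIEW is a setting the recommendations above say to tighten.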
 

This sage advice is for corporate networks, servers, etc. Home users don't have much to worry about on modern versions of Windows.