This month, Microsoft released security patches covering a number of critical flaws, including a privilege escalation vulnerability that threatens all versions of Windows.
Specialists from Preempt, a behavioral firewall firm, found two zero-day vulnerabilities in the Windows NT LAN Manager (NTLM) protocol. To better protect systems on a network, Kerberos replaced NTLM in Windows 2000. However, Microsoft still fully supports the NTLM protocol.
Breaking down the vulnerabilities
One of the detected flaws involved NTLM relay to the Lightweight Directory Access Protocol (LDAP). The other affected Remote Desktop Protocol (RDP) Restricted-Admin mode.
Ajit Sancheti, CEO and co-founder of Preempt, stated: “NTLM puts organizations and individuals at risk of credential forwarding and password cracking, and ultimately, illustrates why organizations must remain vigilant and ensure that their deployments are secure, especially when using legacy protocols like NTLM.”
LDAP's built-in protections were primarily meant to guard against credential forwarding and man-in-the-middle (MitM) attacks. Because of the flaw, LDAP can no longer protect users from credential forwarding: an attacker with SYSTEM privileges could run various LDAP operations as the NTLM user, including updating domain objects.
As for the second flaw, RDP Restricted-Admin mode lets users connect to a remote computer without giving away their password. Experts from Preempt noted that “RDP allows downgrade to NTLM in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.”
The flaws could potentially let an attacker take control of the entire domain through a fake domain administrator account.
Preempt warned Microsoft about the threats in April. Microsoft acknowledged the LDAP flaw (CVE-2017-8563) and issued a proper patch for it, but left the second vulnerability unaddressed, calling it a “known issue.” Instead, Microsoft recommended configuring the network so that it is protected against any NTLM relay.
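The article does not spell out what "configuring a network" against NTLM relay looks like in practice. The following PowerShell audit is an added example, not code from the article, from Preempt or from Microsoft. It reads the registry values behind the Windows policies that limit NTLM relay and weak NTLM use (LDAP signing and channel binding on domain controllers, NTLMv2-only, and restricting outgoing NTLM) and reports whether each matches a hardened value. The registry paths and value names are Microsoft's documented settings; the "expected" values are this example's own recommendation, and the NTDS entries only apply on a domain controller.

```powershell
# Added example: audit (and optionally enforce) registry settings that limit
# NTLM relay. Run as an administrator on a domain controller for the full set.
$Checks = @(
    @{
        Name     = 'LDAPServerIntegrity'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Expected = 2    # 2 = require LDAP signing (DC only)
        Why      = 'Unsigned LDAP binds are what a relayed NTLM session would use'
    },
    @{
        Name     = 'LdapEnforceChannelBinding'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        Expected = 2    # 2 = always enforce channel binding on LDAPS (DC only)
        Why      = 'Ties an LDAPS bind to its TLS session so it cannot be replayed elsewhere'
    },
    @{
        Name     = 'LmCompatibilityLevel'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Expected = 5    # 5 = send NTLMv2 only, refuse LM and NTLMv1
        Why      = 'NTLMv1 responses are far cheaper to crack offline than NTLMv2'
    },
    @{
        Name     = 'RestrictSendingNTLMTraffic'
        Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
        Expected = 2    # 2 = deny all outgoing NTLM; 1 = audit only; 0 = allow
        Why      = 'Outgoing NTLM is what a relay captures; deny it where Kerberos works'
    }
)

function Test-NtlmRelayHardening {
    [CmdletBinding()]
    param(
        # Without -Enforce the function is read-only and only reports.
        [switch]$Enforce
    )

    foreach ($c in $Checks) {
        $current = $null
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $current = [int]$item.($c.Name) }

        $status = if ($null -eq $current) { 'NOT SET (Windows default applies)' }
                  elseif ($current -eq $c.Expected) { 'OK' }
                  else { 'WEAK' }

        # Emit one object per setting so the output can be filtered or exported.
        [pscustomobject]@{
            Setting  = $c.Name
            Current  = $current
            Expected = $c.Expected
            Status   = $status
            Why      = $c.Why
        }

        if ($Enforce -and $status -ne 'OK') {
            if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
            Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected -Type DWord
        }
    }
}

# Usage: report only, then enforce once the impact has been reviewed.
Test-NtlmRelayHardening | Format-Table -AutoSize
# Test-NtlmRelayHardening -Enforce
```

Run the report first and treat -Enforce with care: denying all outgoing NTLM (RestrictSendingNTLMTraffic = 2) breaks any service that still depends on NTLM, so the usual path is audit mode (1) for a period, review of the resulting NTLM audit events, and only then the deny setting. Requiring LDAP signing likewise rejects clients that perform unsigned binds, so check the domain controller's Directory Service event log for such clients before flipping LDAPServerIntegrity to 2.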