New Microsoft NTLM Flaws May Allow Full Domain Compromise

Two security vulnerabilities in Microsoft's NTLM authentication protocol allow attackers to bypass the Message Integrity Code (MIC) protection and downgrade NTLM security features, which can lead to full domain compromise.


Microsoft patched both NTLM flaws and published security advisories for them in yesterday's Patch Tuesday updates, following Preempt's disclosure.


Preempt researchers Yaron Zinar and Marina Simakov found that attackers can exploit these flaws as part of NTLM relay attacks that may, in some cases, "cause full domain compromise of a network," and that all Active Directory customers running default configurations are exposed.


The Windows NT (New Technology) LAN Manager (NTLM) protocol is Microsoft's challenge-response authentication protocol. It is used for client/server authentication to authenticate remote users, and it can also provide session security (message signing and sealing) when an application protocol requests it.


NTLM has been superseded by Kerberos, which has been the default authentication protocol for domain-joined devices since Windows 2000.


"Despite Kerberos being the more prevalent authentication protocol in most organizations, NTLM is still enabled and thus abused by attackers to exploit the vulnerabilities that we have described above," adds the Preempt advisory.


Tampering vulnerability impacts all in-support Windows versions


Preempt's research team found flaws that attackers could abuse to circumvent the NTLM relay attack mitigations Microsoft provides.


While Microsoft added a Message Integrity Code (MIC) field to block attackers from tampering with NTLM messages, Preempt's researchers found a bypass on NTLM authentication that allows att ..
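The MIC mechanism the article refers to, as an added example that is not part of the original article or of Preempt's research: the NTLMv2 exchange below follows MS-NLMP (NTOWFv2, NTProofStr, SessionBaseKey, and MIC = HMAC-MD5 over the NEGOTIATE, CHALLENGE and AUTHENTICATE messages), but the message byte layouts are simplified, the user identity and NT hash are constructed, and key exchange (NTLMSSP_NEGOTIATE_KEY_EXCH) is assumed to be off so the exported session key equals the SessionBaseKey. It shows why a relay cannot silently clear the negotiated signing flags when the server checks the MIC, and why a server must treat the MIC as mandatory whenever the NTProofStr-protected MsvAvFlags bit says the client sent one, rather than verifying a MIC only when one happens to be on the wire. The stripped-MIC and cleared-flag scenarios model that general property of an optional integrity field; they are not a reconstruction of the specific bypass Preempt reported, which this truncated article does not detail.

```python
import hashlib
import hmac
import os
import struct

# Constructed identity (not from the article). NTOWFv2 keys on the NT hash, so a
# 16-byte NT hash is enough here and MD4(UTF-16LE(password)) is not computed.
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "alice", "CORP"

# Constants from MS-NLMP
NEGOTIATE_SIGN, NEGOTIATE_SEAL = 0x00000010, 0x00000020
MSV_AV_EOL, MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0000, 0x0002, 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002  # set by the client when it includes a MIC
SIG = b"NTLMSSP\x00"

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def ntowf_v2(nt_hash, user, domain):
    # NTOWFv2 = HMAC_MD5(NT hash, UNICODE(uppercase(user) + domain))
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))

def av_pairs(pairs):
    out = b"".join(struct.pack("<HH", av_id, len(v)) + v for av_id, v in pairs)
    return out + struct.pack("<HH", MSV_AV_EOL, 0)

def parse_av_pairs(blob):
    pairs, i = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", blob, i)
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[i + 4:i + 4 + av_len]
        i += 4 + av_len

# Simplified wire layouts (assumption: not the real MS-NLMP field offsets); the MIC
# is an HMAC over the raw message bytes, so the exact layout does not change the point.
def negotiate_msg(flags):
    return SIG + struct.pack("<II", 1, flags)

def challenge_msg(flags, server_challenge, target_info):
    return SIG + struct.pack("<II", 2, flags) + server_challenge + target_info

def authenticate_msg(flags, nt_response, mic):
    return SIG + struct.pack("<III", 3, flags, len(nt_response)) + nt_response + mic

def split_authenticate(msg):
    _, flags, nt_len = struct.unpack_from("<III", msg, 8)
    return flags, msg[20:20 + nt_len], msg[20 + nt_len:]

def client_authenticate(nt_hash, user, domain, negotiate, challenge):
    server_challenge, server_av = challenge[16:24], parse_av_pairs(challenge[24:])
    # NTLMv2 "temp" blob: the AV pairs (including MsvAvFlags) sit inside it, so they
    # are covered by NTProofStr, which only the holder of the NT hash can compute.
    av = av_pairs(list(server_av.items()) + [(MSV_AV_FLAGS, struct.pack("<I", AV_FLAG_MIC_PRESENT))])
    temp = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 4 + av + b"\x00" * 4
    key = ntowf_v2(nt_hash, user, domain)
    nt_proof = hmac_md5(key, server_challenge + temp)
    session_key = hmac_md5(key, nt_proof)  # SessionBaseKey; no KEY_EXCH (assumption)
    nt_response = nt_proof + temp
    flags = struct.unpack_from("<I", negotiate, 12)[0]
    unsigned = authenticate_msg(flags, nt_response, b"\x00" * 16)
    mic = hmac_md5(session_key, negotiate + challenge + unsigned)  # MIC covers all three messages
    return authenticate_msg(flags, nt_response, mic)

def server_verify(nt_hash, user, domain, negotiate, challenge, authenticate, require_mic_when_flagged):
    """Return 'ok' or a rejection reason, checking against the messages the server itself saw."""
    flags, nt_response, mic = split_authenticate(authenticate)
    nt_proof, temp = nt_response[:16], nt_response[16:]
    key = ntowf_v2(nt_hash, user, domain)
    if not hmac.compare_digest(nt_proof, hmac_md5(key, challenge[16:24] + temp)):
        return "bad password"
    session_key = hmac_md5(key, nt_proof)
    if mic:
        unsigned = authenticate_msg(flags, nt_response, b"\x00" * 16)
        expected = hmac_md5(session_key, negotiate + challenge + unsigned)
        return "ok" if hmac.compare_digest(mic, expected) else "mic mismatch"
    # No MIC on the wire. A weak server has nothing to check; a hardened server asks the
    # NTProofStr-protected MsvAvFlags whether the client actually sent one.
    client_flags = struct.unpack("<I", parse_av_pairs(temp[28:]).get(MSV_AV_FLAGS, b"\x00" * 4))[0]
    if require_mic_when_flagged and client_flags & AV_FLAG_MIC_PRESENT:
        return "mic missing"
    return "ok"

def run_scenarios():
    flags = NEGOTIATE_SIGN | NEGOTIATE_SEAL
    negotiate = negotiate_msg(flags)
    challenge = challenge_msg(flags, os.urandom(8), av_pairs([(MSV_AV_NB_DOMAIN_NAME, DOMAIN.encode("utf-16-le"))]))
    authenticate = client_authenticate(NT_HASH, USER, DOMAIN, negotiate, challenge)
    auth_flags, nt_response, _ = split_authenticate(authenticate)
    downgraded = negotiate_msg(flags & ~(NEGOTIATE_SIGN | NEGOTIATE_SEAL))  # relay clears signing flags
    stripped = authenticate_msg(auth_flags, nt_response, b"")  # ... and drops the MIC
    av = parse_av_pairs(nt_response[16 + 28:])  # ... and tries to clear the "MIC present" bit
    av[MSV_AV_FLAGS] = struct.pack("<I", 0)
    forged = authenticate_msg(auth_flags, nt_response[:44] + av_pairs(av.items()) + b"\x00" * 4, b"")
    def verify(neg, auth, hardened):
        return server_verify(NT_HASH, USER, DOMAIN, neg, challenge, auth, hardened)
    return {
        "honest": verify(negotiate, authenticate, True),
        "downgrade": verify(downgraded, authenticate, True),  # MIC catches the flag change
        "downgrade_strip_weak": verify(downgraded, stripped, False),  # accepted: the bypass
        "downgrade_strip_hardened": verify(downgraded, stripped, True),
        "flag_cleared": verify(downgraded, forged, True),  # NTProofStr catches the AV edit
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:26s} {result}")
```

Running the file prints the five verdicts. The weak server's "ok" on the stripped-MIC exchange is the outcome an integrity check must never allow: the relay has both removed the signing requirement and removed the only evidence that it did so. The "bad password" verdict on the cleared-flag attempt is what lets the hardened server rely on the MsvAvFlags bit, since that bit lives inside the NTLMv2 response that the attacker cannot recompute without the user's NT hash.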