Preempt Researchers Find Two Critical Vulnerabilities in Microsoft NTLM Allowing Malicious Remote Code Execution on any Windows Machine
Three flaws in Microsoft’s proprietary authentication protocol give attackers the ability to bypass all NTLM protection mechanisms
SAN FRANCISCO, June 11, 2019 (GLOBE NEWSWIRE) -- Preempt, the leading provider of conditional access for real-time threat prevention, today announced its research team found two critical Microsoft vulnerabilities that consist of three logical flaws in NTLM, the company’s proprietary authentication protocol. These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS. The research shows that all Windows versions are vulnerable.
NTLM is susceptible to relay attacks, which allows actors to capture an authentication and relay it to another server, granting them the ability to perform operations on the remote server using the authenticated user’s privileges. NTLM Relay is one of the most common attack techniques used in Active Directory environments, where the attacker compromises one machine, then moves laterally to other machines by using NTLM authentication directed at the compromised server.
Microsoft previously developed several mitigations for preventing NTLM relay attacks. Preempt researchers discovered those mitigations have the following flaws which can be exploited by attackers:
- The Message Integrity Code (MIC) field ensures that attackers do not tamper NTLM messages. The bypass discovered by Preempt researchers allows attackers to remove the ‘MIC’ protection and modify various fields in the NTLM authentication flow, such as signing negotiation.
- SMB Session Signing prevents attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions. The bypass discovered by Preempt researchers enables attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution. If the relayed authentication is of a privileged user, this means full domain compromise.
- Enhanced Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions. The bypass discovered by Preempt researchers allows attackers to modify NTLM messages to generate legitimate channel binding information. This allows attackers to connect to various web servers using the attacked user’s privileges and perform operations such as: read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers).
To see more details on the reported risks of these flaws, please visit Preempt’s security advisory blog here.
“Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly,” stated Roman Blachman, Chief Technology Officer and Co-Founder at Preempt, “Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organizations can further protect their environments by gaining network NTLM visibility. Preempt works with its customers to ensure they have this visibility and the best protection possible.”
For organizations to protect themselves from these vulnerabilities they must:
- Patch - Make sure that workstations and servers are properly patched. However, it is important to note that patching alone is not enough, companies also need to make configuration changes in order to be fully protected.
- Enforce SMB Signing - To prevent attackers from launching simpler NTLM relay attacks, turn on SMB Signing on all machines in the network.
- Block NTLMv1 - Since NTLMv1 is considered significantly less secure; it is recommended to completely block it by setting the appropriate GPO.
- Enforce LDAP/S Signing - To prevent NTLM relay in LDAP, enforce LDAP signing and LDAPS channel binding on domain controllers.
- Enforce EPA - To prevent NTLM relay on web servers, harden all web servers (OWA, ADFS) to accept only requests with EPA.
- Reduce NTLM usage – Even with fully secured configuration and patched servers, NTLM poses a significantly greater risk than Kerberos. It is recommended that you remove NTLM where it is not needed.
Preempt’s customers already have protections against NTLM vulnerabilities. The Preempt Platform provides full network NTLM visibility, allowing organizations to reduce NTLM traffic and analyze suspicious NTLM activity. In addition, Preempt has an innovative industry-first deterministic NTLM relay detection capabilities and has the ability to inspect all GPO configurations and will alert on insecure configurations. This configuration inspection is also available in Preempt Lite, a free lightweight version of the Preempt Platform. Organizations can download Preempt Lite here and verify which areas of their network are vulnerable.
This vulnerabilities and more will be presented by Preempt researchers Yaron Zinar and Marina Simakov at Black Hat USA 2019.
As of June 11, 2019, Microsoft has issued CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday per Preempt’s responsible disclosure of the NTLM vulnerabilities.
Preempt delivers a modern approach to authentication and securing identity in the enterprise. Using patented technology for Conditional Access, Preempt helps enterprises optimize identity hygiene and stop attacks in real-time before they impact business. Preempt continuously detects and preempts threats based on identity, behavior, and risk across all cloud and on-premises authentication & access platforms. This low friction approach empowers security teams more visibility & control over accounts and privileged access, while achieving compliance and auto-resolving incidents. Learn more: www.preempt.com.
For More Info:
One Liberty Plaza - 165 Broadway
NY 10006 New York
GlobeNewswire is one of the world's largest newswire distribution networks, specializing in the delivery of corporate press releases financial disclosures and multimedia content to the media, investment community, individual investors and the general public.
Subscribe to releases from GlobeNewswire
Subscribe to all the latest releases from GlobeNewswire by registering your e-mail address below. You can unsubscribe at any time.
Latest releases from GlobeNewswire
Standard & Poor’s has affirmed Arion Bank’s long term credit rating BBB+ but revised the outlook from stable to negative23.7.2019 20:32:00 CEST | Press release
Standard & Poor’s has affirmed Arion Bank’s long term credit rating BBB+ but revised the outlook from stable to negative. The Bank’s short term credit rating remains A-2. Main comments from Standard & Poor’s: The affirmation of the bank’s ratings reflects that Arion Bank maintains a solid market position in Iceland, with relatively advanced digitalized banking platforms while its exceptional capitalization counterbalances it’s geographic and loan book concentrations. Standard & Poor’s see Arion Bank as being well ahead of many other European banks in its preparation for technological disruption In a fiercely competitive environment, no longer supported by a strong economy, Icelandic banks' business prospects and earnings have become weaker. Furthermore, the role of pension funds in lending distorts Icelandic banks' competitive environment in terms of business generation and margins. Therefore it is seen as a negative trend for industry risk. Overall, economic risks for Icelandic banks
All Regulatory Clearances for Saxo Bank and BinckBank obtained to close the Offer23.7.2019 18:20:00 CEST | Press release
This is a joint press release by BinckBank N.V. (BinckBank), Star Bidco B.V. (the Offeror) and Saxo Bank A/S (Saxo Bank, pursuant to Section 4, paragraph 3 of the Dutch decree on public takeover bids (Besluit openbare biedingen Wft) in connection with the recommended public offer by the Offeror for all the issued and outstanding ordinary and priority shares in the capital of BinckBank (the Offer). This announcement does not constitute an offer, or any solicitation of any offer, to buy or subscribe for any securities. Any offer will be made only by means of the Offer Memorandum dated 12 March 2019 (the Offer Memorandum). This announcement is not for release, publication or distribution, in whole or in part, in or into, directly or indirectly, the United States or Canada or in any other jurisdiction in which such release, publication or distribution would be unlawful. Terms not defined in this press release will have the meaning as set forth in the Offer Memorandum. All Regulatory Cleara
Golar LNG Partners LP Cash Distributions23.7.2019 18:13:00 CEST | Press release
Golar LNG Partners LP (“the Partnership”) (NASDAQ: GMLP) announced today that its board of directors has approved a quarterly cash distribution with respect to the quarter ended June 30, 2019 of $0.4042 per common and general partner unit. This cash distribution will be paid on August 14, 2019 to all common and general partner unitholders of record as of the close of business on August 7, 2019. A cash distribution of $0.546875 per Series A preferred unit (NASDAQ: GMLPP) for the period from May 15, 2019 through August 14, 2019 has also been declared. This will be payable on August 15, 2019 to all Series A preferred unitholders of record as at August 8, 2019. Golar LNG Partners LP Hamilton, Bermuda July 23, 2019 This information is subject to the disclosure requirements pursuant to Section 5-12 the Norwegian Securities Trading Act
EUROCOMMERCIAL PROPERTIES N.V. TRANSACTIONS BUYBACK PROGRAMME23.7.2019 18:05:00 CEST | Press release
Date: 23 July 2019 Release: After close of business Euronext Please open the following link to read the full report including annexes: Attachment Full press release
ASM INTERNATIONAL N.V. REPORTS SECOND QUARTER 2019 RESULTS23.7.2019 18:00:00 CEST | Press release
Almere, The Netherlands July 23, 2019, 6 p.m. CET ASM INTERNATIONAL N.V. REPORTS SECOND QUARTER 2019 RESULTS ASM International N.V. (Euronext Amsterdam: ASM) today reports its second quarter 2019 operating results (unaudited) in accordance with IFRS. FINANCIAL HIGHLIGHTS EUR million Q2 2018 Q1 2019 Q2 2019 New orders 175.9 235.0 373.1 Net sales 208.7 248.8 363.3 Gross profit margin % 42.1 % 41.3 % 59.0 % Operating result 38.3 47.0 150.2 Result from investments (excluding amortization intangible assets resulting from the sale of ASMPT stake in 2013) 21.6 3.1 2.0 Amortization intangible assets (resulting from the sale of ASMPT stake in 2013) (3.0 ) (3.4 ) (3.4 ) Net earnings 59.4 49.4 121.6 Normalized net earnings (excluding amortization intangible assets resulting from the sale of ASMPT stake in 2013 and result from sale of ASMPT shares) 62.4 52.8 125.0 • New orders were €373 million. Excluding €103 million related to the patent litigation settlement new orders were €270 million. • Net
Banks net position in the Riksbank23.7.2019 16:40:00 CEST | Press release
Jul 23, 2019 SEK MILLION LENDING BORROWING 271