Researchers have earlier discovered a serious security vulnerability in Microsoft’s authentication protocol, NTLM, which was subsequently notified to Microsoft for repair. The vulnerability has been fixed by Microsoft’s routine update released this month, so researchers are now publishing details of the vulnerability.
NTLM is Microsoft’s widely used authentication protocol, but researchers have found that there are logical flaws in the protocol that lead to two critical vulnerabilities. The attacker exploits the vulnerability to execute arbitrary code and can also bypass Microsoft’s previous mitigations. In theory, all versions of Windows are affected.
Previously, Microsoft had introduced various mitigation measures for the authentication protocol. These mitigation measures can reduce the probability of security vulnerabilities being exploited and improve security. The message integrity code in the authentication protocol ensures that the attacker does not tamper with the message, but the bypass attack discovered by the researchers can delete the message. When the message integrity code is successfully deleted, it can be used to tamper with various fields in the authentication protocol. For example, the signature negotiation process can be tampered with.
At present, Microsoft has released an update to fix the above vulnerability, and the corresponding security bulletin can directly search for CVE-2019-1040 and CVE-2019-1019.
The latest news from researchers said that although Microsoft has released a security update to fix the above authentication protocol vulnerability, it is still not enough. Administrators also need to configure to ensure that NTLM is better protected. Of course, users must first install Microsoft’s cumulative update to fix the vulnerability.
In addition, administrators must enforce SMB signing. To prevent attackers from launching relay attacks, enabling SMB signing can effectively protect all computers. Enforce LDAP/S signatures, prevent NTLM relays in LDAP, enforce LDAP signatures and LDAPS tunnel bindings on domain controllers.