Windows NTLM Zero-Day Vulnerability
By Bryce Briggles on July 14, 2017
What is it?
Microsoft released patches on Tuesday that fix a serious privilege escalation vulnerability, CVE-2017-8563, which affects all Windows operating systems released since 2007. Two NT LAN Manager (NTLM) zero-day vulnerabilities were discovered by researchers at Preempt; they allow attackers to create domain admin accounts and control the entire domain. According to Preempt, 50-60% of all networks use an administrator account that connects to every system. In these types of relay attacks, full domain admin privileges are not required to take over a network: all the attacker needs is enough privileges to create another account to cause serious damage.
The first vulnerability is an NTLM relay attack against unsecured Lightweight Directory Access Protocol (LDAP), and the second involves Remote Desktop Protocol (RDP) Restricted-Admin mode. More details on these vulnerabilities can be found in the sources listed below.
How can I protect myself?
NTLM exposes your company to password cracking and credential forwarding, so the safest option is to disable it. However, many companies cannot avoid using NT LAN Manager, so here are a few other steps you can take to avoid being compromised:
- Apply the patch promptly to servers with NTLM enabled. Keep in mind that these updates require a restart to take effect.
- To prevent credential relay attacks, require that incoming SMB and LDAP packets be digitally signed.
- Follow a configuration guide to make LDAP authentication over SSL/TLS more secure.
- Monitor NTLM network traffic and investigate any related suspicious activity.
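The following PowerShell script is an added example, not part of the original post or of Preempt's research: it audits whether a Windows host enforces the SMB and LDAP signing recommended above and tails the NTLM Operational log for the monitoring step. It assumes it is run in an elevated PowerShell on the host being checked; the registry locations are the documented values behind the corresponding Group Policy settings.

```powershell
# Added example (not from the original post): audit the relay mitigations
# listed above on the local host. Run elevated. Assumes Windows 8 / Server 2012
# or later for Get-WinEvent against the NTLM Operational log.

$checks = @(
    @{ Name  = 'SMB server signing required (LanmanServer)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    @{ Name  = 'SMB client signing required (LanmanWorkstation)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Want = 1 },
    # Domain controllers only: 1 = none, 2 = require signing
    @{ Name  = 'LDAP server signing required (NTDS, DCs only)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Want = 2 },
    # 0 = none, 1 = negotiate (default), 2 = require signing
    @{ Name  = 'LDAP client signing required'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
       Value = 'LDAPClientIntegrity'; Want = 2 },
    # 2 = audit NTLM authentication for all accounts; feeds the Operational log
    @{ Name  = 'NTLM auditing of incoming traffic (Lsa\MSV1_0)'
       Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
       Value = 'AuditReceivingNTLMTraffic'; Want = 2 }
)

foreach ($c in $checks) {
    # A missing value means the policy was never set, i.e. the insecure default.
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $status = if ($null -eq $actual) { 'NOT SET (default: not required)' }
              elseif ($actual -ge $c.Want) { 'OK' }
              else { "WEAK (value $actual, want $($c.Want))" }
    '{0,-55} {1}' -f $c.Name, $status
}

# Monitoring step: show the most recent NTLM authentication events. The log
# only fills once NTLM auditing (the last check above) has been enabled.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

Any line reported as NOT SET or WEAK corresponds to a Group Policy setting (for example "Microsoft network server: Digitally sign communications (always)" or "Domain controller: LDAP server signing requirements") that should be enforced domain-wide rather than edited per host.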
Sources:
http://thehackernews.com/2017/07/windows-ntlm-security-flaw.html
https://blog.preempt.com/new-ldap-rdp-relay-vulnerabilities-in-ntlm
http://www.darkreading.com/vulnerabilities—threats/microsoft-patches-critical-zero-day-flaw-in-windows-security-protocol/d/d-id/1329332
Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cybersecurity and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send in your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity. Mail us at: uhwocscc@hawaii.edu