Ghost of NTLM still haunts Microsoft: Aged protocol hole patched
Authentication system gets fixed up today to limp onward
Computer security biz Preempt warned last October that Microsoft NT LAN Manager (NTLM) should be avoided. On Tuesday, it plans to support its assessment by going public with details of two vulnerabilities.
NTLM is an old authentication protocol. Though it was replaced by Kerberos in Windows 2000, Microsoft has not removed the code and it continues to be used.
As Preempt describes it, NTLM has weak encryption, weak nonces, no multi-factor authentication, and no mutual authentication, making it susceptible to replay and man-in-the-middle attacks.
"NTLM is risky and should be used with caution (if not totally restricted) in your organization's network," said Yaron Zinar, a security researcher at Preempt, in a blog post last year.
In April, Preempt contacted Microsoft to alert the company to LDAP and RDP Relay vulnerabilities in NTLM.
LDAP, it seems, fails to adequately protect against credential forwarding.
"This allows an attacker with SYSTEM privileges on a machine to use any incoming NTLM session and perform the LDAP operations on behalf of the NTLM user," said Zinar in a blog post provided in advance to The Register. "To realize how severe this issue is, we need to realize all Windows protocols use the Windows Authentication API (SSPI), which allows downgrade of an authentication session to NTLM."
Preempt also finds fault with RDP Restricted Admin, which offers administrators a way to connect to remote systems without exposing credentials. The security biz discovered that this particular mode allows downgrading to NTLM for authentication negotiation.
So in theory, credential relaying and password cracking attacks on NTLM can be carried out against RDP Restricted Admin. And in conjunction with the LDAP relay flaw, an attacker could create a rogue domain admin whenever an admin utilized RDP Restricted Admin.
Microsoft acknowledged the NTLM LDAP flaw in May, giving it CVE-2017-8563, and dismissed the RDP flaw by telling Preempt it represents "a known issue."
The Windows giant plans to issue a fix on Tuesday as part of its regularly scheduled patch routine. ®