Two new vulnerabilities found in Windows NTLM security protocols
Researchers at behavioral firewall specialist Preempt have discovered two vulnerabilities within the Microsoft Windows NT LAN Manager (NTLM) security protocols.
The first is that Lightweight Directory Access Protocol (LDAP) is unprotected from NTLM relay, and the second affects Remote Desktop Protocol (RDP) Restricted-Admin mode. Both vulnerabilities can result in unauthorized credential use, a risk of password cracking and, potentially, domain compromise.
"Today's threat landscape continues to expand, highlighting weaknesses in existing security protocols, and these two vulnerabilities are no different," says Ajit Sancheti, CEO and co-founder of Preempt. "NTLM puts organizations and individuals at risk of credential forwarding and password cracking, and ultimately, illustrates why organizations must remain vigilant and ensure that their deployments are secure, especially when using legacy protocols like NTLM."
The LDAP vulnerability allows credential forwarding, which could let an attacker create a domain admin account and gain full control over the attacked network. The RDP flaw means that every attack performed with NTLM, such as credential relaying and password cracking, could also be carried out against an RDP Restricted-Admin session.
Microsoft has been alerted to both issues. For the first, a CVE has been issued (CVE-2017-8563) and a fix released; for the second, Microsoft says it is a 'known issue'.
You can find out more about the vulnerabilities and how to protect against them on the Preempt blog.