CVE-2019-1166 and CVE-2019-1338 are two vulnerabilities in Microsoft’s NTLM authentication protocol discovered by Preempt researchers.
Attackers could exploit the flaws to achieve full domain compromise. Fortunately, both were patched by Microsoft in the October 2019 Patch Tuesday release.
The CVE-2019-1166 vulnerability allows attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing requirement. As Preempt researchers explained, this lets an attacker relay an authentication attempt that has successfully negotiated signing to another server while tricking that server into ignoring the signing requirement entirely. All servers that do not enforce signing are vulnerable to this attack.
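To make concrete what the MIC protects and why a relay has to defeat it before it can downgrade signing, here is an added, simplified model of the NTLMv2 exchange (this is illustrative code, not Preempt's or Microsoft's, and not wire-accurate: the messages use a fixed layout instead of NTLM's offset/length fields, an all-zero MIC stands in for "no MIC sent", and the NT hash, user, domain, challenges and timestamp are constructed values). The MIC is an HMAC-MD5 over NEGOTIATE, CHALLENGE and AUTHENTICATE keyed with the session key, so a relay that clears the signing flag in NEGOTIATE fails verification; if the relay also strips the MIC, a server that simply skips the check accepts the downgraded logon, whereas a server that consults the MsvAvFlags "MIC present" bit inside the NTLMv2 target info (which the relay cannot edit, because NTProofStr binds it under a password-derived key) rejects it. That flag check is the one Microsoft introduced for the earlier Drop the MIC flaw (CVE-2019-1040); the CVE-2019-1166 bypass of that check is not modelled here.

```python
import hashlib
import hmac
import struct

# Constructed inputs (not from the article). NT_HASH is MD4(UTF-16LE(password)),
# hard-coded so the example needs no MD4 implementation.
NT_HASH = bytes.fromhex("31d6cfe0d16ae931b73c59d7e0c089c0")
USER, DOMAIN = "alice", "CORP"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = struct.pack("<Q", 132160000000000000)
NTLMSSP_NEGOTIATE_SIGN = 0x00000010                   # MS-NLMP NegotiateFlags bit
CLIENT_FLAGS = 0x00000200 | NTLMSSP_NEGOTIATE_SIGN    # NTLM + "please sign"
MSV_AV_NB_DOMAIN_NAME, MSV_AV_FLAGS = 0x0002, 0x0006  # AV_PAIR ids
MSV_AV_FLAG_MIC_PRESENT = 0x00000002                  # MsvAvFlags bit: a MIC was sent
SIGNATURE, ZERO_MIC = b"NTLMSSP\x00", b"\x00" * 16    # all-zero MIC stands in for "absent"

def hmac_md5(key, data):
    return hmac.new(key, data, hashlib.md5).digest()

def av_pairs(pairs):
    """Serialise AV_PAIRs and terminate with MsvAvEOL."""
    return b"".join(struct.pack("<HH", i, len(v)) + v for i, v in pairs) + b"\x00" * 4

def parse_av_pairs(data):
    pairs, off = {}, 0
    while True:
        av_id, av_len = struct.unpack_from("<HH", data, off)
        if av_id == 0:
            return pairs
        pairs[av_id] = data[off + 4:off + 4 + av_len]
        off += 4 + av_len

# Simplified fixed-layout messages (real NTLM uses offset/length fields).
def build_negotiate(flags):
    return SIGNATURE + struct.pack("<II", 1, flags)

def build_authenticate(flags, nt_proof, blob, mic):
    return SIGNATURE + struct.pack("<II", 3, flags) + nt_proof + blob + mic

def ntowfv2():
    return hmac_md5(NT_HASH, (USER.upper() + DOMAIN).encode("utf-16le"))

def server_challenge(negotiate):
    flags = struct.unpack_from("<I", negotiate, 12)[0]   # echoes the flags it was offered
    target_info = av_pairs([(MSV_AV_NB_DOMAIN_NAME, DOMAIN.encode("utf-16le"))])
    return SIGNATURE + struct.pack("<II", 2, flags) + SERVER_CHALLENGE + target_info

def client_authenticate(negotiate, challenge):
    flags = struct.unpack_from("<I", challenge, 12)[0]
    # Copy the server's target info, add MsvAvFlags = "MIC present", build the NTLMv2 blob.
    target_info = challenge[24:-4] + av_pairs([(MSV_AV_FLAGS, struct.pack("<I", MSV_AV_FLAG_MIC_PRESENT))])
    blob = b"\x01\x01" + b"\x00" * 6 + TIMESTAMP + CLIENT_CHALLENGE + b"\x00" * 4 + target_info + b"\x00" * 4
    nt_proof = hmac_md5(ntowfv2(), challenge[16:24] + blob)  # NTProofStr: password-keyed, binds the blob
    session_key = hmac_md5(ntowfv2(), nt_proof)              # SessionBaseKey (no KEY_EXCH in this demo)
    unsigned = build_authenticate(flags, nt_proof, blob, ZERO_MIC)
    mic = hmac_md5(session_key, negotiate + challenge + unsigned)  # MIC covers all three messages
    return build_authenticate(flags, nt_proof, blob, mic)

def server_verify(negotiate, challenge, authenticate, check_mic_flag=True):
    """Target server's view (it obtains NT_HASH via the DC). True = logon accepted."""
    nt_proof, blob, mic = authenticate[16:32], authenticate[32:-16], authenticate[-16:]
    if not hmac.compare_digest(nt_proof, hmac_md5(ntowfv2(), challenge[16:24] + blob)):
        return False                                   # wrong password or tampered blob
    if mic == ZERO_MIC:
        av_flags = struct.unpack("<I", parse_av_pairs(blob[28:-4]).get(MSV_AV_FLAGS, b"\x00" * 4))[0]
        # Naive server: no MIC, nothing to check. Hardened server: the HMAC-bound
        # MsvAvFlags say the client sent one, so a missing MIC means tampering.
        return not (check_mic_flag and av_flags & MSV_AV_FLAG_MIC_PRESENT)
    session_key = hmac_md5(ntowfv2(), nt_proof)
    expected = hmac_md5(session_key, negotiate + challenge + authenticate[:-16] + ZERO_MIC)
    return hmac.compare_digest(mic, expected)

# Relay manipulations.
def relay_strip_sign(negotiate):
    flags = struct.unpack_from("<I", negotiate, 12)[0] & ~NTLMSSP_NEGOTIATE_SIGN
    return build_negotiate(flags)

def relay_drop_mic(authenticate):
    return authenticate[:-16] + ZERO_MIC

def relay_remove_mic_flag(authenticate):
    flags, nt_proof, blob = struct.unpack_from("<I", authenticate, 12)[0], authenticate[16:32], authenticate[32:-16]
    kept = [(i, v) for i, v in parse_av_pairs(blob[28:-4]).items() if i != MSV_AV_FLAGS]
    return build_authenticate(flags, nt_proof, blob[:28] + av_pairs(kept) + b"\x00" * 4, ZERO_MIC)

def run(relay_negotiate=None, relay_authenticate=None, check_mic_flag=True):
    negotiate = build_negotiate(CLIENT_FLAGS)
    forwarded = relay_negotiate(negotiate) if relay_negotiate else negotiate
    challenge = server_challenge(forwarded)
    authenticate = client_authenticate(negotiate, challenge)   # client MICs what *it* sent
    if relay_authenticate:
        authenticate = relay_authenticate(authenticate)
    return server_verify(forwarded, challenge, authenticate, check_mic_flag)

def demo():
    return {
        "honest": run(),                                                            # True
        "strip_sign": run(relay_strip_sign),                                        # False: MIC mismatch
        "strip_sign_drop_mic_naive": run(relay_strip_sign, relay_drop_mic, False),  # True: relay wins
        "strip_sign_drop_mic_hardened": run(relay_strip_sign, relay_drop_mic),      # False: flag says MIC expected
        "strip_sign_remove_flag": run(relay_strip_sign, relay_remove_mic_flag),     # False: NTProofStr breaks
    }
```

Calling `demo()` returns the five outcomes. The two results that matter for the article's point are "strip_sign" (the MIC alone catches a signing downgrade) and "strip_sign_drop_mic_naive" (a server that does not insist on the MIC accepts the downgraded relay, which is exactly why a MIC bypass translates into relaying signed-negotiated authentication to servers that do not enforce signing).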
The CVE-2019-1338 vulnerability allows attackers to evade the MIC protection, together with other NTLM relay mitigations such as Enhanced Protection for Authentication (EPA) and target SPN validation, for certain old NTLM clients that send LMv2 challenge responses. It can be used in NTLM relay attacks to authenticate to critical servers such as OWA and ADFS and steal valuable user data.
NTLM relay is one of the most prevalent attacks on Active Directory infrastructure. Server signing and EPA (Enhanced Protection for Authentication) are considered the most crucial defenses against it: when both are strictly enforced, the network is protected from such attacks. However, various obstacles to deploying these defenses mean that many networks remain inadequately protected.
Microsoft released patches for both flaws in the October 2019 Patch Tuesday. The general advice to admins is to apply the patches, enforce the NTLM mitigations (server signing and EPA), and apply NTLM relay detection and prevention techniques. Other important steps include monitoring NTLM traffic in the network and restricting insecure NTLM traffic, retiring clients that send LM responses, and reducing the use of NTLM in the network overall.