CYBER NEWS

CVE-2019-1166, CVE-2019-1338 Allow Full Domain Compromise

CVE-2019-1166 and CVE-2019-1338 are two vulnerabilities in Microsoft’s NTLM authentication protocol, discovered by Preempt researchers.

Both flaws were patched by Microsoft in the October 2019 Patch Tuesday. Before the fix, attackers could exploit them through NTLM relay to achieve full domain compromise.

CVE-2019-1166

The CVE-2019-1166 vulnerability lets an attacker bypass the MIC (Message Integrity Code) protection on NTLM authentication and modify any field in the NTLM message flow, including the signing negotiation. An attacker can therefore take an authentication attempt in which the client successfully negotiated signing and relay it to another server, while tricking that server into ignoring the signing requirement entirely, Preempt researchers explained. Any server that does not enforce signing is vulnerable to this attack; a server that requires signing rejects the relayed session, because the attacker never obtains the session key needed to sign traffic.

CVE-2019-1338

The CVE-2019-1338 vulnerability allows attackers to evade the MIC protection, together with other NTLM relay mitigations such as Enhanced Protection for Authentication (EPA) and target SPN validation, for certain old NTLM clients that send LMv2 challenge responses. This can lead to attacks in which NTLM relay is used to authenticate to critical servers such as OWA and ADFS and steal valuable user data.

It is worth noting that NTLM relay is one of the most prevalent attacks on Active Directory infrastructure. Server signing and EPA (Enhanced Protection for Authentication) are considered the most crucial defenses against NTLM relay: when both are strictly enforced, the network is protected from such attacks. In practice, however, various obstacles get in the way of deploying these defenses, so many networks are not protected effectively.

As mentioned above, Microsoft released patches for both flaws in the October 2019 Patch Tuesday. The general advice to admins is to apply the patches, enforce the NTLM relay mitigations (server signing and EPA), and apply NTLM relay detection and prevention techniques. Other important steps include monitoring NTLM traffic on the network and restricting insecure NTLM traffic, getting rid of clients that still send LM responses, and reducing the use of NTLM in the network wherever possible.
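The following PowerShell script is an added example, not code from the article, Preempt or Microsoft. It audits, on the local Windows host, the mitigations listed above (SMB and LDAP server signing, LDAP channel binding as the EPA control for LDAP, refusal of LM and NTLMv1 responses, and NTLM auditing) and reports which are not enforced. The registry paths and value meanings are Microsoft's documented settings; the expected values are this example's hardening choices, and the script assumes it runs elevated on a domain-joined host.

```powershell
# Added example (not from the article, Preempt or Microsoft): audit the NTLM relay
# mitigations on this host. Registry locations are Microsoft's documented ones;
# the "Expect" values are this example's hardening targets.
#Requires -RunAsAdministrator

function Get-RegistryValueOrNull {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent: Windows applies its default, which is usually the weak setting
}

function Get-NtlmRelayPosture {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = "$lsa\MSV1_0"
    $smb  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    # DomainRole 4 = backup DC, 5 = primary DC; LDAP checks only apply there
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

    $checks = @(
        @{ Control = 'SMB server signing required';         Path = $smb;  Name = 'RequireSecuritySignature';   Expect = @(1);    Applies = $true  }
        @{ Control = 'LDAP server signing required';        Path = $ntds; Name = 'LDAPServerIntegrity';        Expect = @(2);    Applies = $isDc  }
        @{ Control = 'LDAP channel binding (EPA) always';   Path = $ntds; Name = 'LdapEnforceChannelBinding';  Expect = @(2);    Applies = $isDc  }
        @{ Control = 'Refuse LM and NTLMv1 (NTLMv2 only)';  Path = $lsa;  Name = 'LmCompatibilityLevel';       Expect = @(5);    Applies = $true  }
        @{ Control = 'Audit incoming NTLM (all accounts)';  Path = $msv;  Name = 'AuditReceivingNTLMTraffic';  Expect = @(2);    Applies = $true  }
        @{ Control = 'Audit or deny outgoing NTLM';         Path = $msv;  Name = 'RestrictSendingNTLMTraffic'; Expect = @(1, 2); Applies = $true  }
    )

    foreach ($c in $checks) {
        if (-not $c.Applies) { continue }
        $actual = Get-RegistryValueOrNull -Path $c.Path -Name $c.Name
        $ok = ($null -ne $actual) -and ($actual -in $c.Expect)
        $shown = '(not set)'
        if ($null -ne $actual) { $shown = $actual }
        $status = 'WEAK'
        if ($ok) { $status = 'OK' }
        [pscustomobject]@{
            Control  = $c.Control
            Value    = $c.Name
            Actual   = $shown
            Expected = ($c.Expect -join ' or ')
            Status   = $status
        }
    }
}

# Once NTLM auditing is enabled, authentications are logged to the NTLM Operational
# channel; this returns the newest entries so the relay detection step has data to work on.
function Get-RecentNtlmAuditEvents {
    param([int]$Newest = 20)
    Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-NtlmRelayPosture | Format-Table -AutoSize
```

Run it on every domain controller and on the member servers that terminate NTLM (file servers, Exchange, AD FS). The script treats a missing value as weak because the built-in default for most of these settings (for example SMB signing on a member server) is the permissive one. EPA for HTTP endpoints such as OWA and AD FS is configured in IIS and AD FS rather than in these registry keys; on AD FS the equivalent setting is `Set-AdfsProperties -ExtendedProtectionTokenCheck Require`.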

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the beginning. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim