SAN FRANCISCO, June 11, 2019 (GLOBE NEWSWIRE) -- Preempt, the leading provider of conditional access for real-time threat prevention, today announced that its research team found two critical Microsoft vulnerabilities consisting of three logical flaws in NTLM, Microsoft’s proprietary authentication protocol. These vulnerabilities allow attackers to remotely execute malicious code on any Windows machine, or to authenticate to any web server that supports Windows Integrated Authentication (WIA), such as Exchange or ADFS. The research shows that all Windows versions are vulnerable.
NTLM is susceptible to relay attacks, which allow an attacker to capture an authentication and relay it to another server, gaining the ability to perform operations on that server with the authenticated user’s privileges. NTLM relay is one of the most common attack techniques used in Active Directory environments: the attacker compromises one machine, then moves laterally to other machines by relaying NTLM authentications directed at the compromised server.
Microsoft previously developed several mitigations for preventing NTLM relay attacks. Preempt researchers discovered that those mitigations have the following flaws, which attackers can exploit:
To see more details on the reported risks of these flaws, please visit Preempt’s security advisory blog here.
“Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly,” stated Roman Blachman, Chief Technology Officer and Co-Founder at Preempt. “Companies need to first and foremost ensure all of their Windows systems are patched and securely configured. In addition, organizations can further protect their environments by gaining network NTLM visibility. Preempt works with its customers to ensure they have this visibility and the best protection possible.”
For organizations to protect themselves from these vulnerabilities they must:
Preempt’s customers already have protections against NTLM vulnerabilities. The Preempt Platform provides full network NTLM visibility, allowing organizations to reduce NTLM traffic and analyze suspicious NTLM activity. In addition, Preempt has innovative, industry-first deterministic NTLM relay detection capabilities and can inspect all GPO configurations, alerting on insecure ones. This configuration inspection is also available in Preempt Lite, a free lightweight version of the Preempt Platform. Organizations can download Preempt Lite here and verify which areas of their network are vulnerable.
These vulnerabilities and more will be presented by Preempt researchers Yaron Zinar and Marina Simakov at Black Hat USA 2019.
As of June 11, 2019, Microsoft has issued CVE-2019-1040 and CVE-2019-1019 on Patch Tuesday, following Preempt’s responsible disclosure of the NTLM vulnerabilities.
Preempt delivers a modern approach to authentication and securing identity in the enterprise. Using patented technology for Conditional Access, Preempt helps enterprises optimize identity hygiene and stop attacks in real time before they impact business. Preempt continuously detects and preempts threats based on identity, behavior, and risk across all cloud and on-premises authentication and access platforms. This low-friction approach gives security teams more visibility and control over accounts and privileged access, while achieving compliance and auto-resolving incidents. Learn more: www.preempt.com.