Two critical vulnerabilities in Microsoft's NTLM authentication protocol, made up of three logical flaws, make it possible for attackers to run remote code on and authenticate to machines running any Windows version.

As Preempt's research team discovered, threat actors can "remotely execute malicious code on any Windows machine or authenticate to any web server that supports Windows Integrated Authentication (WIA) such as Exchange or ADFS."

The Windows NTLM (short for NT LAN Manager) Authentication Protocol is used for client/server authentication purposes to authenticate remote users and to provide session security when requested by application protocols.

The NTLM flaws unearthed by Preempt

While Microsoft provides mitigations to block NTLM relay attacks, Preempt's research team was able to find several flaws in Redmond's mitigations that could be exploited by potential attackers.

Microsoft added a Message Integrity Code (MIC) field designed to guarantee that attackers cannot tamper with NTLM messages in any way. However, the Preempt researchers found a bypass that enables attackers to remove the MIC protection and alter various fields of the NTLM authentication flow, such as the signing negotiation.
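As an added illustration of what a server-side or network-monitoring check for a stripped MIC can look like (this is example code written for this article, not Preempt's research code or Microsoft's fix), the following parser reads an NTLM AUTHENTICATE message using the MS-NLMP field layout, compares the MIC field against the MsvAvFlags "MIC provided" bit carried inside the HMAC-protected NTLMv2 response, and reports a message whose signed flags promise a MIC that is no longer there. The sample messages are constructed in the script rather than captured from real traffic.

```python
import struct
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # NegotiateFlags bit: Version field present
MSV_AV_FLAGS = 0x0006                    # AvId of the MsvAvFlags AV_PAIR
MSV_AV_FLAG_MIC_PRESENT = 0x00000002     # MsvAvFlags bit: "client is providing a MIC"

def _field(msg, off):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it points at."""
    ln, _, o = struct.unpack_from("<HHI", msg, off)
    return msg[o:o + ln]

def av_flags(nt_response):
    """Walk the AV_PAIR list of an NTLMv2 response and return MsvAvFlags (0 if absent)."""
    pos = 44  # 16-byte NTProofStr + 28-byte fixed NTLMv2_CLIENT_CHALLENGE header
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == 0:                      # MsvAvEOL terminates the list
            return 0
        if av_id == MSV_AV_FLAGS and av_len == 4:
            return struct.unpack_from("<I", nt_response, pos + 4)[0]
        pos += 4 + av_len
    return 0

def check_authenticate(msg):
    """Flag an AUTHENTICATE message whose HMAC-covered AV flags promise a MIC that is missing."""
    if msg[:8] != b"NTLMSSP\0" or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLM AUTHENTICATE message")
    flags = struct.unpack_from("<I", msg, 60)[0]
    # Payload begins at the lowest non-empty field offset; a MIC (bytes 72..87) only fits if >= 88.
    descs = [struct.unpack_from("<HHI", msg, o) for o in range(12, 60, 8)]
    payload_start = min((o for ln, _, o in descs if ln), default=len(msg))
    mic = msg[72:88] if payload_start >= 88 else b""
    promised = bool(av_flags(_field(msg, 20)) & MSV_AV_FLAG_MIC_PRESENT)
    present = len(mic) == 16 and any(mic)
    return {"mic_promised": promised, "mic_present": present,
            "version_flag": bool(flags & NTLMSSP_NEGOTIATE_VERSION),
            "suspicious": promised and not present}

def build_sample(strip_mic=False):
    """Constructed (not captured) AUTHENTICATE message; strip_mic models a MIC-less message for testing."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, MSV_AV_FLAG_MIC_PRESENT) + struct.pack("<HH", 0, 0)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + b"\0" * 14 + b"\x22" * 8 + b"\0" * 4 + av
    parts = [b"", nt_resp, "LAB".encode("utf-16-le"), "alice".encode("utf-16-le"), b"", b""]
    hdr = 64 if strip_mic else 88          # Version (8) + MIC (16) follow the flags when kept
    descs, payload, off = b"", b"", hdr
    for p in parts:
        descs += struct.pack("<HHI", len(p), len(p), off)
        payload, off = payload + p, off + len(p)
    flags = 0 if strip_mic else NTLMSSP_NEGOTIATE_VERSION
    tail = b"" if strip_mic else b"\0" * 8 + b"\x33" * 16
    return b"NTLMSSP\0" + struct.pack("<I", 3) + descs + struct.pack("<I", flags) + tail + payload
```

The "suspicious" verdict is a heuristic for a relay that drops the MIC while leaving the signed NTLMv2 blob intact; the authoritative mitigation is still applying Microsoft's patch.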

The SMB Session Signing implemented by Redmond to block "attackers from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions" was also bypassed by the researchers.

The bypass they found allows "attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution."

The worst part is that if the malicious actors manage to relay the authentication of a privileged user, the attack can lead to the entire domain being compromised.

NTLM relay basic flow (Image: Preempt)

Last but not least, while Enhanced Protection for Authentication (EPA) was designed to stop potential attackers from "relaying NTLM messages to TLS sessions," Preempt's research team unearthed another bypass that enables bad actors to alter "NTLM messages to generate legitimate channel binding information."

This makes it possible for them to authenticate to various Windows web servers with the compromised user’s privileges to "read the user’s emails (by relaying to OWA servers) or even connect to cloud resources (by relaying to ADFS servers)."

Security patches and previous NTLM flaws

"Even though NTLM Relay is an old technique, enterprises cannot completely eliminate the use of the protocol as it will break many applications. Hence it still poses a significant risk to enterprises, especially with new vulnerabilities discovered constantly," said Preempt's Chief Technology Officer and Co-Founder Roman Blachman.

Following Preempt’s responsible disclosure of the vulnerabilities found in NTLM, Microsoft has issued security advisories and patches for the CVE-2019-1040 Windows NTLM Tampering Vulnerability and the CVE-2019-1019 Microsoft Windows Security Feature Bypass Vulnerability as part of the Patch Tuesday updates published today.

The vulnerabilities discovered by Preempt will be presented by Yaron Zinar and Marina Simakov during the Black Hat USA 2019 computer security conference. Preempt provides more details on these flaws on the company's security advisory blog.

This is not the first time Preempt's researchers have discovered vulnerabilities in Microsoft's Windows NT LAN Manager (NTLM) Authentication Protocol: multiple flaws fixed by Microsoft in the July 2017 Patch Tuesday updates allowed attackers to create admin accounts on a local network's domain controller (DC).