It is reported that NTLM relay is one of the most commonly used attack techniques in Active Directory environments. Although Microsoft has previously developed several mitigations against NTLM relay attacks, Preempt researchers have found that they still leave gaps:
● The Message Integrity Code (MIC) field is meant to ensure that an attacker cannot tamper with NTLM messages, but the researchers discovered a bypass that removes the MIC protection and allows modification of various fields in the NTLM authentication flow, such as the signing negotiation.
● SMB session signing prevents an attacker from relaying NTLM authentication messages to establish SMB and DCE/RPC sessions, but the bypass still allows relaying NTLM authentication requests to any server in the domain (including the domain controller) while establishing a signed session, enabling remote code execution. If the relayed authentication belongs to a privileged user, the entire domain is compromised.
● Extended Protection for Authentication (EPA) prevents attackers from relaying NTLM messages to TLS sessions, but an attacker can still bypass it by modifying NTLM messages to produce legitimate channel binding information. This allows an attacker to connect to various web services with the victim user's privileges and perform operations such as reading the user's email (by relaying to an OWA server) or even connecting to cloud resources (by relaying to an ADFS server).
Preempt responsibly disclosed the above vulnerabilities to Microsoft, which released patches for CVE-2019-1040 and CVE-2019-1019 on Tuesday to address these issues.
However, Preempt warns that patching alone is not enough to adequately address the security implications of NTLM relay, since administrators also need to change certain configurations to obtain effective protection.
Here are the suggested actions for the administrator:
(1) Apply the patches - Make sure that workstations and servers are patched as needed.
(2) Enforce SMB signing - To prevent an attacker from launching the simpler NTLM relay attacks, make sure SMB signing is enabled on all computers in the network.
(3) Block NTLMv1 - This version is highly insecure and should be disabled entirely through appropriate Group Policy.
(4) Enforce LDAP/S signing - To prevent NTLM relay against LDAP, enforce LDAP signing and LDAPS channel binding on the domain controllers.
(5) Implement EPA - To prevent NTLM relay against web servers, harden all web servers (OWA/ADFS) so that they accept only requests that use EPA.
(6) Reduce the use of NTLM - Even with a fully hardened configuration, NTLM carries greater security risk than Kerberos, so it is recommended to abandon it entirely wherever it is not needed.
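The following audit script is an added example, not code from Preempt or Microsoft. It reads the registry values behind recommendations (2), (3) and (4) on the local host and reports which ones fall short; the registry paths and value meanings are taken from Microsoft's documented settings, and the presence of the NTDS key is used as a rough domain-controller check (an assumption), so run it in an elevated PowerShell session on each host you want to verify.

```powershell
# Added audit script (not from the Preempt research or Microsoft).
# Checks the host's SMB signing, NTLMv1 and LDAP signing/channel binding settings.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value not set: caller treats as non-compliant
    return [int]$item.$Name
}

function Test-NtlmRelayHardening {
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
    $wks  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

    $findings = @()

    # (2) SMB signing: RequireSecuritySignature = 1 means signing is mandatory.
    foreach ($role in @(@{Name='SMB server'; Path=$srv}, @{Name='SMB client'; Path=$wks})) {
        $v = Get-RegDword $role.Path 'RequireSecuritySignature'
        if ($v -ne 1) { $findings += "$($role.Name): signing not required (RequireSecuritySignature=$v)" }
    }

    # (3) NTLMv1: LmCompatibilityLevel 5 = send NTLMv2 only, refuse LM and NTLM.
    $lm = Get-RegDword $lsa 'LmCompatibilityLevel'
    if ($null -eq $lm -or $lm -lt 5) { $findings += "LmCompatibilityLevel=$lm (expected 5; NTLMv1 still accepted)" }

    # (4) LDAP signing / channel binding: only meaningful on a domain controller
    # (assumption: the NTDS key is present only on DCs).
    if (Test-Path $ntds) {
        $sign = Get-RegDword $ntds 'LDAPServerIntegrity'      # 2 = require signing
        $cbt  = Get-RegDword $ntds 'LdapEnforceChannelBinding' # 2 = always enforce
        if ($sign -ne 2) { $findings += "LDAPServerIntegrity=$sign (expected 2: require signing)" }
        if ($cbt -ne 2)  { $findings += "LdapEnforceChannelBinding=$cbt (expected 2: always)" }
    }

    return ,$findings   # unary comma keeps an empty result as an array
}

$result = Test-NtlmRelayHardening
if ($result.Count -eq 0) { 'No findings: SMB, NTLM and LDAP hardening in place.' }
else { $result | ForEach-Object { "FINDING: $_" } }
```

Recommendation (5) is not covered here because EPA is configured per web application (for IIS, in the windowsAuthentication extendedProtection setting) rather than in a single registry value.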