Security researchers at behavioral firewall specialist firm Preempt have discovered two critical security flaws in the Microsoft Windows NT LAN Manager (NTLM) security protocols which, if exploited, can allow attackers to crack passwords and compromise credentials from a targeted network.
The first vulnerability (CVE-2017-8563) affects LDAP (Lightweight Directory Access Protocol) and is reached through NTLM relay, while the second affects the widely used Remote Desktop Protocol (RDP) Restricted-Admin mode.
“Today’s threat landscape continues to expand, highlighting weaknesses in existing security protocols, and these two vulnerabilities are no different,” said Ajit Sancheti, CEO and co-founder of Preempt.
“NTLM puts organizations and individuals at risk of credential forwarding and password cracking, and ultimately, illustrates why organizations must remain vigilant and ensure that their deployments are secure, especially when using legacy protocols like NTLM.”
In Windows, LDAP is meant to protect users against credential forwarding and Man-in-the-Middle (MitM) attacks, but because of this vulnerability that protection does not stop forwarded (relayed) NTLM credentials from being accepted by the LDAP server. This can allow attackers to create a domain admin account and gain full control over the attacked network.
As for RDP, Windows users may be familiar with Restricted-Admin mode: it allows a user to connect to a remote machine without sending their password to that machine, which might itself be compromised. Because of the second flaw, every attack that works against NTLM, such as credential relaying and password cracking, can also be carried out against RDP Restricted-Admin.
Preempt alerted Microsoft about the issues; a patch for the first vulnerability has been issued, while for the second one Microsoft stated that it is a known issue.
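As an added defender-side check, not code from Preempt or from the article, the PowerShell audit below reads the host settings that govern the two protections discussed above. It assumes the LDAP protection the article refers to is LDAP server signing, that the LdapEnforceChannelBinding value is the LDAPS channel-binding control Microsoft introduced with the CVE-2017-8563 fix, that the script runs in an elevated session, and that the listed registry value names exist on the Windows version in use.

```powershell
# Added example: a read-only audit of the settings behind the protections the article
# discusses (LDAP signing / channel binding on a DC, RDP Restricted Admin, NTLM auditing).
# Assumed value names and meanings are documented per check; nothing is modified.
function Get-NtlmRelayPosture {
    # Reads one registry DWORD; returns $null when the key or the value is absent.
    function Read-RegDword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return [int]$item.$Name
    }

    # DomainRole 4 = backup DC, 5 = primary DC; the LDAP server settings only matter there.
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $msv  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

    # Want = the hardened value, or $null when the setting is reported for information only.
    $checks = @(
        @{ Name = 'LDAPServerIntegrity';        Path = $ntds; DcOnly = $true;  Want = 2
           Meaning = '2 = LDAP signing required; 1 or absent = signing not required' }
        @{ Name = 'LdapEnforceChannelBinding';  Path = $ntds; DcOnly = $true;  Want = 2
           Meaning = '2 = LDAPS channel binding always enforced; 1 = when supported; 0/absent = never' }
        @{ Name = 'DisableRestrictedAdmin';     Path = $lsa;  DcOnly = $false; Want = $null
           Meaning = '0 = RDP Restricted Admin enabled; the NTLM attacks described apply to that mode' }
        @{ Name = 'AuditReceivingNTLMTraffic';  Path = $msv;  DcOnly = $false; Want = 2
           Meaning = '2 = audit all incoming NTLM so relayed authentications appear in the NTLM audit log' }
        @{ Name = 'RestrictSendingNTLMTraffic'; Path = $msv;  DcOnly = $false; Want = $null
           Meaning = '0 = allow, 1 = audit, 2 = deny outgoing NTLM (deny breaks NTLM-only services)' }
    )

    foreach ($c in $checks) {
        $v = Read-RegDword -Path $c.Path -Name $c.Name
        if ($c.DcOnly -and -not $isDc) { $status = 'N/A (not a domain controller)' }
        elseif ($null -eq $c.Want)     { $status = 'Info' }
        elseif ($null -eq $v)          { $status = 'Fail (value absent, default applies)' }
        elseif ($v -eq $c.Want)        { $status = 'Pass' }
        else                           { $status = 'Fail' }
        $shown = if ($null -eq $v) { '<absent>' } else { $v }
        [pscustomobject]@{ Setting = $c.Name; Value = $shown; Status = $status; Meaning = $c.Meaning }
    }
}

Get-NtlmRelayPosture | Format-Table -AutoSize -Wrap
```

A 'Fail' on the two NTDS rows means the domain controller still accepts unsigned or unbound LDAP binds, the condition under which a relayed NTLM authentication can be used against the directory; the Restricted Admin row is informational because enabling that mode is itself the trade-off the second finding concerns.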
Preempt’s official blog post has more technical details, and the firm has also released the following demonstration video.
Windows is reported to account for 80% of malware infections, a consequence of the critical security flaws that are found in the operating system time and again. It was one such vulnerability, in Windows’ Server Message Block (SMB) protocol, that allowed the attackers behind the WannaCry ransomware to carry out their attack in more than 100 countries.