MS Patch Tuesday fixes 19 critical issues, including two NTLM zero-day flaws

The analysis published by Preempt also includes a video PoC for credential relay attacks.

The second NTLM vulnerability affects the RDP Restricted-Admin mode that allows users to access to a remote machine without providing their password.

According to Preempt researchers, the RDP Restricted-Admin allows authentication systems to downgrade to NTLM.

This means that it is possible to perform NTLM relay attacks and password cracking against the RDP Restricted-Admin.

“Preempt discovered that RDP Restricted-Admin, which is sometimes referred to (mistakenly) as Kerberosed RDP, allows downgrade to NT LAN Manager in the authentication negotiation. This means that every attack you can perform with NTLM such as credential relaying and password cracking could be carried out against RDP Restricted-Admin.” continues the analysis.

Chaining the two zero-days, an attacker could create a bogus domain admin account whenever an admin connects with RDP Restricted-Admin and get control of the entire domain.

The NTLM flaws have been reported to Microsoft in April, but the company only acknowledged a month later the NTLM LDAP vulnerability (tracked as CVE-2017-8563). Microsoft did not recognize RDP bug, the tech giant classified it as a “known issue” that could be solved with a proper configuration of the network.

Microsoft recommends companies running vulnerable servers with NT LAN Manager enabled to patch them as soon as possible.

Other mitigation actions are:

• turning NT LAN Manager off.
• requiring that incoming LDAP and SMB packets are digitally signed in order to prevent credential relay attacks.

Microsoft has released patches for 55 security vulnerabilities, including 19 critical issues, in its products, including Edge, Internet Explorer, Windows, Office and Office Services and Web Apps, .NET Framework, and Exchange Server.

[adorate banner=”9″]Pierluigi Paganini (Security Affairs – LDAP, NT LAN Manager hacking)

[adrotate banner=”13″]