On October 2019 Patch Tuesday, Microsoft released patches for CVE-2019-1166 and CVE-2019-1338, two serious vulnerabilities that may lead to a full Active Directory domain compromise.

Two researchers from Preempt, Yaron Zinar and Marina Simakov, discovered two security vulnerabilities in Microsoft's NTLM authentication protocol that may allow attackers to bypass the MIC (Message Integrity Code) protection and downgrade NTLM security features, leading in some cases to full Active Directory domain compromise.

CVE-2019-1166: Windows NTLM Tampering Vulnerability

The first vulnerability, CVE-2019-1166, allows attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication and thereby modify any field in the NTLM message flow, including the signing requirement:

This bypass allows attackers to relay authentication attempts which have successfully negotiated signing to another server, while tricking the server to entirely ignore the signing requirement. All servers that do not enforce signing are vulnerable to this attack.

Preempt Blog l DROP THE MIC 2: AD Open to More NTLM Attacks

CVE-2019-1338: Windows NTLM Security Feature Bypass Vulnerability

The second flaw, CVE-2019-1338, allows attackers to bypass the MIC protection, along with other NTLM relay mitigations such as Enhanced Protection for Authentication (EPA) and target SPN validation, for certain old NTLM clients that send LMv2 challenge responses.

This attack allows attackers to use NTLM relay to successfully authenticate to critical servers such as OWA and ADFS and steal valuable user data.

Preempt Blog l DROP THE MIC 2: AD Open to More NTLM Attacks

Who is affected?

According to the researchers:

All Active Directory customers with default configurations are vulnerable to such attacks. Moreover, organizations which do not block LM responses and have clients which still send these default responses are vulnerable to targeted attacks on these clients to bypass additional NTLM protections. Despite Kerberos being the more prevalent authentication protocol in most organizations, NTLM is still enabled and thus abused by attackers to exploit the vulnerabilities that we have described above. 

Preempt Blog l DROP THE MIC 2: AD Open to More NTLM Attacks

Mitigation suggestions

The researchers provide the following recommendations to protect networks with devices impacted by these vulnerabilities:

1. Enforce NTLM mitigations. In order to be fully protected from NTLM relay attacks you will need to enable server signing and EPA on all relevant servers.

2. Patch! Make sure your systems are fully protected with the latest security updates.

3. Apply advanced NTLM relay detection and prevention techniques similar to the ones disclosed by Preempt in our Black Hat 2019 talk (a free encore presentation can be found here).

4. Some NTLM clients use weak NTLM variations (e.g., don’t send a MIC). This puts your network at a greater risk of being vulnerable to NTLM relay. Monitor NTLM traffic in your network and try to restrict insecure NTLM traffic.

5. Get rid of clients sending LM responses and set the GPO Network security: LAN Manager authentication level to refuse LM responses.

6. NTLM is not recommended to use in general as it poses some security concerns: NTLM relay, brute forcing, and other vulnerabilities. You can read about general NTLM risks here. As a rule of thumb: try to reduce NTLM usage in your network as much as possible.
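
As a defender-side illustration of recommendations 4 and 5 (an added example, not code from Preempt or from this post), the Python below parses an NTLM AUTHENTICATE message using the field layout in Microsoft's MS-NLMP specification and reports whether the client sent an LM/LMv2 response and whether it set the MIC-present bit in MsvAvFlags. The function names and both sample messages are constructed for the example.

```python
import struct

MSV_AV_EOL, MSV_AV_FLAGS = 0, 6   # AV_PAIR ids defined in MS-NLMP
MIC_PRESENT = 0x2                 # MsvAvFlags bit: client says it filled in the MIC

def _field(msg, pos):
    """Follow a (Len, MaxLen, BufferOffset) descriptor to the bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Return weak-variant indicators for one NTLM AUTHENTICATE_MESSAGE."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\0" or msg[8:12] != b"\x03\0\0\0":
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    lm, nt = _field(msg, 12), _field(msg, 20)
    # A 24-byte NT response is NTLMv1; NTLMv2 responses are longer.
    # An all-zero LM field means the client did not send an LM/LMv2 response.
    out = {"ntlmv2": len(nt) > 24, "lm_response_sent": any(lm), "mic_flag": False}
    pos = 44  # 16-byte proof + 28-byte client-challenge header, then AV_PAIRs
    while out["ntlmv2"] and pos + 4 <= len(nt):
        av_id, av_len = struct.unpack_from("<HH", nt, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4 and pos + 8 <= len(nt):
            flags = struct.unpack_from("<I", nt, pos + 4)[0]
            out["mic_flag"] = bool(flags & MIC_PRESENT)
        pos += 4 + av_len
    return out

def build_sample(lm, av_pairs):
    """Constructed message for the demo (not a capture); name fields are empty."""
    nt = b"\x11" * 16 + b"\x01\x01" + bytes(26) + av_pairs + bytes(4)
    head = b"NTLMSSP\0" + struct.pack("<I", 3)
    head += struct.pack("<HHI", len(lm), len(lm), 88)
    head += struct.pack("<HHI", len(nt), len(nt), 88 + len(lm))
    head += struct.pack("<HHI", 0, 0, 88) * 4   # domain, user, workstation, key
    head += bytes(4 + 8 + 16)                   # flags, version, MIC (zeroed)
    return head + lm + nt

# Constructed samples: a client that advertises a MIC and sends no LM response,
# and a legacy-style client that sends an LMv2 response and no MsvAvFlags pair.
MODERN = build_sample(bytes(24), struct.pack("<HHI", MSV_AV_FLAGS, 4, MIC_PRESENT))
LEGACY = build_sample(b"\xaa" * 24, b"")

if __name__ == "__main__":
    for name, sample in (("modern", MODERN), ("legacy", LEGACY)):
        print(name, classify_authenticate(sample))
```

A false `mic_flag` means only that the client did not advertise a MIC. Extracting the AUTHENTICATE blob from SMB, HTTP or LDAP traffic is outside this example.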

For more technical info, please refer to the post on Preempt's Blog.