More details have emerged about a security feature bypass vulnerability in Windows NT LAN Manager (NTLM) that was addressed by Microsoft as part of its monthly Patch Tuesday updates earlier this month.
The flaw, tracked as CVE-2021-1678 (CVSS score 4.3), was described as a “remotely exploitable” flaw found in a vulnerable component bound to the network stack, although exact details of the flaw remained unknown.
Now, according to researchers from CrowdStrike, the security bug, if left unpatched, could allow a bad actor to achieve remote code execution via an NTLM relay.
“This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine,” the researchers said in a Friday advisory.
NTLM relay attacks are a kind of man-in-the-middle (MitM) attack that typically permits attackers with access to a network to intercept legitimate authentication traffic between a client and a server and relay these validated authentication requests in order to access network services.
Successful exploits could also allow an adversary to remotely run code on a Windows machine or move laterally on the network to critical systems such as servers hosting domain controllers by reusing the NTLM credentials directed at the compromised server.
While such attacks can be thwarted by SMB and LDAP signing and turning on Enhanced Protection for Authentication (EPA), CVE-2021-1678 exploits a weakness in MSRPC (Microsoft Remote Procedure Call) that makes it vulnerable to a relay attack.
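As an added defender-side check (not from the article or from CrowdStrike), the PowerShell function below audits a Windows host for the relay mitigations named above: SMB signing on both client and server, and on domain controllers LDAP signing and LDAP channel binding (the EPA mechanism for LDAP). It reads the standard Windows policy registry locations; the MSRPC weakness in CVE-2021-1678 itself is closed only by the Microsoft patch, which this check does not verify.

```powershell
# Added example: audit a Windows host for the NTLM relay mitigations the article names.
# Registry paths are the standard policy locations; an absent value means the default
# (not enforced) applies. The LDAP checks are only meaningful on a domain controller.
function Get-NtlmRelayHardeningStatus {
    $checks = @(
        @{ Name     = 'SMB server signing required'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
           Value    = 'RequireSecuritySignature'; Expected = 1 },
        @{ Name     = 'SMB client signing required'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
           Value    = 'RequireSecuritySignature'; Expected = 1 },
        @{ Name     = 'LDAP server signing required (domain controllers only)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Value    = 'LDAPServerIntegrity'; Expected = 2 },
        @{ Name     = 'LDAP channel binding (EPA) always enforced (domain controllers only)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
           Value    = 'LdapEnforceChannelBinding'; Expected = 2 }
    )

    foreach ($c in $checks) {
        # Missing key or value -> $null, which we report as the default setting.
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value `
                   -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Expected = $c.Expected
            Enforced = ($actual -eq $c.Expected)
        }
    }
}

# Any row with Enforced = False is a setting a relay attack can still exploit.
Get-NtlmRelayHardeningStatus | Format-Table -AutoSize
```

These values are normally set through Group Policy rather than edited directly; run the function after policy refresh to confirm the policy actually landed on the host.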
[Source: The Hacker News / 1.23.]