Microsoft has released new guidance to organizations on how to mitigate NTLM relay attacks by default, days after researchers reported discovering an NTLM hash disclosure zero-day in all versions of Windows Workstation and Server, from Windows 7 to current Windows 11 versions.
However, it was not immediately clear whether the two developments are related or purely coincidental in timing. In any event, the bug, which does not yet have a CVE or CVSS score, is not expected to be patched for months.
Windows NTLM Zero-Day Allows Credential Theft
Researchers from ACROS Security reported discovering a zero-day bug in all supported Windows versions. The bug allows an attacker to capture a user's NTLM credentials simply by getting the user to view a malicious file via the Windows Explorer file management utility.
"Opening a shared folder or USB disk with such file or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page" is all it takes for credential compromise, Mitja Kolsek, CEO of ACROS Security, wrote in a blog post.
ACROS said it would not release any further information on the bug until Microsoft has a fix for it. But Kolsek tells Dark Reading that an attacker's ability to exploit the bug depends on various factors.
"It's not easy to find where the issue is exploitable without actually trying to exploit it," he explains. Microsoft has assessed the vulnerability as being of moderate or "Important" severity, a designation that is one notch lower than "Critical" severity bugs. The company plans to issue a fix for it in April, Kolsek says.
In an emailed comment, a Microsoft spokesman said the company is "aware of the report and will take action as needed to help keep customers protected."
The bug is the second NTLM credential leak zero-day that ACROS has reported to Microsoft since October. The previous one involved a Windows Themes spoofing issue and gave attackers a way to coerce victim devices into sending NTLM authentication hashes to attacker-controlled devices. Microsoft has not yet issued a patch for that bug either.
The bugs are among several NTLM-related issues that have surfaced in recent years, including PetitPotam, DFSCoerce, PrinterBug/SpoolSample, and, recently, one affecting the open source policy enforcement engine.
Legacy Protocol Risks
Windows NTLM (NT LAN Manager) is a legacy authentication protocol that Microsoft includes in modern Windows for backward compatibility purposes. Attackers have frequently targeted weaknesses in the protocol to intercept authentication requests and forward, or "relay," them to access other servers or services to which the original users have access.
In its advisory this week, Microsoft described NTLM relaying as a "popular attack method used by threat actors that allows for identity compromise." The attacks involve coercing a victim to authenticate to an attacker-controlled endpoint and relaying the authentication against a vulnerable target server or service. The advisory pointed to vulnerabilities that attackers have used previously, such as CVE-2023-23397 in Outlook and CVE-2021-36942 in Windows LSA, to exploit services that lack protections against NTLM relaying attacks.
In response to such attacks, Microsoft has updated earlier guidance on how to enable Extended Protection for Authentication (EPA) by default on LDAP, AD CS, and Exchange Server, the company said. The latest Windows Server 2025 ships with EPA enabled by default for both AD CS and LDAP.
The advisory highlighted the need for organizations to enable EPA in particular for Exchange Server, given the "unique role that Exchange Server plays in the NTLM threat landscape." The company pointed to CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563 as examples of recent vulnerabilities that attackers have exploited for NTLM coercion purposes. "Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them," the company says.
Kolsek says it's unclear whether Microsoft's advice for protecting against NTLM attacks has anything to do with his recent bug disclosure. "[But] if possible, follow Microsoft's recommendations on mitigating NTLM-related vulnerabilities," he says. "If not, consider 0patch," he adds, referring to the free micropatches that his company provides for vulnerabilities, especially in older and no longer supported software products.
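The two paragraphs above describe Microsoft's guidance in general terms (enable EPA on LDAP and AD CS, and on Exchange). As an added example that is not part of the article or of Microsoft's own tooling, the following PowerShell script audits the settings on a domain controller or AD CS web host that decide whether a relayed NTLM authentication is accepted: the documented LDAP channel binding and LDAP signing registry values under the NTDS service key, and the IIS extended-protection setting of the CertSrv application. The CertSrv site path ('IIS:\Sites\Default Web Site\CertSrv') is an assumption about the installation; everything else is read from the host, and nothing is changed.

```powershell
# Added audit example (not from the article or from Microsoft). Reads the
# EPA / channel-binding controls that block NTLM relay against LDAP and AD CS
# and reports which ones are still in the relay-friendly state. Run elevated.

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
# Assumption: AD CS web enrollment lives under the default site.
$certSrvPath = 'IIS:\Sites\Default Web Site\CertSrv'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # value absent: defaults apply
    return [int]$item.$Name
}

function Test-LdapChannelBinding {
    # LdapEnforceChannelBinding: 0 = never, 1 = when supported, 2 = always.
    # Only 2 rejects a relayed LDAPS bind whose channel binding token does
    # not match the TLS session the attacker opened.
    $v = Get-RegDword -Path $ntdsKey -Name 'LdapEnforceChannelBinding'
    [pscustomobject]@{
        Control  = 'LDAP channel binding (EPA)'
        Value    = if ($null -eq $v) { 'not set (defaults to 0 on older builds)' } else { $v }
        Hardened = ($v -eq 2)
        Fix      = "Set $ntdsKey\LdapEnforceChannelBinding = 2 (DWORD)"
    }
}

function Test-LdapSigning {
    # LDAPServerIntegrity: 1 = none, 2 = require signing. Signing stops a
    # relayed plain-LDAP session because the attacker lacks the session key.
    $v = Get-RegDword -Path $ntdsKey -Name 'LDAPServerIntegrity'
    [pscustomobject]@{
        Control  = 'LDAP server signing'
        Value    = if ($null -eq $v) { 'not set (defaults to 1)' } else { $v }
        Hardened = ($v -eq 2)
        Fix      = "Set $ntdsKey\LDAPServerIntegrity = 2 (DWORD)"
    }
}

function Test-AdcsExtendedProtection {
    # CertSrv windowsAuthentication/extendedProtection tokenChecking:
    # None / Allow / Require. Require is the hardened state.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return $null }
    Import-Module WebAdministration -ErrorAction SilentlyContinue
    $prop = Get-WebConfigurationProperty -PSPath $certSrvPath `
        -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' `
        -Name 'tokenChecking' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return $null }   # no CertSrv app on this host
    $val = if ($prop -is [string]) { $prop } else { [string]$prop.Value }
    [pscustomobject]@{
        Control  = 'AD CS web enrollment EPA'
        Value    = $val
        Hardened = ($val -eq 'Require')
        Fix      = "Set tokenChecking = Require on $certSrvPath"
    }
}

function Get-NtlmRelayPosture {
    # Collects the checks that apply to this host; $null entries are skipped.
    $rows = @(Test-LdapChannelBinding; Test-LdapSigning; Test-AdcsExtendedProtection) |
        Where-Object { $null -ne $_ }
    return $rows
}

$posture = Get-NtlmRelayPosture
$posture | Format-Table Control, Value, Hardened -AutoSize
$posture | Where-Object { -not $_.Hardened } | ForEach-Object {
    Write-Warning "$($_.Control): $($_.Fix)"
}
```

The registry checks only tell you what the host enforces; whether clients can cope with signing and channel binding is a separate question, which is why Microsoft's guidance has long paired enforcement with an audit phase first. Exchange is not covered by this script because its EPA rollout is driven through the ExchangeExtendedProtectionManagement.ps1 script that Microsoft publishes, which checks prerequisites that a registry read cannot.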