Cybersecurity researchers have discovered that the Microsoft Lively Listing Group Coverage that is designed to disable NT LAN Supervisor (NTLM) v1 will be trivially bypassed by a misconfiguration.
“A easy misconfiguration in on-premise purposes can override the Group Coverage, successfully negating the Group Coverage designed to cease NTLMv1 authentications,” Silverfort researcher Dor Segal stated in a report shared with The Hacker Information.
NTLM is a nonetheless extensively used mechanism significantly in Home windows environments to authenticate customers throughout a community. The legacy protocol, whereas not eliminated because of backward compatibility necessities, has been deprecated as of mid 2024.
Late final yr, Microsoft formally eliminated NTLMv1 beginning in Home windows 11, model 24H2, and Home windows Server 2025. Whereas NTLMv2 introduces new mitigations to make it more durable to carry out relay assaults, the know-how has been besieged by a number of safety weaknesses which were actively exploited by menace actors to entry delicate information.
In exploiting these flaws, the thought is to coerce a sufferer to authenticate to an arbitrary endpoint, or relay the authentication info in opposition to a prone goal and carry out malicious actions on behalf of the sufferer.
“The Group Coverage mechanism is Microsoft’s answer to disable NTLMv1 throughout the community,” Segal defined. “The LMCompatibilityLevel registry key prevents the Area Controllers from evaluating NTLMv1 messages and returns a mistaken password error (0xC000006A) when authenticating with NTLMv1.”
Nevertheless, Silverfort’s investigation discovered that it is potential to bypass the Group Coverage and nonetheless use NTLMv1 authentication by making the most of a setting within the Netlogon Distant Protocol (MS-NRPC).
Particularly, it leverages a information construction known as NETLOGON_LOGON_IDENTITY_INFO, which comprises a area named ParameterControl that, in flip, has a configuration to “Permit NTLMv1 authentication (MS-NLMP) when solely NTLMv2 (NTLM) is allowed.”
“This analysis reveals on-prem purposes will be configured to allow NTLMv1, negating the Highest Degree of the Group Coverage LAN Supervisor authentication stage set in Lively Listing,” Segal stated.
“That means, organizations assume they’re doing the proper factor by setting this group coverage, nevertheless it’s nonetheless being bypassed by the misconfigured software.”
To mitigate the danger posed by NTLMv1, it is important to allow audit logs for all NTLM authentication within the area and preserve a watch out for susceptible purposes that request purchasers to make use of NTLMv1 messages. It additionally goes with out saying that organizations are really helpful to maintain their techniques up-to-date.
The newest findings observe a report from safety researcher Haifei Li a couple of “zero-day conduct” in PDF artifacts uncovered within the wild that might leak native net-NTLM info when they’re opened with Adobe Reader or Foxit PDF Reader below sure situations. Foxit Software program has addressed the problem with model 2024.4 for Home windows.
The disclosure additionally comes as HN Safety researcher Alessandro Iandoli detailed how varied security measures in Home windows 11 (previous to model 24H2) may very well be bypassed to attain arbitrary code execution on the kernel stage.
