Preempt Uncovers Vulnerabilities in Microsoft Windows' NTLM Security Protocol


SAN FRANCISCO, CA--(Marketwired - Jul 11, 2017) - Preempt, pioneer of the industry's first behavioral firewall, today announced its research team has uncovered two vulnerabilities within the Microsoft Windows NT LAN Manager (NTLM) security protocols. One vulnerability includes unprotected Lightweight Directory Access Protocol (LDAP) from NTLM relay, and the second discovery impacts Remote Desktop Protocol (RDP) Restricted-Admin mode. The identified vulnerabilities can result in unauthorized credential use, risk of password cracking and potentially domain compromise.
In April 2017, the Preempt research team -- led by CTO and Co-founder Roman Blachman, with Yaron Zinar and Eyal Karni -- reported two vulnerabilities on two different protocols handling NTLM, the suite of Microsoft security protocols that enables authentication, integrity and confidentiality for users. These vulnerabilities highlight the risk of NTLM running on Microsoft Windows.

"Today's threat landscape continues to expand, highlighting weaknesses in existing security protocols, and these two vulnerabilities are no different," said Ajit Sancheti, CEO and co-founder of Preempt. "NTLM puts organizations and individuals at risk of credential forwarding and password cracking, and ultimately, illustrates why organizations must remain vigilant and ensure that their deployments are secure, especially when using legacy protocols like NTLM."

Vulnerability 1: LDAP Relay (CVE-2017-8563)

  • LDAP signing protects against both Man-in-the-Middle (MitM) attacks and credential forwarding, but with this vulnerability, it does not protect against credential forwarding. As such, Windows protocols use the Windows Authentication API (SSPI), which allows downgrade of an authentication session to NTLM. As a result, every connection to an infected machine (SMB, WMI, SQL, HTTP) with a domain admin would result in the attacker creating a domain admin account and gaining full control over the attacked network.

Vulnerability 2: RDP Relay

  • RDP Restricted-Admin Mode allows users to connect to a remote machine without volunteering their password to the remote machine that might be compromised. As a result, every attack performed with NTLM, such as credential relaying and password cracking, could be carried out against RDP Restricted-Admin.

Each time an admin connects with protocols such as RDP Restricted-Admin, HTTP or File Share (SMB), an attacker could potentially create a rogue domain admin, demonstrating the significance of these findings in the NTLM security protocol.

As of July 11, 2017, Microsoft has issued a patch per Preempt's responsible disclosure of the LDAP Relay vulnerability. To see more details on the reported risks, please visit Preempt's blog here.

Additional Video Resources:

About Preempt
Preempt protects organizations from insider threats by responding in real-time to suspicious behavior in order to stop malicious threats and validate legitimate activities. Preempt's adaptive and policy-based approach ensures that proper level of response is used based on the type and severity of threat. This proactive approach allows organizations to eliminate their insider threat problem and maintain business continuity without engaging already overwhelmed security teams. The company is headquartered in San Francisco, CA. Learn more about us at www.preempt.com.

All product names, logos, and brands are property of their respective owners.

Contact Information:

Media Contact
Jim Dvorak
Kulesa Faul for Preempt
(415) 735-1622