Security News > 2021 > January > CrowdStrike Discloses Details of Recently Patched Windows NTLM Vulnerability
One of the vulnerabilities that Microsoft addressed on January 2021 Patch Tuesday could allow an attacker to relay NTLM authentication sessions and then execute code remotely, using a printer spooler MSRPC interface.
Tracked as CVE-2021-1678, the vulnerability has been described by Microsoft as an NT LAN Manager security feature bypass, and is rated important for all affected Windows versions, namely, Windows Server, Server 2012 R2, Server 2008, Server 2016, Server 2019, RT 8.1, 8.1, 7, and 10.
In a blog post detailing the issue, CrowdStrike explains that NTLM relay attack methods are not uncommon, and that relaying NTLM authentications to another protocol is possible when required protections are not present.
Thus, an attacker able to establish an NTLM session with a target machine can bind to the IRemoteWinspool interface and select the weak authentication level, relay the NTLM authentication to the attacker's machine, and then execute RPC commands.
Microsoft patched the issue by adding appropriate checks to ensure that the authentication level of the client is not weak, and to reject calls in case it is.
"The Windows update addresses this vulnerability by increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level," Microsoft notes in a support article.
News URL
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-12 | CVE-2021-1678 | Unspecified vulnerability in Microsoft products Windows Print Spooler Spoofing Vulnerability | 8.8 |