Experts Talk About RCE Vulnerability in Windows NT LAN Manager

Security researchers have discussed a security feature bypass vulnerability in Windows NT LAN Manager (NTLM). The flaw, tracked as CVE-2021-1678, lies in a component of the network stack and can be exploited remotely. According to researchers at CrowdStrike, an attacker could leverage it to execute code remotely via NTLM relay.

“The vulnerability allows an attacker to relay NTLM authentication sessions to a specific computer and use the MSRPC interface of the printer's spooler to remotely execute code,” the experts explained.

NTLM relay attacks are a kind of man-in-the-middle (MitM) attack in which an attacker with network access intercepts legitimate authentication traffic between a client and a server and relays the authenticated requests to gain access to network services.

Successful exploitation also allows an attacker to run code remotely on a Windows machine or to move laterally across the network to critical systems, such as domain controllers, by reusing NTLM credentials.
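The relay pattern described above leaves a trace on the target: the NTLM authentication message still carries the workstation name of the victim client, while the TCP connection arrives from the attacker's address. The script below, an added example written for this article and not code from CrowdStrike or Microsoft, runs that mismatch check over a handful of constructed Security event 4624 records (logon type 3, authentication package NTLM) against an assumed hostname-to-IP inventory that a defender would normally populate from DHCP, DNS or asset data.

```python
"""Flag NTLM network logons whose claimed workstation name does not match the
source address they arrived from, a classic indicator of NTLM relay.

Added example for this article. The events below are constructed, not real
telemetry, and INVENTORY is an assumed input you would build from your own
DHCP/DNS/asset records.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    """Fields lifted from a Windows Security event 4624 (successful logon)."""
    event_id: int
    logon_type: int      # 3 = network logon
    auth_package: str    # "NTLM" or "Kerberos"
    account: str
    workstation: str     # name the client placed in the NTLM AUTHENTICATE message
    source_ip: str       # peer address the target actually saw
    target_host: str


# Constructed inventory: the IP each known workstation is expected to use.
INVENTORY = {
    "WS-ALICE": "10.0.1.20",
    "WS-BOB": "10.0.1.21",
    "FILESRV01": "10.0.2.5",
}

# Constructed sample events.
SAMPLE_EVENTS = [
    LogonEvent(4624, 3, "NTLM", "CORP\\alice", "WS-ALICE", "10.0.1.20", "FILESRV01"),   # benign
    LogonEvent(4624, 3, "Kerberos", "CORP\\bob", "WS-BOB", "10.0.1.21", "FILESRV01"),  # Kerberos, out of scope
    LogonEvent(4624, 3, "NTLM", "CORP\\alice", "WS-ALICE", "10.0.9.77", "DC01"),       # claims WS-ALICE, arrives from elsewhere
    LogonEvent(4624, 2, "NTLM", "CORP\\bob", "WS-BOB", "10.0.1.21", "WS-BOB"),         # interactive logon, out of scope
    LogonEvent(4624, 3, "NTLM", "CORP\\svc_print", "UNKNOWNPC", "10.0.3.3", "FILESRV01"),  # workstation not in inventory
]


def relay_candidates(events, inventory):
    """Return (suspicious, unknown) lists of events.

    Heuristic: a network logon (type 3) over NTLM whose workstation name is in
    the inventory but whose source IP differs from the expected one is flagged
    as suspicious. Names missing from the inventory are returned separately so
    they can be triaged rather than silently ignored.
    """
    suspicious, unknown = [], []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3 or ev.auth_package.upper() != "NTLM":
            continue
        expected_ip = inventory.get(ev.workstation.upper())
        if expected_ip is None:
            unknown.append(ev)
        elif expected_ip != ev.source_ip:
            suspicious.append(ev)
    return suspicious, unknown


def summarize(events, inventory):
    """Flatten the detection result into plain tuples for reporting or testing."""
    suspicious, unknown = relay_candidates(events, inventory)
    return {
        "suspicious": [(e.account, e.workstation, e.source_ip, e.target_host) for e in suspicious],
        "unknown_workstation": [(e.account, e.workstation, e.source_ip) for e in unknown],
    }


if __name__ == "__main__":
    for key, rows in summarize(SAMPLE_EVENTS, INVENTORY).items():
        print(key)
        for row in rows:
            print("  ", row)
```

The workstation field is supplied by the client, so the check is a triage signal rather than proof: a relay tool can rewrite it, and VPN or NAT egress can produce honest mismatches. Pair it with inventory freshness checks and treat hits against domain controllers or print servers as the first ones to investigate.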

Specifically, the researchers found that IRemoteWinspool, an RPC interface for remotely managing the print spooler, can be used to perform a number of RPC operations and to write arbitrary files to a computer using an intercepted NTLM session.

Microsoft said it has addressed the vulnerability by "increasing the RPC authentication level and introducing a new policy and registry key to allow clients to disable or enable server-side enforcement to increase authentication levels."
