Newly Disclosed Windows Vulnerability Is Remotely Exploitable, Researchers Explain
A security feature bypass vulnerability in Windows NT LAN Manager (NTLM), which Microsoft patched earlier this month in its monthly Patch Tuesday updates, has now been described in more detail. The vulnerability is tracked as CVE-2021-1678 and carries a CVSS (Common Vulnerability Scoring System) score of 4.3.
Although the precise details of the vulnerability have not been revealed, it is described as remotely exploitable and was found in an exploitable component of the network stack. Had the flaw remained unpatched, it could have allowed threat actors to perform an NTLM relay attack and achieve RCE (Remote Code Execution), the CrowdStrike researchers explained.
The CrowdStrike researchers stated: “On Patch Tuesday, January 12, 2021, Microsoft released a patch for CVE-2021-1678, an important vulnerability discovered by CrowdStrike researchers. This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine.”
NTLM relay attacks are a form of MitM (Man-in-the-Middle) attack: an attacker with access to the network intercepts genuine authenticated traffic between a client and a server, then relays those authenticated requests to gain access to network services.
An attacker who successfully exploits this vulnerability could achieve remote code execution on the Windows machine, and could also use the NTLM credentials that were relayed to the victim server to move laterally across the network and reach, for instance, servers hosting domain controllers. Such attacks can often be prevented by enabling EPA (Enhanced Protection for Authentication) or by requiring SMB (Server Message Block) and LDAP (Lightweight Directory Access Protocol) signing; CVE-2021-1678, however, exploits a weakness in MSRPC (Microsoft Remote Procedure Call) that makes the relay attack possible.
Specifically, the researchers found that IRemoteWinspool, an RPC interface for remote management of the printer spooler, could be used to run a series of RPC functions and write malicious files on the targeted machine using an intercepted NTLM session.
“The Windows update addresses this vulnerability by increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level,” says Microsoft in a post. In addition to installing the Windows update, Microsoft has asked customers to enable Enforcement mode, which will be switched on by default in a future update.
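A defender-side audit of the relay mitigations mentioned above (SMB and LDAP signing, plus the print spooler Enforcement mode introduced by the update), written as an added example rather than code from the article, CrowdStrike or Microsoft. It assumes an elevated PowerShell session on the host being audited; the SMB and LDAP registry values are standard Windows settings, while the Enforcement-mode value name is a labelled placeholder to be replaced with the name given in Microsoft's advisory for CVE-2021-1678. EPA is configured per service (for example in IIS) and is not covered here.

```powershell
# Added example (not from the article or from CrowdStrike/Microsoft): audit the
# NTLM-relay mitigations the article mentions on the local Windows host.
# Assumptions: elevated PowerShell on the host being audited; the Enforcement-mode
# value name below is a PLACEHOLDER, to be replaced with the value named in
# Microsoft's advisory for CVE-2021-1678.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
        return [int]$item.$Name
    } catch {
        return $null   # value absent: the Windows default applies
    }
}

$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
       Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (domain controllers only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Value = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'Print spooler RPC Enforcement mode (CVE-2021-1678)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
       Value = 'PLACEHOLDER_ENFORCEMENT_VALUE_NAME'; Expected = 1 }   # placeholder
)

# Report each setting as OK (matches the hardened value), NOT SET (default
# applies, so verify the platform default), or WEAK (explicitly relaxed).
foreach ($c in $checks) {
    $actual = Get-RegDword -Path $c.Path -Name $c.Value
    $state = if ($actual -eq $c.Expected) { 'OK' }
             elseif ($null -eq $actual) { 'NOT SET (default applies)' }
             else { 'WEAK' }
    [pscustomobject]@{ Check = $c.Name; Actual = $actual; Expected = $c.Expected; State = $state }
} | Format-Table -AutoSize
```

A NOT SET result is not automatically safe: on non-domain-controller hosts SMB server signing defaults to off, so treat it as a finding to confirm against group policy.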