MitM attack in Microsoft Windows NTLM MIC and NTLMv2 implementations

Published: 2019-10-09 | Updated: 2019-10-09
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE ID: CVE-2019-1166, CVE-2019-1338
CWE ID: CWE-300
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software: Windows, Windows Server
Vendor: Microsoft

Security Advisory

1) Man-in-the-Middle (MitM) attack

Severity: Medium

CVSSv3: 5.3 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-1166

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Description

The vulnerability allows a remote attacker to tamper with the NTLM exchange.

The vulnerability exists due to an insufficient integrity check on NTLM packets. A remote attacker positioned on the network path can modify flags in an NTLM packet without invalidating its signature and thereby bypass the NTLM MIC (Message Integrity Check) protection.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, 10 1607, 10 1703, 10 1709, 10 1803, 10 1809, 10 1903, RT 8.1

Windows Server: 1803, 1903, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1166

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Man-in-the-Middle (MitM) attack

Severity: Medium

CVSSv3: 5.3 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-1338

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Description

The vulnerability allows a remote attacker to tamper with the NTLMv2 exchange.

The vulnerability exists due to an insufficient integrity check on NTLMv2 packets when the client also sends LMv2 responses. A remote attacker with the ability to modify the NTLM exchange in transit can bypass the NTLMv2 protection and downgrade NTLM security features.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7

Windows Server: 2008, 2008 R2

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1338

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.