MitM attack in Microsoft Windows NTLM MIC and NTLMv2 implementations

Published: 2019-10-09

Severity	Medium
Patch available	YES
Number of vulnerabilities	2
CVE ID	CVE-2019-1166 CVE-2019-1338
CWE ID	CWE-300
Exploitation vector	Local network
Public exploit	N/A
Vulnerable software Subscribe	Windows Operating systems & Components / Operating system Windows Server Operating systems & Components / Operating system
Vendor	Microsoft

Security Advisory

1) Man-in-the-Middle (MitM) attack

Severity: Medium

CVSSv3: 5.3 [CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2019-1166

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Description

The vulnerability allows a remote attacker to tamper with the NTLM exchange.

The vulnerability exists due to insufficient integrity check for NTLM packets. A remote attacker can modify flags of the NTLM packet without invalidating the signature and bypass the NTLM MIC (Message Integrity Check) protection.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Windows: 7, 8.1, 10, 10 1607, 10 1703, 10 1709, 10 1803, 10 1809, 10 1903, RT 8.1

Windows Server: 1803, 1903, 2008, 2008 R2, 2012, 2012 R2, 2016, 2019

CPE

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1166

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Man-in-the-Middle (MitM) attack