MitM attack in Microsoft Windows NTLM MIC and NTLMv2 implementations

Risk: Medium
Patch available: Yes
Number of vulnerabilities: 2
CVE-ID: CVE-2019-1166, CVE-2019-1338
CWE-ID: CWE-300
Exploitation vector: Local network
Public exploit: N/A
Vulnerable software: Windows (Operating systems & Components / Operating system); Windows Server (Operating systems & Components / Operating system)
Vendor: Microsoft

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU21684

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-1166

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to tamper with the NTLM exchange.

The vulnerability exists due to insufficient integrity checks on NTLM packets. A remote attacker can modify the flags of an NTLM packet without invalidating its signature and so bypass the NTLM MIC (Message Integrity Check) protection.
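
A defender-side consistency check for the MIC, added here as a worked example; it is not part of this bulletin and is not Microsoft's code. It assumes the MS-NLMP AUTHENTICATE_MESSAGE layout (MIC at offset 72, AV_PAIR list after the 44-byte NTLMv2 response prefix), infers MIC presence from the payload offsets (a heuristic, not the specification's own rule), and runs on a constructed message rather than captured traffic.

```python
import struct
# MS-NLMP constants: AUTHENTICATE_MESSAGE header layout and AV_PAIR ids
NTLMSSP_SIGNATURE, AUTHENTICATE = b"NTLMSSP\x00", 3
MIC_OFFSET, MIC_LEN = 72, 16          # MIC follows NegotiateFlags (60) and Version (64)
NTLMV2_AV_START = 44                  # NTProofStr (16) + fixed NTLMv2_CLIENT_CHALLENGE prefix (28)
MSV_AV_EOL, MSV_AV_FLAGS = 0x0000, 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002      # MsvAvFlags bit: "this message carries a MIC"

def parse_av_pairs(blob):
    """Walk an AV_PAIR list (AvId, AvLen, Value) up to MsvAvEOL; returns {AvId: value}."""
    pairs, pos = {}, 0
    while pos + 4 <= len(blob):
        av_id, av_len = struct.unpack_from("<HH", blob, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            return pairs
        pairs[av_id] = blob[pos:pos + av_len]
        pos += av_len
    raise ValueError("AV_PAIR list not terminated by MsvAvEOL")

def check_authenticate(msg):
    """Accept only when a non-zero MIC is carried AND MsvAvFlags claims one; anything else is rejected."""
    if msg[:8] != NTLMSSP_SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        raise ValueError("not an NTLM AUTHENTICATE_MESSAGE")
    # Six (Len, MaxLen, Offset) descriptors at offsets 12..52: LM, NT, domain, user, host, session key
    fields = [struct.unpack_from("<HHI", msg, off) for off in range(12, 60, 8)]
    # Heuristic (assumption): the MIC field exists only if every non-empty payload buffer starts at
    # or after offset 88, i.e. the fixed header is long enough to hold it.
    mic_present = min(f[2] for f in fields if f[0] > 0) >= MIC_OFFSET + MIC_LEN
    has_mic = mic_present and any(msg[MIC_OFFSET:MIC_OFFSET + MIC_LEN])
    nt_len, _, nt_off = fields[1]
    pairs = parse_av_pairs(msg[nt_off + NTLMV2_AV_START:nt_off + nt_len])
    claims_mic = bool(struct.unpack("<I", pairs.get(MSV_AV_FLAGS, b"\x00" * 4))[0] & AV_FLAG_MIC_PRESENT)
    return {"mic_present": has_mic, "flags_claim_mic": claims_mic, "accept": has_mic and claims_mic}

def build_authenticate(av_flags, include_mic=True):
    """Constructed minimal AUTHENTICATE_MESSAGE with an NTLMv2 response (test data, not real traffic)."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, av_flags) + struct.pack("<HH", MSV_AV_EOL, 0)
    nt_resp = (b"\x11" * 16 + bytes([1, 1]) + b"\x00" * 14        # NTProofStr, RespType/HiRespType, reserved+time
               + b"\x22" * 8 + b"\x00" * 4 + av + b"\x00" * 4)     # client challenge, reserved, AV_PAIRs, pad
    hdr_len = MIC_OFFSET + MIC_LEN if include_mic else MIC_OFFSET
    hdr = NTLMSSP_SIGNATURE + struct.pack("<I", AUTHENTICATE)
    hdr += struct.pack("<HHI", 24, 24, hdr_len)                          # LMv2 response buffer (zeros below)
    hdr += struct.pack("<HHI", len(nt_resp), len(nt_resp), hdr_len + 24) # NTLMv2 response buffer
    hdr += struct.pack("<HHI", 0, 0, hdr_len) * 4                        # empty domain/user/host/session key
    hdr += struct.pack("<I", 0) + b"\x00" * 8                            # NegotiateFlags, Version (arbitrary)
    if include_mic:
        hdr += b"\x33" * MIC_LEN                                         # placeholder MIC bytes
    return hdr + b"\x00" * 24 + nt_resp
```

Rejecting the inconsistent case (MIC bytes present but not claimed by MsvAvFlags, or the reverse) matters as much as rejecting the missing case, since the bulletin's point is that flags can be altered without the signature catching it.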

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7 - 10 1903 (10.0.18362.116)

Windows Server: 2008 - 2019 1903

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1166


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Man-in-the-Middle (MitM) attack

EUVDB-ID: #VU21685

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-1338

CWE-ID: CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

Exploit availability: No

Description

The vulnerability allows a remote attacker to tamper with the NTLMv2 exchange.

The vulnerability exists due to insufficient integrity checks on NTLMv2 packets when the client also sends LMv2 responses. A remote attacker able to modify the NTLM exchange can bypass the NTLMv2 protection and downgrade NTLM security features.

Mitigation

Install updates from the vendor's website.

Vulnerable software versions

Windows: 7

Windows Server: 2008 - 2008 R2

External links

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1338


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
