Recently, a massive vulnerability has been found in Microsoft NTLM, which can result in RDP to the Microsoft NTLM Authentication Protocol.
The vulnerabilities found by Preempt researchers are as follows:
- Message Integrity Code (MIC) can be exploited by attackers, who can remove the MIC protection. As a result, they can modify any field in the NTLM protocol.
- SMB Session Signing can be exploited by attackers to gain access to the server as a privileged user and relay NTLM authentication requests to any server in the domain and network.
- Enhanced Protection for Authentication (EPA) can be exploited by attackers who modify the NTLM message so that they can generate legitimate channel binding information for the server.

To protect against these vulnerabilities:
- All system administrators need to patch all workstations and servers in order to protect themselves from the NTLM vulnerabilities.
- All system administrators need to reconfigure SMB Signing, LDAP/S Signing and EPA so that they are enforced; it is advisable to use the latest version of NTLM.
- All system administrators are advised to remove NTLM if it is not being used on the server.
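
The recommendation to enforce SMB Signing, LDAP/S Signing and EPA, and to use the latest NTLM version, can be checked on each host from the registry. The PowerShell below is an added example, not code from the original post or from Preempt. It reads the standard Windows registry values for these settings; the `Min` thresholds are this example's reading of "enforced", and EPA is checked only for LDAP on domain controllers.

```powershell
# Added example: audit local NTLM-relay hardening settings (read-only).
# Assumption: a missing NTDS\Parameters key means the host is not a domain controller.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$checks = @(
    @{ Setting = 'SMB server: signing required';          Path = "$svc\LanmanServer\Parameters";      Name = 'RequireSecuritySignature';  Min = 1 }
    @{ Setting = 'SMB client: signing required';          Path = "$svc\LanmanWorkstation\Parameters"; Name = 'RequireSecuritySignature';  Min = 1 }
    @{ Setting = 'LDAP client: signing required';         Path = "$svc\LDAP";                         Name = 'LDAPClientIntegrity';       Min = 2 }
    @{ Setting = 'LDAP server: signing required';         Path = "$svc\NTDS\Parameters";              Name = 'LDAPServerIntegrity';       Min = 2; DcOnly = $true }
    @{ Setting = 'LDAP server: channel binding (EPA)';    Path = "$svc\NTDS\Parameters";              Name = 'LdapEnforceChannelBinding'; Min = 2; DcOnly = $true }
    @{ Setting = 'NTLMv2 only, LM and NTLMv1 refused';    Path = $lsa;                                Name = 'LmCompatibilityLevel';      Min = 5 }
)

$results = foreach ($c in $checks) {
    $value = $null
    if ($c.DcOnly -and -not (Test-Path $c.Path)) {
        $status = 'N/A (not a DC)'
    } else {
        # Returns $null when the key or the value does not exist.
        $value = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        if ($null -eq $value) {
            # Unset means the OS default applies, which varies by Windows version.
            $status = 'NOT SET'
        } elseif ([int]$value -ge $c.Min) {
            $status = 'ENFORCED'
        } else {
            $status = 'WEAK'
        }
    }
    [pscustomobject]@{
        Setting  = $c.Setting
        Value    = $value
        Required = $c.Min
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code so the script can be used from a scheduled compliance job.
if ($results | Where-Object { $_.Status -in 'WEAK', 'NOT SET' }) { exit 1 }
```

Group Policy writes the same registry values, so a `WEAK` or `NOT SET` result on a domain-joined host usually points to a missing or unlinked policy rather than a local misconfiguration.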