Microsoft issued a patch Tuesday for a serious privilege escalation vulnerability affecting all versions of Windows for enterprises released since 2007.
By exploiting it, an attacker who has compromised a single machine on a network can create a new administrator account for themselves and get control of the entire domain.
The vulnerability, assigned the identifier CVE-2017-8563, scores 7.5 on the Common Vulnerability Scoring System, meaning it is rated as “high” severity, the second highest rating after “critical.”
“The vulnerability is in the domain controller,” said Roman Blachman, CTO and co-founder of Preempt Security, whose researchers found the flaw in April and reported it to Microsoft.
In a video, Preempt researchers show how they can leverage it to exploit known weaknesses in some of the communications protocols included in Windows NT LAN Manager, or NTLM, and launch an attack technique known as credential relay.
The vulnerability, Preempt CEO Ajit Sancheti added, “can be exploited if the attacker has compromised a machine on the network and if an administrator account connects to it” using one of the vulnerable protocols, such as the Lightweight Directory Access Protocol (LDAP) or the Remote Desktop Protocol (RDP).
“Unfortunately, that is very common,” he said, noting that 60 percent of the company’s customers “have some kind of administrator account … for example for inventory management … that regularly pings every machine on the network.”
Because of the way NTLM’s challenge-response authentication works, the administrator’s connection to the compromised machine produces a temporary, hash-based credential. Easily available malware can relay that credential to the domain controller, where it can be used to create a new administrator account controlled by the attacker.
“We are not stealing the password,” explained Sancheti. “We are extracting the privileges.”
In the remaining 40 percent of enterprises, Sancheti said, it would be “harder” to exploit the vulnerability. An attacker might have to wait until a help-desk technician or other privileged user connected to the compromised machine using RDP.
Preempt is a 30-strong new startup based in San Francisco and Ramat Gan, Israel. Researchers at the company have focused on doing basic research on Active Directory and other Microsoft products, which is how they found the vulnerability, Sancheti said.
Microsoft has patched the LDAP vulnerability, but says the RDP one is a “known issue” best addressed through changes to network configuration.
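The defensive controls that decide whether an NTLM credential relayed to a domain controller is accepted for LDAP are the server’s LDAP signing and channel-binding requirements, and the domain controller can also log binds that arrive unsigned. The read-only audit script below is an added example written for this page; it is not Preempt’s or Microsoft’s code. It assumes it is run in an elevated PowerShell session on a domain controller. The registry locations are the documented Microsoft ones (`LDAPServerIntegrity`, `LdapEnforceChannelBinding`, `LDAPClientIntegrity`, `AuditReceivingNTLMTraffic`, and the NTDS `16 LDAP Interface Events` diagnostics level; `LdapEnforceChannelBinding` is the value introduced with the update for CVE-2017-8563); the “expected” values and the `Test-LdapRelayHardening` function name are this example’s own choices.

```powershell
# Added example (not the article's or Preempt's code): audit the domain-controller
# settings that govern whether relayed NTLM credentials are accepted over LDAP,
# and summarise recent unsigned-bind events from the Directory Service log.
# Run elevated on a domain controller. Registry paths/value names are Microsoft's
# documented ones; the recommended values below are this example's assumptions.

$NtdsParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LdapClient   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$LsaMsv       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-RegValue {
    # Returns the DWORD at $Path\$Name, or $null when the value is not set.
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-LdapRelayHardening {
    # Each check: where the value lives, what is set, and what this example
    # treats as the hardened setting. $null means "not configured" (default).
    $checks = @(
        @{ Name='LDAPServerIntegrity';      Path=$NtdsParams; Want=2
           Note='2 = DC requires LDAP signing (1 = negotiate, default)' },
        @{ Name='LdapEnforceChannelBinding'; Path=$NtdsParams; Want=2
           Note='2 = always enforce channel binding for LDAPS (added by the CVE-2017-8563 fix)' },
        @{ Name='LDAPClientIntegrity';      Path=$LdapClient; Want=2
           Note='2 = client requires signing when it binds (1 = negotiate, default)' },
        @{ Name='AuditReceivingNTLMTraffic'; Path=$LsaMsv;    Want=2
           Note='2 = audit all inbound NTLM authentication' },
        @{ Name='16 LDAP Interface Events'; Path=$NtdsDiag;   Want=2
           Note='2 = log event 2889 per client that binds unsigned' }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Setting  = $c.Name
            Actual   = if ($null -eq $actual) { 'not set' } else { $actual }
            Expected = $c.Want
            Hardened = ($actual -eq $c.Want)
            Note     = $c.Note
        }
    }
}

function Get-UnsignedLdapBindEvents {
    # 2887: daily summary count of unsigned/cleartext binds the DC accepted.
    # 2889: one event per client IP/account when the diagnostics level is 2.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n='Message'; e={ $_.Message -split "`n" | Select-Object -First 1 } }
}

Test-LdapRelayHardening | Format-Table -AutoSize
Get-UnsignedLdapBindEvents -Days 7 | Format-Table -AutoSize
```

Any row with `Hardened = False` means a relayed NTLM bind would still be accepted by that path; raising `LDAPServerIntegrity` to 2 is the server-side change that makes the LDAP relay described above fail, and the 2887/2889 events tell you which clients would break before you enforce it.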