
Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions


Jan 16, 2025 Ravie Lakshmanan Active Directory / Vulnerability


Cybersecurity researchers have found that the Microsoft Active Directory Group Policy designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration.

“A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications,” Silverfort researcher Dor Segal said in a report shared with The Hacker News.

NTLM is a still widely used mechanism, particularly in Windows environments, for authenticating users across a network. The legacy protocol, while not removed because of backward compatibility requirements, has been deprecated as of mid-2024.


Late last year, Microsoft officially removed NTLMv1 starting in Windows 11, version 24H2, and Windows Server 2025. While NTLMv2 introduces new mitigations that make relay attacks harder to carry out, the technology has been beset by several security weaknesses that have been actively exploited by threat actors to access sensitive data.

In exploiting these flaws, the idea is to coerce a victim into authenticating to an arbitrary endpoint, or to relay the authentication information against a susceptible target and perform malicious actions on behalf of the victim.

“The Group Policy mechanism is Microsoft’s solution to disable NTLMv1 across the network,” Segal explained. “The LMCompatibilityLevel registry key prevents the Domain Controllers from evaluating NTLMv1 messages and returns a wrong password error (0xC000006A) when authenticating with NTLMv1.”

However, Silverfort’s investigation found that it is possible to bypass the Group Policy and still use NTLMv1 authentication by taking advantage of a setting in the Netlogon Remote Protocol (MS-NRPC).

Specifically, it leverages a data structure called NETLOGON_LOGON_IDENTITY_INFO, which contains a field named ParameterControl that, in turn, has a configuration to “Allow NTLMv1 authentication (MS-NLMP) when only NTLMv2 (NTLM) is allowed.”

“This research shows on-prem applications can be configured to enable NTLMv1, negating the Highest Level of the Group Policy LAN Manager authentication level set in Active Directory,” Segal said.


“This means organizations think they’re doing the right thing by setting this group policy, but it’s still being bypassed by the misconfigured application.”

To mitigate the risk posed by NTLMv1, it is essential to enable audit logs for all NTLM authentication in the domain and keep an eye out for vulnerable applications that request clients to use NTLMv1 messages. It also goes without saying that organizations are advised to keep their systems up to date.
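As an added example (not from the article or from Silverfort), the following script illustrates the audit-log review step: it parses constructed Windows Security event 4624 records and flags logons whose negotiated package was NTLM V1, then counts them per originating host so the application that still requests NTLMv1 can be located. The field names follow the standard 4624 event layout; the records, hosts and account names are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample: three event 4624 records trimmed to the relevant fields.
# Not real log data. Records are separated by '---'.
SAMPLE_EVENTS = """\
EventID: 4624
Account Name: svc_legacyapp
Workstation Name: APP-SRV-01
Source Network Address: 10.0.0.25
Authentication Package: NTLM
Package Name (NTLM only): NTLM V1
---
EventID: 4624
Account Name: jdoe
Workstation Name: WS-117
Source Network Address: 10.0.0.88
Authentication Package: NTLM
Package Name (NTLM only): NTLM V2
---
EventID: 4624
Account Name: svc_legacyapp
Workstation Name: APP-SRV-01
Source Network Address: 10.0.0.25
Authentication Package: Kerberos
Package Name (NTLM only): -
"""

# One "Field: value" per line; the lazy match stops at the first colon so that
# field names containing parentheses, e.g. "Package Name (NTLM only)", survive.
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$", re.MULTILINE)

def parse_events(text):
    """Split the '---'-separated records into dicts, keeping only 4624 logons."""
    events = []
    for chunk in text.split("---"):
        fields = {k.strip(): v.strip() for k, v in FIELD_RE.findall(chunk)}
        if fields.get("EventID") == "4624":
            events.append(fields)
    return events

def find_ntlmv1_logons(events):
    """Return (account, workstation, source address) for every successful logon
    negotiated as NTLM V1. With LMCompatibilityLevel set to its highest level
    such a logon should not succeed, so each hit points at an application or
    host that is overriding the policy, as the article describes."""
    return [(e["Account Name"], e["Workstation Name"], e["Source Network Address"])
            for e in events
            if e.get("Authentication Package") == "NTLM"
            and e.get("Package Name (NTLM only)", "").upper() == "NTLM V1"]

def ntlmv1_sources(events):
    """Count NTLMv1 logons per originating workstation to prioritise remediation."""
    return Counter(ws for _, ws, _ in find_ntlmv1_logons(events))
```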

The latest findings follow a report from security researcher Haifei Li about a “zero-day behavior” in PDF artifacts found in the wild that could leak local net-NTLM information when they are opened with Adobe Reader or Foxit PDF Reader under certain conditions. Foxit Software has addressed the issue with version 2024.4 for Windows.

The disclosure also comes as HN Security researcher Alessandro Iandoli detailed how various security features in Windows 11 (prior to version 24H2) could be bypassed to achieve arbitrary code execution at the kernel level.
