Windows Server 2008 through Windows Server 2012 R2 contain the CVE-2021-1678 vulnerability (NTLM Security Feature Bypass Vulnerability), but Microsoft has since patched it. Details about the vulnerability have now been published.
NTLM Security Feature Bypass Vulnerability CVE-2021-1678
The vulnerability CVE-2021-1678 (NTLM Security Feature Bypass Vulnerability) was announced by Microsoft on January 12, 2021. It is a vulnerability in the network stack that an attacker can abuse to bypass NTLM security features. However, Microsoft revealed few details, only that a user must assist in an attack for it to succeed. The CVSS 3.0 score was therefore only given as 4.3 / 3.8.
For Windows Server 2008 through Windows Server 2012 R2, there are security updates dated January 12, 2021, that should close this vulnerability. For Windows Server 2008/R2, note that these machines will only receive the security update if an ESU (Extended Security Updates) license has been purchased.
Vulnerability details disclosed
The Hacker News has picked up on this and reports that security researchers at CrowdStrike have disclosed more details about the vulnerability. To that end, they reverse engineered Microsoft's patch. In their search for vulnerable RPC interfaces that do not require any form of packet security, the security researchers found an interesting vulnerable interface: IRemoteWinspool, an RPC interface for remote management of printer spoolers.
The security researchers were looking for a way, via NTLM relay, to use an NTLM session from a sufficiently privileged user account to perform a sequence of RPC operations to achieve the desired effect. It appears that they have succeeded. They write: If the vulnerability is not patched, an attacker can attempt a remote code execution attack via an NTLM relay. The details can be found in the CrowdStrike security advisory: Security Advisory: MSRPC Printer Spooler Relay (CVE-2021-1678). So if you are running one of the mentioned servers, you should install the January 2021 security updates promptly.