RCE Vulnerabilities in NTLM Receive Patches

Delaware, USA – June 12, 2019 – Microsoft released monthly updates yesterday patching 88 vulnerabilities, 21 of which are critical. Among the patched vulnerabilities are CVE-2019-1040 and CVE-2019-1019 which affect Microsoft’s NTLM authentication protocol and their exploitation allow adversaries to bypass all major NTLM protection mechanisms on all Windows versions. Preempt researchers have published a report on these vulnerabilities and claim that vulnerabilities can help attackers to remotely execute code on any Windows system or authenticate to any HTTP server that supports Windows Integrated Authentication such as Exchange or ADFS. These vulnerabilities can also be exploited by attackers to move laterally across a corporate network. Researchers warn that to ensure security, you need not only install updates but also disable NTLM on all systems where it is not critical. They also recommend to enforce SMB and LDAP/S signing, block NTLMv1, and enforce EPA.

Microsoft Patch Tuesday also bring us updates for 4 zero-day vulnerabilities in Task Scheduler disclosed by SandboxEscaper who discovered and published exploits for them. Microsoft claims that in spite of the public availability of exploits, their use in real attacks was not detected. Among others, Microsoft patched three critical remote code execution vulnerabilities in Windows Hyper-V that allows adversaries to escape the virtual machine and run malware on the server. Windows systems need to be constantly monitored to detect malicious activity even by circumstantial evidence. You can use the Sysmon Framework rule pack to detect anomalies, suspicious events on Windows hosts, and gather SHA-256 hashes from every running executable: https://my.socprime.com/en/integrations/sysmon-framework-arcsight