Critical Active Directory Design Flaw Could Compromise User Passwords
Microsoft is downplaying the disclosure and has offered multiple ways IT can avoid attack.
A recently disclosed flaw in Active Directory could allow an attacker to bypass security measures in a system to change users' passwords.
In a detailed report by Israeli-based security firm Aorato on Tuesday, the flaw is considered severe by the firm due to the widespread enterprise use of Active Directory, including in 95 percent of all Fortune 1000 companies.
The issue stems from Active Directory enabling the authentication protocol called NTLM. While Microsoft has moved away from the protocol in recent years in favor of the Kerberos security packet, AD still enables the older protocol by default.
"Since this authentication component is known to be a security hazard which leads to identity theft attacks, through the notorious Pass-the-Hash (PtH) attack, protections have been placed to prevent its misuse," wrote Tal Be'ery, vice president of research for Aorato, in a blog post. "For example, many enterprises try to limit the use Active Directory's older -- yet still enabled by default -- authentication protocol (i.e. NTLM)."
Be'ery continued by saying that attackers could force a targeted system's AD to authenticate their NTLM hash and issue valid RC4-HMAC-MD5-encrypted Kerberos tokens, which could be used to access restricted services of a system, including access to user identity (including password management). This could be accomplished by using one of many readily available free penetration tools like WCE or Mimkatz.
According to the firm, Microsoft has been alerted to the issue, but responded by declaring the issue to be a "limited" design flaw that cannot be fixed and is already a well-known issue.
"This is a well-known industry limitation in the Kerberos Network Authentication Service standard," the company said in a released statement. "Information on how to manage this limitation when using Windows can be found on the Microsoft TechNet site."
In the TechNet article, which was published online days before Aorato released its threat assessment, Microsoft outlined three different ways to avoid attack:
- Configure user accounts to require smart card login for interaction, limiting an account to only be accessed by the valid smart card user.
- Disable RC4 support for Kerberos on all domains.
- Deploy domains in Windows Server 2012 R2 and designate authorized users be included in the Protected Users security group.
Many security experts agree with Microsoft over the severity of the issue. "It does not seem to be as serious as pictured since the conditions where an actual attack can happen are very complex," said Ehsan Foroughi, director of research at Security Compass, to Computerworld.
In what looks to be purely coincidental, The New York Times reported on Wednesday that Microsoft is currently in active negations to buy Aorato for an estimated $200 million. The security firm specializes in software used to monitor enterprise central communication components.