'Devastating' flaw found in Windows' authentication system


Reefa

Security researcher @dfirblog has discovered what he calls a devastating flaw in Windows' Kerberos authentication system.


The flaw cannot be fixed and the only solution is to introduce and use Microsoft's Credential Guard program to prevent passwords from being stored in memory, according to his extensive blog post.


The flaw results from how the third-party authentication system creates secret keys: by using the password associated with a disabled username (krbtgt). That password is rarely changed, making it possible to bypass the authentication system altogether and allow an attacker to grant themselves admin privileges, as well as create secret passwords for existing users and new users that don't exist.


Although some of the entry points are time-limited – the system will seek to validate accounts after 20 minutes – because it is possible to create fake users without limit, it is possible to access a system incessantly.


Kerberos is a default authentication protocol in Windows networks and authentication clients and servers. A flaw in the system noticed last year, for example, would enable an attacker to compromise an entire network, including installing programs and deleting data. This flaw appears to be very similar.


Kerberos, or Cerberus, is a mythical three-headed dog that guarded the underworld. He was outfoxed a few times, sometimes through brute strength, but Orpheus managed to lull the fearsome dog to sleep by playing his lyre before sneaking past.

Access all areas

Dfirblog notes that the secret keys are generated to avoid having to send passwords across the network to authenticate users and are derived from user passwords and stored in memory.


But the secret keys are not salted and use the NT LAN Manager (NTLM) hash of the user as a key, so are relatively easily retrieved. The krbtgt user is created when the system is first installed and is inactive, so it can remain untouched on a system for years – providing ready access to a hacker.


The post then goes into some detail about what can be done once into the system, including adding new users, producing secret second passwords for existing users, and downloading files on the systems to review later.


Dfirblog notes: "Mitigation of most of these attacks is not possible, as this is simply how Kerberos works in the Windows environment ... For the most part, you need to focus on protecting privileged accounts at all costs, because this is what attackers are after and protecting everyone is not possible. The most effective mitigation at the moment seems to be Protected Users group and Credential Guard."


We have asked Microsoft for comment on the post.


theregister.co.uk

3 hours ago, vibranium said:

The sh*t just hit the fan! :o


More sh*t hit the fan... that's how it is.



It might get fixed in 10-15 years or you can fix it today by dumping windows.



They can fix it: if updating the system doesn't work, make a whole new default protocol or rewrite the existing Kerberos from scratch without the flaw. You can fix this by deleting accounts you don't use; if you don't want to delete the account, change the password on the account periodically. The most effective mitigation at the moment is the Protected Users group or using Credential Guard. Can't changing the default password of the krbtgt user periodically help stop this too?

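The article and the last reply both come down to three controls: how old the krbtgt password is, whether privileged accounts sit in Protected Users, and whether Credential Guard is running. The read-only audit below is an added example, not code from The Register article or from anyone in this thread; it assumes a domain-joined host with the ActiveDirectory (RSAT) module, and the 180-day threshold is an assumed policy value rather than a figure from the page.

```powershell
# Added example (not from the article or this thread): audit the mitigations
# discussed above. Assumes the ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory

$MaxKrbtgtAgeDays = 180   # assumed policy threshold, not a value from the page

function Get-KrbtgtPasswordAge {
    # Ticket-granting tickets are signed with a key derived from this account's
    # password, so its age is the age of the domain's TGT-signing key.
    $k = Get-ADUser -Identity 'krbtgt' -Properties PasswordLastSet
    return ((Get-Date) - $k.PasswordLastSet).Days
}

function Get-UnprotectedPrivilegedUsers {
    # Privileged users outside Protected Users still get NTLM, RC4/DES keys and
    # long-lived cached credentials on every host they log on to.
    $protected = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators' |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Where-Object { $_.objectClass -eq 'user' } |
        Select-Object -ExpandProperty SamAccountName -Unique
    return $privileged | Where-Object { $protected -notcontains $_ }
}

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning contains 1 when Credential Guard
    # is active on this host (2 would be HVCI).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    return ($dg.SecurityServicesRunning -contains 1)
}

$age = Get-KrbtgtPasswordAge
if ($age -gt $MaxKrbtgtAgeDays) {
    # Reset twice, waiting at least one maximum ticket lifetime between resets,
    # so tickets issued under the old key expire instead of breaking.
    Write-Warning "krbtgt password is $age days old (threshold $MaxKrbtgtAgeDays): schedule a double reset"
} else {
    Write-Output "krbtgt password age: $age days"
}

$unprotected = @(Get-UnprotectedPrivilegedUsers)
if ($unprotected.Count -gt 0) {
    Write-Warning ("Privileged accounts not in Protected Users: " + ($unprotected -join ', '))
}

if (-not (Test-CredentialGuardRunning)) {
    Write-Warning "Credential Guard is not running on $env:COMPUTERNAME"
}
```

Run it from an account that can read group membership; the Credential Guard check reports only on the host it runs on, so repeat it per machine that privileged users log on to.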

