Man
Professional
How a fallback protocol has become a major security threat.
Akamai has discovered a vulnerability in the MS-RPC client that could allow an NTLM Relay attack. RPC is an important element of Windows, supporting a variety of services. Despite the security measures in place, some components remain vulnerable to attack.
The privilege escalation issue, CVE-2024-43532 (CVSS score: 8.8), stems from the use of legacy transport protocols in the WinReg client's fallback mechanism. If the SMB transport becomes unavailable, the client falls back to insecure transports, which allows attackers to relay the client's NTLM authentication (an NTLM Relay attack).
Exploitation of the bug allows the client's NTLM authentication data to be intercepted and redirected to Active Directory Certificate Services (ADCS), which allows hackers to request a user certificate for further authentication in the domain. As a result, new domain-level privileged accounts can be created, allowing for long-term control over the system.
The vulnerability affects all versions of Windows without a corresponding update. Microsoft fixed the problem in October 2024 as part of Patch Tuesday, following a responsible disclosure of the vulnerability by researchers in February 2024.
The issue lies in the BaseBindToMachine function in advapi32.dll. In some cases, the function binds with the insecure RPC_C_AUTHN_LEVEL_CONNECT authentication level, which allows attackers to perform a Machine-in-the-Middle attack. If the primary SMB transport is unavailable, the client switches to TCP/IP and other protocols, which opens the door to interception of the authentication exchange.
Attackers can use tools such as ntlmrelayx to intercept and relay the authentication data. In particular, the vulnerability allows an attacker to interact with ADCS, request certificates, and use them for subsequent authentication in the domain.
As a security measure, we recommend that you install the Microsoft October update immediately and audit Remote Registry usage on your network. To identify vulnerable clients, you can use YARA rules that flag calls to the RegConnectRegistry functions from advapi32.dll.
In addition, experts advise disabling the Remote Registry service if it is not in use, and setting up segmentation rules for traffic entering this service. Monitoring RPC traffic with Event Tracing for Windows (ETW) can also help identify suspicious activity and prevent attacks.
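The following YARA rule is an added example in the spirit of the audit advice above; it is not from the article or from Akamai. It assumes YARA's pe module is available and flags PE files that import RegConnectRegistry* from advapi32.dll, or that carry those function names as plain strings (runtime resolution via GetProcAddress). A hit only marks a binary as a WinReg client worth auditing, not as exploitable.

```yara
import "pe"

rule WinReg_Client_RegConnectRegistry_Audit
{
    meta:
        description = "Flags PE files that use RegConnectRegistry* (WinReg clients to audit in the context of CVE-2024-43532)"
        note        = "Added example rule, not from the original article; a match is an audit lead, not proof of vulnerability"

    strings:
        // Function names resolved at runtime via GetProcAddress do not show
        // up in the import table, but the name strings usually remain.
        $s1 = "RegConnectRegistryA" ascii
        $s2 = "RegConnectRegistryW" ascii
        $s3 = "RegConnectRegistryExA" ascii
        $s4 = "RegConnectRegistryExW" ascii

    condition:
        // MZ header: only consider PE files
        uint16(0) == 0x5A4D and
        (
            // Static imports from advapi32.dll
            pe.imports("advapi32.dll", "RegConnectRegistryA") or
            pe.imports("advapi32.dll", "RegConnectRegistryW") or
            pe.imports("advapi32.dll", "RegConnectRegistryExA") or
            pe.imports("advapi32.dll", "RegConnectRegistryExW") or
            // Dynamically resolved names
            any of ($s*)
        )
}
```

Run it across the binaries and scheduled tasks on hosts that are allowed to reach Remote Registry; every match is a client whose need for the service, and patch status, should be confirmed.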