Active Directory Open to More NTLM Attacks: Drop The MIC 2 (CVE-2019-1166) & Exploiting LMv2 Clients (CVE-2019-1338)
CVE-2019-1166: This vulnerability allows attackers to bypass the MIC (Message Integrity Code) protection on NTLM authentication and thereby modify any field in the NTLM message flow, including the signing requirement. This bypass allows attackers to relay authentication attempts that have successfully negotiated signing to another server, while tricking that server into ignoring the signing requirement entirely. All servers that do not enforce signing are vulnerable to this attack. This is the second MIC bypass vulnerability found by the Preempt team; the first one can be found here.
CVE-2019-1338: This vulnerability allows attackers to bypass the MIC protection, along with other NTLM relay mitigations such as Enhanced Protection for Authentication (EPA) and target SPN validation, for certain old NTLM clients that send LMv2 challenge responses. Using NTLM relay, attackers can then successfully authenticate to critical servers such as OWA and ADFS and steal valuable user data.
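Because the first bypass only works against servers that do not enforce signing, the practical defender's check is whether signing is actually required on each host. The PowerShell audit below is an added example, not code from the original advisory; it assumes it runs elevated on the Windows host being checked and reads the standard registry values for SMB server signing, LDAP server signing, and LDAP channel binding (the EPA mechanism for LDAPS).

```powershell
# Added audit script (not from the original advisory). Reads the registry
# values that control whether this host *requires* SMB and LDAP signing and
# LDAP channel binding. A missing value is reported as "not set", meaning the
# OS default applies rather than an explicit, enforced setting.
$checks = @(
    @{ Name = 'SMB server signing required'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'LDAP server signing required (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LDAPServerIntegrity'; Expected = 2 },
    @{ Name = 'LDAPS channel binding (EPA) always (DC only)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
       Key  = 'LdapEnforceChannelBinding'; Expected = 2 }
)

function Get-SigningPosture {
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            # Get-ItemProperty returns $null for the property if it is absent
            $actual = (Get-ItemProperty -Path $c.Path -Name $c.Key `
                -ErrorAction SilentlyContinue).($c.Key)
        }
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { 'not set (default)' } else { $actual }
            Expected = $c.Expected
            Enforced = ($actual -eq $c.Expected)   # $true only when explicitly required
        }
    }
}

# Any row with Enforced = False is a host that still accepts unsigned
# sessions and therefore remains exposed to the relay described above.
Get-SigningPosture | Format-Table -AutoSize
```

The NTDS values exist only on domain controllers; on a member server those two rows will show as not set, and only the SMB row is meaningful there.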