Microsoft's widely used software for brokering network access has a critical design flaw, an Israeli security firm said, but Microsoft contends the issue has been long-known and defenses are in place.
Aorato used public information to craft a proof-of-concept attack that shows how an attacker can change a person's network password, potentially allowing access to other sensitive systems, said Tal Be'ery, its vice president of research.
[ It's time to rethink security. Two former CIOs show you how to rething your security strategy for today's world. Bonus: Available in PDF and e-book versions. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
"The dire consequences we are discussing -- that an attacker can change the password -- was definitely not known," said Be'ery in a phone interview Tuesday.
About 95 percent of Fortune 500 companies use Active Directory, making the problem "highly sensitive," Aorato wrote on its blog.
The company's research focuses on NTLM, an authentication protocol that Microsoft has been trying to phase out for years. All Windows versions older than Windows XP SP3 used NTLM as a default, and newer Windows versions are compatible with it in combination with its successor, Kerberos.
NTLM is vulnerable to a so-called "pass-the-hash" attack in which an attacker obtains the login credentials for a computer and can use the mathematical representation of those credentials -- called a hash -- to access other services or computers.
It's one of the most popular kinds of attacks since a computer that may not be valuable for the data it stores on its own could enable access to a more sensitive system. U.S.-based retailer Target fell victim to this kind of lateral movement that led to a data breach after hackers gained access to its network via a supplier.
The pass-the-hash attack is a long-known weakness around single sign-on systems (SSO), since the hash must be stored somewhere on a system for some amount of time. Other operating systems that accommodate SSO are also affected by the threat.
Disabling SSO would solve the problem, but it would also mean that users on a network would have to repeatedly enter their password in order to access other systems, which is inconvenient.
"It's a trade-off," Be'ery said.
Aorato contends that an attacker can snatch an NTLM hash using publicly available penetration testing tools such as WCE or Mimikatz. It built a proof-of-concept tool that shows how attackers can then change a user's password to an arbitrary one and access other services such as RDP (remote desktop protocol) or the Outlook web application.
Although some enterprises try to limit the use of the NTLM protocol in favor of Kerberos, an attacker can force a client to authenticate to Active Directory using a weaker encryption protocol, RC4-HMAC, that uses the NTLM hash. That NTLM hash is then accepted by Kerberos, which issues a fresh authentication ticket.
Microsoft implemented Kerberos in order to move away from some of NTLM's security issues, but Kerberos works with RC4-HMAC to allow for compatibility with older systems.
The company couldn't immediately be reached for comment, but it acknowledged weaknesses in NTLM in a 2012 technical paper.