Executive Summary
Summary

| Field | Value |
|---|---|
| Title | Credential Relaying Attacks on Integrated Windows Authentication |

Informations

| Field | Value | Field | Value |
|---|---|---|---|
| Name | KB974926 | First vendor Publication | 2009-12-08 |
| Vendor | Microsoft | Last vendor Modification | 1970-01-01 |
| Severity (Vendor) | N/A | Revision | 1.0 |
Security-Database Scoring CVSS v3

CVSS vector: N/A

| Metric | Score | Metric | Score |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Subscore | NA | Temporal Score | NA |
| Exploitability Subscore | NA | | |
Security-Database Scoring CVSS v2

CVSS vector: Not Defined

| Metric | Score | Metric | Value |
|---|---|---|---|
| CVSS Base Score | Not Defined | Attack Range | Not Defined |
| CVSS Impact Score | Not Defined | Attack Complexity | Not Defined |
| CVSS Exploit Score | Not Defined | Authentication | Not Defined |
Detail
This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks. In these attacks, an attacker who is able to obtain the user's authentication credentials while they are being transferred between a client and a server would be able to reflect these credentials back to a service running on the client, or forward them to another server on which the client has a valid account. This would allow the attacker to gain access to these resources, impersonating the client. Since IWA credentials are hashed, an attacker cannot use this to ascertain the actual username and password. Depending on the scenario and the use of additional attack vectors, an attacker may be able to obtain authentication credentials both inside and outside of the organization's security perimeter and utilize them to gain inappropriate access to resources.

Microsoft is addressing the potential impact of these issues at different levels and wants to make customers aware of the tools that have been made available to address these issues, and the impact of using these tools. This advisory contains information on the different actions Microsoft has taken to improve protection of IWA authentication credentials, and how customers can deploy these safeguards.

Mitigating Factors:

General Information

Overview

Purpose of Advisory: To clarify the actions that Microsoft is taking to extend protection of user credentials when using Integrated Windows Authentication (IWA).

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.
This advisory discusses the following software.
*Windows 7 and Windows Server 2008 R2 provide Extended Protection for Authentication as a feature of the Security Support Provider Interface (SSPI). Applications running on these operating systems may still be exposed to credential relaying if either the operating system or the application is not configured to support this feature. Extended Protection for Authentication is not enabled by default.

Frequently Asked Questions

What is the scope of the advisory?

What causes this threat?

Forms of credential relaying referred to in this advisory are:
In order for these attacks to succeed, an attacker requires a user to connect to the attacker's server. This can be accomplished by attacks that involve the attacker being present on the local network, such as address resolution protocol (ARP) cache poisoning. The impact of these attacks increases when an attacker convinces a user to connect to a server outside of the organizational boundary. Specific scenarios that may allow this to occur are as follows:
Microsoft has released several updates to help address these scenarios, and this advisory aims to summarize how customers can best assess risk and issues in their specific deployment scenario.

What is Integrated Windows Authentication (IWA)?

What is a man-in-the-middle attack?

Which actions has Microsoft taken to address DNS spoofing attacks?

Which actions has Microsoft taken to address NBNS spoofing attacks?

What is address resolution protocol (ARP) cache poisoning?

What is Transport Layer Security (TLS)?

For more information, see the TechNet article, How TLS/SSL works.

What versions of Windows are associated with this advisory?

What actions has Microsoft taken to address credential reflection attacks?

Prior to publication of this security advisory, Microsoft had released the following security updates to ensure Windows components and Microsoft applications properly opt in to this mechanism to provide protection against credential reflection attacks:
What actions has Microsoft taken to address credential forwarding attacks?

In order to be protected, additional non-security updates need to be deployed to provide the same protection for specific client and server components and applications. This feature applies changes to authentication on both the client and server end and should be deployed carefully. More information on Extended Protection for Authentication, and the non-security updates released to implement this mechanism, can be found in Microsoft Security Advisory 973811.

How do these updates address credential forwarding attacks?

The application-specific non-security updates modify individual system components that perform IWA authentication so that the components opt in to the protection mechanisms implemented by the layer 1 non-security update. More information on enabling Extended Protection for Authentication can be found in Microsoft Security Advisory 973811 and the corresponding Microsoft Knowledge Base Article 973811.

Which actions has Microsoft taken to address DNS devolution?

An attacker could host a system with a single-label name outside of an organization's boundary and, due to DNS devolution, may successfully get a Windows DNS client to connect to it as though it were inside the organizational boundary. For example, if the DNS suffix of an enterprise is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of "Single-Label", the DNS resolver will try Single-Label.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve Single-Label.contoso.co.us. If that is not found, it will try to resolve Single-Label.co.us, which is outside of the contoso.co.us domain. This process is referred to as devolution. As one example, if this host name is WPAD, an attacker who sets up WPAD.co.us could provide a malicious Web Proxy Auto-Discovery file to configure the client proxy settings.
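The devolution sequence described above, modelled in code so an administrator can see which lookups a client would issue and which of them leave the organization's domain. This is an added illustration, not Microsoft's resolver code; the `devolution_level` parameter is an assumed model of the boundary control this advisory describes (the smallest number of labels a devolved suffix may keep), and `escapes_boundary` is a helper for auditing the candidate list.

```python
# Added illustration of Windows DNS suffix devolution as described above.
# Not Microsoft's resolver code. devolution_level is an assumed model of the
# boundary control the advisory describes: the smallest number of labels a
# devolved suffix may keep before the resolver stops trying shorter suffixes.


def devolution_candidates(hostname, primary_suffix, devolution_level=None):
    """Return, in order, the FQDNs a devolving resolver would try.

    hostname         -- unqualified single-label name, e.g. "WPAD"
    primary_suffix   -- the client's primary DNS suffix, e.g. "corp.contoso.co.us"
    devolution_level -- None models a client with no boundary; an integer N
                        stops devolution once a suffix would have fewer than N labels
    """
    if "." in hostname:
        raise ValueError("devolution applies only to single-label names")
    labels = primary_suffix.lower().strip(".").split(".")
    candidates = []
    # Try the full suffix first, then drop the leftmost label each round.
    # The resolver never devolves down to a single label (e.g. just "us").
    for start in range(len(labels) - 1):
        suffix = labels[start:]
        if devolution_level is not None and len(suffix) < devolution_level:
            break
        candidates.append(hostname.lower() + "." + ".".join(suffix))
    return candidates


def escapes_boundary(candidates, org_suffix):
    """Return the candidates that fall outside the organization's own domain."""
    boundary = "." + org_suffix.lower().strip(".")
    return [name for name in candidates if not name.endswith(boundary)]


if __name__ == "__main__":
    # Constructed sample matching the advisory's corp.contoso.co.us example.
    unbounded = devolution_candidates("WPAD", "corp.contoso.co.us")
    print("without boundary:", unbounded)
    print("leaves contoso.co.us:", escapes_boundary(unbounded, "contoso.co.us"))
    # With the devolution level set to 3 labels (contoso.co.us), the lookup
    # for WPAD.co.us is never issued.
    bounded = devolution_candidates("WPAD", "corp.contoso.co.us", devolution_level=3)
    print("with devolution level 3:", bounded)
```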
Microsoft released Security Advisory 971888 and an associated update to provide organizations with more granular control over how Windows clients perform DNS devolution. This update allows an organization to prevent clients from devolving outside of the organizational boundary.

What can third-party developers do to help address credential relaying?

More information on how developers can opt into this mechanism can be found in the MSDN article, Integrated Windows Authentication with Extended Protection.

What is a Service Principal Name (SPN)?

Suggested Actions
Workarounds

A number of workarounds exist to help protect systems against credential reflection or credential forwarding attacks. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Block TCP ports 139 and 445 at the firewall

In the case of credential reflection attacks, inbound connections using the relayed credentials are most likely over the SMB or RPC services. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments.

Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:
Enable SMB signing

Enabling SMB signing prevents the attacker from executing code in the context of the logged-on user. SMB signing provides mutual and message authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Microsoft recommends using Group Policies to configure SMB signing. For detailed instructions on using Group Policy to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.

Impact of Workaround: Using SMB packet signing can degrade performance on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and potential impacts, see Microsoft network server: Digitally sign communications (always).
Original Source

Url : http://www.microsoft.com/technet/security/advisory/974926.mspx
Alert History

| Date | Informations |
|---|---|
| 2013-02-06 19:08:08 | |