New details are available about the exploitable Windows vulnerability that Microsoft addressed in its monthly Patch Tuesday updates. The vulnerability opens a security gap in a suite of Microsoft security protocols. These protocols, known to users as NTLM (New Technology LAN Manager), are designed to provide authentication, integrity, and confidentiality to users.
Get to know CVE-2021-1678
The vulnerability is tracked as CVE-2021-1678, and its CVSS score is 4.3. CVSS stands for the Common Vulnerability Scoring System. A CVSS score of 4.3 indicates that this new vulnerability is of average severity. Vulnerabilities of average severity cannot cause huge damage. But because a substantial fraction of the world's population uses Windows, this exploitable Windows vulnerability can turn those users into potential targets for hackers.
What is known so far is that CVE-2021-1678 is a new exploitable Windows vulnerability that lets attackers bind a vulnerable component to the network stack. If you leave this vulnerability unpatched, attackers can use it to achieve remote code execution via an NTLM relay.
As the researchers have stated in a Friday advisory:
“This vulnerability allows an attacker to relay NTLM authentication sessions to an attacked machine, and use a printer spooler MSRPC interface to remotely execute code on the attacked machine.”
Bypassing NTLM lets hackers mount a man-in-the-middle attack. In a man-in-the-middle attack, the vulnerability allows attackers with access to a network to intercept legitimate authentication traffic between a client and a server. Eventually, the attackers gain access to the network by means of these validated authentication requests.
The probable complications of CVE-2021-1678
If attackers exploit this vulnerability successfully, they can run malicious code on a Windows machine remotely. They can also move laterally on the network to critical systems by means of this exploitable Windows vulnerability. Servers that host domain controllers are further targets that attackers can exploit. Attackers use NTLM (New Technology LAN Manager) credentials to move laterally on the network.
According to Microsoft, the vulnerability has been fixed by increasing the RPC authentication level and by introducing a new policy and registry key that let customers disable or enable Enforcement mode on the server side to increase the authentication level.
If you own a business, it is better to take an emergency step until Windows gets updated on June 8, 2021. To take this emergency step, you need to install the January 12 Windows update. Then, you only need to turn on Enforcement mode on the print server.
How Enforcement mode can protect your system against the new exploitable Windows vulnerability
By turning on Enforcement mode, you can enhance the security of your messages by means of WS-Policy. For example, if a policy requires a response to be encrypted, the filter rejects the response and triggers error handling if the output is not encrypted, but enforce encrypts the outgoing.