Security Advisory

Microsoft Security Advisory 974926

Credential Relaying Attacks on Integrated Windows Authentication

Published: December 08, 2009

Version: 1.0

This advisory addresses the potential for attacks that affect the handling of credentials using Integrated Windows Authentication (IWA), and the mechanisms Microsoft has made available for customers to help protect against these attacks.

In these attacks, an attacker who is able to obtain the user's authentication credentials while being transferred between a client and a server would be able to reflect these credentials back to a service running on the client, or forward them to another server on which the client has a valid account. This would allow the attacker to gain access to these resources, impersonating the client. Since IWA credentials are hashed, an attacker cannot use this to ascertain the actual username and password.

Depending on the scenario and the use of additional attack vectors, an attacker may be able to obtain authentication credentials both inside and outside of the organization’s security perimeter and utilize them to gain inappropriate access to resources.

Microsoft is addressing the potential impact of these issues at different levels and wants to make customers aware of the tools that have been made available to address these issues, and the impact of using these tools. This advisory contains information on the different actions Microsoft has taken to improve protection of IWA authentication credentials, and how customers can deploy these safeguards.

Mitigating Factors:

  • In order to relay credentials, an attacker would need to successfully leverage another vulnerability to execute a man-in-the-middle attack, or to convince the victim, using social engineering, to connect to a server under the attacker's control, for instance by sending a link in a malicious e-mail message.
  • Internet Explorer does not automatically send credentials using HTTP to servers hosted in the Internet zone. This reduces the risk that credentials can be forwarded or reflected by an attacker within this zone.
  • Inbound traffic must be allowed to the client system for a reflection attack to succeed. The most common attack vector is SMB, as it allows IWA authentication. Hosts behind a firewall that blocks SMB traffic, or hosts that block SMB traffic on a host firewall are not vulnerable to the most common NTLM reflection attacks, which target SMB.

General Information

Overview

Purpose of Advisory: To clarify the actions that Microsoft is taking to extend protection of user credentials when using Integrated Windows Authentication (IWA).

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References Identification
Microsoft Knowledge Base Article 974926

This advisory discusses the following software.

Affected Software
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP for x64-based Systems Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 for x64-based Systems Service Pack 2
Windows Server 2003 for Itanium-based Systems Service Pack 2
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems*
Windows 7 for x64-based Systems*
Windows Server 2008 R2 for x64-based Systems*
Windows Server 2008 R2 for Itanium-based Systems*

*Windows 7 and Windows Server 2008 R2 provide Extended Protection for Authentication as a feature of the Security Support Provider Interface (SSPI). Applications running on these operating systems may still be exposed to credential relaying if either the operating system or the application is not configured to support this feature. Extended Protection for Authentication is not enabled by default.

Frequently Asked Questions

What is the scope of the advisory?
This security advisory provides a comprehensive view of the strategy that Microsoft applies to protect against credential relaying. It provides an overview of the updates currently available to address this issue comprehensively.

What causes this threat?
This advisory addresses the potential for authentication relaying. These attacks take place when an attacker succeeds in obtaining authentication credentials, for instance through a man-in-the-middle attack, or by convincing a user to click on a link. This link could cause the client to access an attacker-controlled service that requests the user to authenticate using IWA.

Forms of credential relaying referred to in this advisory are:

  • Credential forwarding: domain credentials that are obtained by an attacker can be used to log on to other services that the victim is known to have access to. The attacker could then acquire permissions identical to that of the victim on the target service.
  • Credential reflection: domain credentials that are obtained by an attacker can be used to log back on to the victim’s machine. The attacker would then acquire permissions on that machine identical to that of the victim.

In order for these attacks to succeed, an attacker requires a user to connect to the attacker's server. This can be accomplished by attacks that involve the attacker being present on the local network, such as address resolution protocol (ARP) cache poisoning.

The impact of these attacks increases when an attacker convinces a user to connect to a server outside of the organizational boundary. Specific scenarios that may allow this to occur are as follows:

  • DNS devolution, a Windows DNS client feature that allows Windows DNS clients to resolve DNS queries for single-label unqualified hostnames. A malicious user could register a specific host name outside of the organization’s boundary that, if clients are configured incorrectly, can be unintentionally contacted by a client when it devolves outside of the organizational boundary while attempting to access that host name.
  • DNS spoofing, where an attacker could exploit vulnerabilities in the Windows Domain Name System (DNS), allowing spoofing. These attacks could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s system.
  • NetBIOS Name Service (NBNS) spoofing, where the user being enticed to run a specially crafted Active code applet (for instance Java or Flash) that would initiate a query for a local hostname, and subsequently introduces spoofed NBNS responses to the client with a remote IP address. Upon connecting to this hostname, the client would consider this a local machine and attempt IWA credentials, thereby exposing these to the remote attacker;

Microsoft has released several updates to help address these scenarios and this advisory aims to summarize how customers can best assess risk and issues in their specific deployment scenario.

What is Integrated Windows Authentication (IWA)?
With Integrated Windows Authentication (formerly called NTLM, and also known as Windows NT Challenge/Response Authentication), the user name and password (credentials) are hashed before being sent across the network. When you enable Integrated Windows Authentication, the client proves its knowledge of the password through a hashed cryptographic exchange with your Web server. Integrated Windows Authentication includes the Negotiate, Kerberos, and NTLM authentication methods.

What is a man-in-the-middle attack?
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking that they are communicating only with the intended party.

Which actions has Microsoft taken to address DNS spoofing attacks?
Microsoft has released the following security bulletins to address DNS spoofing attacks:

  • MS08-037 addresses two vulnerabilities that could allow an attacker to spoof DNS records and insert them into the DNS server cache.
  • MS09-008 addresses two vulnerabilities that could allow an attacker to spoof DNS records and insert them into the DNS server cache, and two vulnerabilities which could allow an attacker to maliciously register network infrastructure-related host names (WPAD and ISATAP) that could be used to accommodate further attacks.

Which actions has Microsoft taken to address NBNS spoofing attacks?
Microsoft has worked with the third-party vendors that are affected by this vulnerability and they have implemented mitigation against this attack vector. This issue was addressed in Adobe Flash Player in Adobe Security Bulletin APSB08-11 and in the Sun Java Runtime Environment in Sun Alert 103079.

What is address resolution protocol (ARP) cache poisoning?
ARP cache poisoning is an attack that consists of an attacker’s computer, present on the same subnet as the victim, sending spoofed or gratuitous ARP responses. These will usually attempt to confuse clients into believing that the attacker is the default gateway on the network, and result in the victim computer sending information to the attacker as opposed to the gateway. Such an attack may be leveraged to set up a man-in-the-middle attack.

What is Transport Layer Security (TLS)?
The Transport Layer Security (TLS) Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions. When establishing a secure session, the Handshake Protocol manages the following:

  • Cipher suite negotiation
  • Authentication of the server and optionally, the client
  • Session key information exchange

For more information, see the TechNet article, How TLS/SSL works.

What versions of Windows are associated with this advisory?
Credential forwarding and reflection affects all platforms that have the ability to perform Integrated Windows Authentication. The Extended Protection for Authentication feature is included in Windows 7 and Windows Server 2008 R2, and was made available for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 in a non-security update released as Microsoft Security Advisory 973811. In order to fully protect authentication credentials, specific applications on these operating systems still need to opt in to the mechanism. The Extended Protection feature is not available for the Microsoft Windows 2000 operating system.

What actions has Microsoft taken to address credential reflection attacks?
Applications are protected against credential reflection attacks if they properly utilize the Service Principal Name (SPN) when authenticating against a service.

Prior to publication of this security advisory, Microsoft had released the following security updates to ensure Windows components and Microsoft applications properly opt in to this mechanism to provide protection against credential reflection attacks:

  • Microsoft Security Bulletin MS08-068 addresses reflection of credentials when connecting to an attacker’s SMB server.
  • Microsoft Security Bulletin MS08-076 addresses reflection of credentials when connecting to an attacker’s Windows Media server.
  • Microsoft Security Bulletin MS09-013 addresses reflection of credentials when connecting to an attacker’s Web server using the WinHTTP Application Programming Interface.
  • Microsoft Security Bulletin MS09-014 addresses reflection of credentials when connecting to an attacker’s Web server using the WinINET Application Programming Interface.
  • Microsoft Security Bulletin MS09-042 addresses reflection of credentials when connecting to an attacker’s telnet server.

What actions has Microsoft taken to address credential forwarding attacks?
Some protection against credential forwarding is provided by the Windows Security Support Provider Interface (SSPI). This interface is implemented in Windows 7 and Windows Server 2008 R2, and has been made available as a non-security update for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

In order to be protected, additional non-security updates need to be deployed to provide the same protection for specific client- and server components and applications. This feature applies changes to authentication on both the client and server end and should be deployed carefully. More information on Extended Protection for Authentication, and the non-security updates released to implement this mechanism, can be found in Microsoft Security Advisory 973811.

How do these updates address credential forwarding attacks?
The SSPI non-security update Microsoft Security Advisory 973811 modifies the SSPI in order to extend the current Integrated Windows Authentication (IWA) mechanism so that authentication requests can be bound to both the SPN of the server that the client attempts to connect to, as well as to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place, if such channel exists. This is a base update that does not address a security vulnerability in itself, but deploys this as an optional feature that application vendors can choose to configure.

The application-specific non-security updates modify individual system components that perform IWA authentication so that the components opt in to the protection mechanisms implemented by the layer 1 non-security update. More information on enabling Extended Protection for Authentication can be found in Microsoft Security Advisory 973811 and the corresponding Microsoft Knowledge Base Article 973811.

Which actions has Microsoft taken to address DNS devolution?
DNS devolution can be used as an attack vector to exploit this vulnerability outside of a corporate network. Devolution is a Windows DNS client feature by which Windows DNS clients resolve DNS queries for single-label unqualified hostnames. Queries are constructed by appending the Primary DNS suffix (PDS) to the hostname. The query is retried by systematically removing the left-most label in the PDS until the hostname and remaining PDS resolves, or only two labels remain in the stripped PDS. For example, Windows clients looking for "Single-label" in the western.corp.contoso.co.us domain will progressively query Single-label.western.corp.contoso.co.us, Single-label.corp.contoso.co.us, Single-label.contoso.co.us, and then Single-label.co.us until it finds a system that resolves. This process is referred to as devolution.

An attacker could host a system with a single-label name outside of an organization's boundary and due to DNS devolution may successfully get a Windows DNS client to connect to it as though it were inside the organizational boundary. For example, if the DNS suffix of an enterprise is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of "Single-Label", the DNS resolver will try Single-Label.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve Single-label.contoso.co.us. If that is not found, it will try to resolve Single-label.co.us, which is outside of the contoso.co.us domain. This process is referred to as devolution.

As one example, if this host name is WPAD, an attacker who sets up WPAD.co.us could provide a malicious Web Proxy Auto-Discovery file to configure the client proxy settings.

Microsoft released Security Advisory 971888 and an associated update to provide organizations with more granular control over how Windows clients perform DNS devolution. This update allows an organization to prevent clients from devolving outside of the organizational boundary.

What can third-party developers do to help address credential relaying?
Third-party developers should consider implementing Extended Protection for Authentication by opting in to this new protection mechanism described in Microsoft Security Advisory 973811.

More information on how developers can opt into this mechanism can be found in the MSDN article, Integrated Windows Authentication with Extended Protection.

What is a Service Principal Name (SPN)?
A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a network, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

Suggested Actions

  • Review Microsoft Security Advisory 973811Extended Protection for Authentication, and implement the associated updates
    This security advisory announces the release of non-security updates that implement Extended Protection for Authentication. This feature helps protect authentication attempts against relaying attacks.
  • Review Microsoft Security Advisory 971888Update for DNS Devolution
    This security advisory announces the release of an optional non-security update that allows system administrators to configure DNS devolution with greater specificity.
  • Review the Microsoft Knowledge Base Article that is associated with this advisory
    Customers who are interested in learning more about this security advisory should review Microsoft Knowledge Base Article 974926.
  • Protect Your PC
    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
  • For more information about staying safe on the Internet, customers should visit Microsoft Security Central.
  • Keep Windows Updated
    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Workarounds

A number of workarounds exist to help protect systems against credential reflection or credential forwarding attacks. Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Block TCP ports 139 and 445 at the firewall

In the case of credential reflection attacks, inbound connections using the relayed credentials are most likely over the SMB or RPC services. Blocking TCP ports 139 and 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Microsoft recommends that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, see TCP and UDP Port Assignments.

Impact of Workaround: Several Windows services use the affected ports. Blocking connectivity to the ports may cause various applications or services to not function. Some of the applications or services that could be impacted are listed below:

  • Applications that use SMB (CIFS)
  • Applications that use mailslots or named pipes (RPC over SMB)
  • Server (File and Print Sharing)
  • Group Policy
  • Net Logon
  • Distributed File System (DFS)
  • Terminal Server Licensing
  • Print Spooler
  • Computer Browser
  • Remote Procedure Call Locator
  • Fax Service
  • Indexing Service
  • Performance Logs and Alerts
  • Systems Management Server
  • License Logging Service

Enable SMB signing

Enabling SMB signing prevents the attacker from executing code in the context of the logged-on user. SMB signing provides mutual and message authentication by placing a digital signature into each SMB, which is then verified by both the client and the server. Microsoft recommends using Group Policies to configure SMB signing.

For detailed instructions on using Group Policy to enable and disable SMB signing for Microsoft Windows 2000, Windows XP, and Windows Server 2003, see Microsoft Knowledge Base Article 887429. The instructions in Microsoft Knowledge Base Article 887429 for Windows XP and Windows Server 2003 also apply to Windows Vista and Windows Server 2008.

Impact of Workaround: Using SMB packet signing can degrade performance on file service transactions. Computers that have this policy set will not communicate with computers that do not have client-side packet signing enabled. For more information on SMB signing and potential impacts, see Microsoft network server: Digitally sign communications (always).

Other Information

Resources:

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (December 8, 2009): Advisory published.

Built at 2014-04-18T13:49:36Z-07:00