Windows NTLM Tampering Vulnerability (CVE-2019-1040) Threat Alert

June 17, 2019 | Mina Hao

1 Vulnerability Overview

On June 12, 2019, Beijing time, Microsoft released security patches for the Windows NTLM tampering vulnerability (CVE-2019-1040), which exists in Windows operating systems and allows attackers to bypass the NTLM MIC (Message Integrity Check) protection.

NTLM relay is an attack technique used in domain environments. To counter this type of attack, Windows employs a signing mechanism. To ensure that NTLM messages are not tampered with by attackers during the negotiation phase, Windows adds a field, the MIC, to the NTLM authentication message. However, this vulnerability can render the field useless, allowing attackers to bypass the MIC protection.

Reference:

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040

2 Scope of Impact

Affected Versions:

  • Windows 10 for 32-bit Systems
  • Windows 10 for x64-based Systems
  • Windows 10 Version 1607 for 32-bit Systems
  • Windows 10 Version 1607 for x64-based Systems
  • Windows 10 Version 1703 for 32-bit Systems
  • Windows 10 Version 1703 for x64-based Systems
  • Windows 10 Version 1709 for 32-bit Systems
  • Windows 10 Version 1709 for ARM64-based Systems
  • Windows 10 Version 1709 for x64-based Systems
  • Windows 10 Version 1803 for 32-bit Systems
  • Windows 10 Version 1803 for ARM64-based Systems
  • Windows 10 Version 1803 for x64-based Systems
  • Windows 10 Version 1809 for 32-bit Systems
  • Windows 10 Version 1809 for ARM64-based Systems
  • Windows 10 Version 1809 for x64-based Systems
  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows 8.1 for 32-bit systems
  • Windows 8.1 for x64-based systems
  • Windows RT 8.1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server, version 1803 (Server Core Installation)
  • Windows Server, version 1903 (Server Core installation)

3 Detection Method

All systems that are within the affected scope and do not have the latest patches installed are vulnerable. Users can check whether the current system has been patched to determine whether it is vulnerable. The procedure is as follows:

  • Step 1 Press Win + R, type control in the Run window, and press Enter.

  • Step 2 In the Control Panel window, click Programs.

  • Step 3 Click View installed updates under Programs and Features.

  • Step 4 In the text box in the upper-right corner, type the KB number. If no program is displayed, the current system is vulnerable. For a detailed list of KB numbers for different operating system versions, see appendix A Official Patch Download Links.

----End
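
The check in steps 1 to 4 can also be scripted. The PowerShell below is an added example, not part of the original advisory: the KB numbers come from appendix A, while the build-number keys and the function name `Test-Cve20191040Patch` are assumptions introduced here.

```powershell
# Build number -> fixing KB(s). KB numbers are those listed in appendix A;
# the build-number keys are an assumption added here to pick the right row.
$KbByBuild = @{
    '10240' = @('KB4503291')               # Windows 10 (initial release)
    '14393' = @('KB4503267')               # Windows 10 1607, Server 2016
    '15063' = @('KB4503279')               # Windows 10 1703
    '16299' = @('KB4503284')               # Windows 10 1709
    '17134' = @('KB4503286')               # Windows 10 1803, Server version 1803
    '17763' = @('KB4503327')               # Windows 10 1809, Server 2019
    '18362' = @('KB4503293')               # Windows 10 1903, Server version 1903
    '7601'  = @('KB4503269')               # Windows 7 SP1, Server 2008 R2 SP1
    '9600'  = @('KB4503290', 'KB4503276')  # Windows 8.1, Server 2012 R2
    '9200'  = @('KB4503263', 'KB4503285')  # Server 2012
    '6002'  = @('KB4503287', 'KB4503273')  # Server 2008 SP2
    '6003'  = @('KB4503287', 'KB4503273')  # Server 2008 SP2 (later build number)
}

function Test-Cve20191040Patch {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        # Query the local host directly; only pass -ComputerName for remote hosts.
        $target = @{ ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $target.ComputerName = $computer }
        $build = $null; $expected = @(); $found = @()
        try {
            $os = Get-CimInstance -ClassName Win32_OperatingSystem @target
            $build = [string]$os.BuildNumber
            if ($KbByBuild.ContainsKey($build)) { $expected = $KbByBuild[$build] }
            $found = @(Get-HotFix @target |
                Where-Object { $expected -contains $_.HotFixID } |
                Select-Object -ExpandProperty HotFixID)
            if ($expected.Count -eq 0)  { $status = 'BuildNotInAdvisory' }
            elseif ($found.Count -gt 0) { $status = 'Patched' }
            else                        { $status = 'KbNotFound' }
        } catch {
            $status = "QueryFailed: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Computer = $computer; Build = $build; Status = $status
            ExpectedKb = $expected -join ', '; FoundKb = $found -join ', '
        }
    }
}

Test-Cve20191040Patch | Format-Table -AutoSize
```

A `KbNotFound` result means none of the June 2019 KBs is listed; a host that installed a later cumulative update or monthly rollup superseding them also shows this status, so review such hosts by hand.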

4 Vulnerability Protection

4.1 Official Patches

Microsoft has released security updates to fix this vulnerability. Users are advised to download and install them as soon as possible. There are three methods to obtain and install patches: intranet WSUS, Microsoft Update service available on Microsoft’s official website, and offline installation.

Note: To immediately start Windows Update, users can type wuauclt.exe /detectnow at the command line prompt.

  • Intranet WSUS

Applicability: This method is applicable to computers that are in the Active Directory domain where the WSUS server is available, or computers that have access to the intranet WSUS service.

The system automatically downloads new security patches at regular intervals and prompts users to install them. Users only need to install these patches as prompted.

To make a patch take effect immediately, users can restart their computers as soon as the installation is complete.

  • Microsoft Update Service Available on Microsoft’s Official Website

Applicability: This method is applicable to computers that can connect to the Internet, but have no access to the intranet WSUS service, including those with the intranet WSUS service disabled and those that have this service enabled, but have no access to the intranet.

If the intranet WSUS service is not enabled on computers, users should first enable it and then install patches and restart the computer as prompted.

If computers have the intranet WSUS service enabled, but do not connect to the intranet, users should do as follows: Choose Start > All Programs > Windows Update, click Check online for updates from Microsoft Update, and then do as prompted.

  • Offline Installation

With this method, users need to first download the latest patch for the current system, and then double-click the installation package to install it. For download links, see appendix A Official Patch Download Links.

Appendix A Official Patch Download Links

OS Version Patch Download Link Patch Number
Windows 10 x86 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503291-x86_8d119231762adfe09926346f1f141b22c3954422.msu KB4503291
Windows 10 x64 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503291-x64_d93add874181eaa61e6ad77ee37922ba61987929.msu KB4503291
Windows 10 Version 1607 x32 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503267-x86_f19fbfaf4b8abc167327e26c39cd4d3aa2c573ed.msu KB4503267
Windows 10 Version 1607 x64 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503267-x64_51ff317097c854ffc5d9ee5badab6fcf7462d324.msu KB4503267
Windows 10 Version 1703 for 32-bit Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503279-x86_f97c4659d527c01dac9eee8d33b0c0d17421f244.msu KB4503279
Windows 10 Version 1703 for 64-bit Systems http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows10.0-kb4503279-x64_f943add8c72a58a53fd3c4ed8b8cccbc5978258a.msu KB4503279
Windows 10 Version 1709 for 32-bit Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503284-x86_d5ddd7ae23568470f7e0124a3c50c0045ef8c81d.msu KB4503284
Windows 10 Version 1709 for x64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503284-x64_a2a689c0683e881c70f6ffbe3840b73a651fbd06.msu KB4503284
Windows 10 Version 1709 for ARM64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503284-arm64_7f3df7c6e9e7e433b411ed506dfb036342821fc4.msu KB4503284
Windows 10 Version 1803 for 32-bit Systems http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows10.0-kb4503286-x86_49c769a0e8c1721da95cb00805c15a8acb45e7ce.msu KB4503286
Windows 10 Version 1803 for ARM64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503286-arm64_af3c37687fc62855ed93c499c9e50b46a0033a94.msu KB4503286
Windows 10 Version 1803 for x64-based Systems http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows10.0-kb4503286-x64_9799650b3b8f356486a748619070306997833d17.msu KB4503286
Windows 10 Version 1809 for 32-bit Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503327-x86_e7b4e93a5bb54eef9cb80de5cb9a1087a9753cd0.msu KB4503327
Windows 10 Version 1809 for ARM64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503327-arm64_9cc6e7b5060de49b29b388f2c8d81e529bc06565.msu KB4503327
Windows 10 Version 1809 for x64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503327-x64_7bd62b3999caa3fd8d57338212e7c9676687ac68.msu KB4503327
Windows 10 Version 1903 for 32-bit Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503293-x86_c4e69a424156fbaafe872103cf94cb79d067d8c8.msu KB4503293
Windows 10 Version 1903 for ARM64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503293-arm64_ffd3fb7c0d325004829b63349f4471962479e198.msu KB4503293
Windows 10 Version 1903 for x64-based Systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503293-x64_df9098dcf9761b5652aab2666438fb128c16ffe0.msu KB4503293
Windows 7 for 32-bit Systems Service Pack 1 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows6.1-kb4503269-x86_525652cb7e59c7ec922ff4e7efc60426d10cbe14.msu KB4503269
Windows 7 for x64-based Systems Service Pack 1 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows6.1-kb4503269-x64_d518b12868bb1202a03fbc33c2d716092ae9c2e2.msu KB4503269
Windows 8.1 for 32-bit systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows8.1-kb4503276-x86_6255fed2ad9cefb3fa8c44ff3422dae1531bf7c1.msu KB4503290 KB4503276 (Monthly Rollup)
Windows 8.1 for x64-based systems http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows8.1-kb4503276-x64_668a79da48ee0d02a5caa94c686ab7dd1270f771.msu KB4503290 KB4503276 (Monthly Rollup)
Windows RT 8.1 No official download link KB4503276 (Monthly Rollup)
Windows Server 2008 for 32-bit Systems Service Pack 2 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows6.0-kb4503287-x86_9340ad1c3d474c273eb34ae17cbb288f0b36559e.msu KB4503287 KB4503273 (Monthly Rollup)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows6.0-kb4503287-x86_9340ad1c3d474c273eb34ae17cbb288f0b36559e.msu KB4503287 KB4503273 (Monthly Rollup)
Windows Server 2008 for Itanium-Based Systems Service Pack 2 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows6.0-kb4503287-ia64_474810fbe10cdf61d1c4bbfa6ddc3cd99fa9b0cd.msu KB4503287 KB4503273 (Monthly Rollup)
Windows Server 2008 for x64-based Systems Service Pack 2 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows6.0-kb4503287-x64_3938da9a2635d2a6f7447e81121a0c91a43c3dd3.msu KB4503287 KB4503273 (Monthly Rollup)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows6.0-kb4503287-x64_3938da9a2635d2a6f7447e81121a0c91a43c3dd3.msu KB4503287 KB4503273 (Monthly Rollup)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows6.1-kb4503269-ia64_b6b6cd0e80cffa2528503c22a8b02e0c0cc381d2.msu KB4503269
Windows Server 2008 R2 for x64-based Systems Service Pack 1 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows6.1-kb4503269-x64_d518b12868bb1202a03fbc33c2d716092ae9c2e2.msu KB4503269
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows6.1-kb4503269-x64_d518b12868bb1202a03fbc33c2d716092ae9c2e2.msu KB4503269
Windows Server 2012 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows8-rt-kb4503263-x64_a91a258e1ebaf70e2974b8009a9c2382fcad1241.msu KB4503263 KB4503285 (Monthly Rollup)
Windows Server 2012 (Server Core installation) http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows8-rt-kb4503263-x64_a91a258e1ebaf70e2974b8009a9c2382fcad1241.msu KB4503263 KB4503285 (Monthly Rollup)
Windows Server 2012 R2 http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows8.1-kb4503290-x64_b89d6a7b0c552bba293c60a41838d5c517e73c30.msu KB4503290 KB4503276 (Monthly Rollup)
Windows Server 2012 R2 (Server Core installation) http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows8.1-kb4503290-x64_b89d6a7b0c552bba293c60a41838d5c517e73c30.msu KB4503290 KB4503276 (Monthly Rollup)
Windows Server 2016 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503267-x64_51ff317097c854ffc5d9ee5badab6fcf7462d324.msu KB4503267
Windows Server 2016 (Server Core installation) http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503267-x64_51ff317097c854ffc5d9ee5badab6fcf7462d324.msu KB4503267
Windows Server 2019 http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503327-x64_7bd62b3999caa3fd8d57338212e7c9676687ac68.msu KB4503327
Windows Server 2019 (Server Core installation) http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503327-x64_7bd62b3999caa3fd8d57338212e7c9676687ac68.msu KB4503327
Windows Server, version 1803 (Server Core Installation) http://download.windowsupdate.com/d/msdownload/update/software/secu/2019/06/windows10.0-kb4503286-x64_9799650b3b8f356486a748619070306997833d17.msu KB4503286
Windows Server, version 1903 (Server Core installation) http://download.windowsupdate.com/c/msdownload/update/software/secu/2019/06/windows10.0-kb4503293-x64_df9098dcf9761b5652aab2666438fb128c16ffe0.msu KB4503293


  • Miscellaneous

  • Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

  • About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

https://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.