SLTechnology News&Howtos, Network Security (updated 2025-02-23)
Shulou (Shulou.com) 05/31 Report
In this issue, the editor looks at CVE-2021-1678, a Windows vulnerability that can be exploited remotely. The article is rich in content and analyzes the issue from a professional point of view; I hope you get something out of it.
Microsoft fixed a security feature bypass vulnerability in Windows NT LAN Manager (NTLM) on a Tuesday in January, and more details about the vulnerability have since emerged.
The vulnerability is tracked as CVE-2021-1678 (CVSS score 4.3). Although its exact details are still unknown, it can be exploited remotely and resides in a vulnerable component of the network protocol stack.
Crowdstrike researchers say that, if left unpatched, attackers can combine this vulnerability with NTLM relay to achieve remote code execution.
"The vulnerability allows attackers to relay NTLM authentication sessions to the compromised computer and use the printer daemon MSRPC interface to remotely execute code on the compromised computer," the researchers said in a security announcement on Friday.
An NTLM relay attack is a man-in-the-middle attack that typically lets an attacker with network access hijack legitimate authentication traffic between a client and a server and relay the authenticated requests to gain access to network services.
Successful exploitation could also allow an attacker to run code remotely on a Windows computer or move laterally across the network to a critical system, such as a server hosting a domain controller, by reusing the NTLM credentials directed at the compromised server.
Although such attacks can be prevented by SMB and LDAP signing and by enabling Extended Protection for Authentication (EPA), CVE-2021-1678 exploits a flaw in MSRPC (Microsoft Remote Procedure Call) that leaves it open to relay attacks.
Specifically, the researchers found that IRemoteWinspool (the RPC interface exposed by the remote print spooler) can be used to perform a series of RPC operations and write arbitrary files on the target computer using a hijacked NTLM session.
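To make the two relay defenses named above concrete, here is an added example (not code from the article or from Crowdstrike) that walks through a simplified NTLMv2 exchange following the MS-NLMP formulas: the client's NTProofStr covers the target info, the target info carries an EPA channel-binding token derived from the TLS certificate the client actually saw, and the session key that SMB/LDAP signing uses is derived from the NT hash that a relayer never learns. The NT hash, challenges, timestamp and certificate bytes are constructed stand-ins, the channel-binding struct is simplified, and the server is given the NTLMv2 hash directly in place of the NetLogon round-trip to a domain controller; all of those are assumptions of the example.

```python
"""Simplified NTLMv2 with channel binding (EPA) and session-key signing.

Added example: shows why relaying an NTLM session across a different channel
fails when the server requires EPA, and why a relayer cannot produce signed
SMB/LDAP traffic. Key material and certificates are constructed values.
"""
import hashlib
import hmac
import struct

# --- constructed stand-ins (not real secrets or certificates) ---------------
NT_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")  # MD4(UTF-16LE(pw)), assumed precomputed
USER, DOMAIN, SERVER_NAME = "alice", "CORP", "FILESRV01"
SERVER_CHALLENGE = bytes.fromhex("0123456789abcdef")
CLIENT_CHALLENGE = bytes.fromhex("fedcba9876543210")
TIMESTAMP = 132548870400000000                      # arbitrary FILETIME
SERVER_CERT = b"constructed DER certificate of FILESRV01"
ATTACKER_CERT = b"constructed DER certificate of a relaying endpoint"

AV_NB_COMPUTER_NAME = 0x0001
AV_CHANNEL_BINDINGS = 0x000A
AV_EOL = 0x0000
TEMP_PREFIX_LEN = 2 + 6 + 8 + 8 + 4                 # bytes before TargetInfo inside temp


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def ntlmv2_hash(nt_hash: bytes, user: str, domain: str) -> bytes:
    # NTOWFv2 = HMAC_MD5(NT hash, UTF-16LE(UPPER(user) + domain))
    return hmac_md5(nt_hash, (user.upper() + domain).encode("utf-16-le"))


def channel_binding_token(tls_cert_der: bytes) -> bytes:
    # Simplified tls-server-end-point binding: hash of the certificate the client
    # saw on its own TLS channel. Real EPA hashes a gss_channel_bindings_struct.
    cert_hash = hashlib.sha256(tls_cert_der).digest()
    return hashlib.md5(b"tls-server-end-point:" + cert_hash).digest()


def build_target_info(server_name: str, cb_token: bytes) -> bytes:
    # AV_PAIR list: id(2) | len(2) | value, terminated by MsvAvEOL
    name = server_name.encode("utf-16-le")
    return (struct.pack("<HH", AV_NB_COMPUTER_NAME, len(name)) + name
            + struct.pack("<HH", AV_CHANNEL_BINDINGS, len(cb_token)) + cb_token
            + struct.pack("<HH", AV_EOL, 0))


def find_av_pair(target_info: bytes, av_id: int):
    off = 0
    while off + 4 <= len(target_info):
        aid, alen = struct.unpack_from("<HH", target_info, off)
        off += 4
        if aid == AV_EOL:
            return None
        if aid == av_id:
            return target_info[off:off + alen]
        off += alen
    return None


def compute_response(ntv2: bytes, server_challenge: bytes, client_challenge: bytes,
                     timestamp: int, target_info: bytes):
    # temp = RespVer | HiRespVer | Z(6) | Time(8) | ClientChallenge(8) | Z(4) | TargetInfo | Z(4)
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", timestamp)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    nt_proof = hmac_md5(ntv2, server_challenge + temp)
    session_key = hmac_md5(ntv2, nt_proof)          # SessionBaseKey, feeds SMB/LDAP signing
    return nt_proof, temp, session_key


def server_verify(ntv2: bytes, server_challenge: bytes, nt_proof: bytes,
                  temp: bytes, server_cert_der: bytes):
    """Server configured to require EPA. Returns (status, session_key or None)."""
    if not hmac.compare_digest(hmac_md5(ntv2, server_challenge + temp), nt_proof):
        return "rejected: NTProofStr mismatch", None   # target info was altered in transit
    presented = find_av_pair(temp[TEMP_PREFIX_LEN:-4], AV_CHANNEL_BINDINGS)
    if presented is None or not hmac.compare_digest(presented, channel_binding_token(server_cert_der)):
        return "rejected: channel binding mismatch", None  # client bound to a different channel
    return "accepted", hmac_md5(ntv2, nt_proof)


def sign_message(session_key: bytes, seq_num: int, message: bytes) -> bytes:
    # NTLMSSP-style signature: first 8 bytes of HMAC_MD5(key, seq || message).
    # A relayer that never learned the NT hash cannot derive session_key.
    return hmac_md5(session_key, struct.pack("<I", seq_num) + message)[:8]


def simulate(client_sees_cert: bytes, server_cert: bytes):
    """Client authenticates over a channel presenting client_sees_cert; the response
    then reaches a server whose own certificate is server_cert."""
    ntv2 = ntlmv2_hash(NT_HASH, USER, DOMAIN)
    target_info = build_target_info(SERVER_NAME, channel_binding_token(client_sees_cert))
    nt_proof, temp, client_key = compute_response(ntv2, SERVER_CHALLENGE, CLIENT_CHALLENGE,
                                                  TIMESTAMP, target_info)
    status, server_key = server_verify(ntv2, SERVER_CHALLENGE, nt_proof, temp, server_cert)
    return status, server_key == client_key


def scenario_honest():
    return simulate(SERVER_CERT, SERVER_CERT)            # ("accepted", True)


def scenario_relayed_channel():
    return simulate(ATTACKER_CERT, SERVER_CERT)          # EPA rejects the relayed session


def scenario_tampered_binding():
    # Relayer rewrites the AV_PAIRs to the real server's binding, but NTProofStr no longer matches
    ntv2 = ntlmv2_hash(NT_HASH, USER, DOMAIN)
    target_info = build_target_info(SERVER_NAME, channel_binding_token(ATTACKER_CERT))
    nt_proof, temp, _ = compute_response(ntv2, SERVER_CHALLENGE, CLIENT_CHALLENGE, TIMESTAMP, target_info)
    forged_info = build_target_info(SERVER_NAME, channel_binding_token(SERVER_CERT))
    forged_temp = temp[:TEMP_PREFIX_LEN] + forged_info + b"\x00" * 4
    status, _ = server_verify(ntv2, SERVER_CHALLENGE, nt_proof, forged_temp, SERVER_CERT)
    return status


if __name__ == "__main__":
    print(scenario_honest(), scenario_relayed_channel(), scenario_tampered_binding())
```

The three scenarios cover the defender's view: a direct session is accepted and both sides hold the same signing key; a session relayed through another TLS endpoint fails the channel-binding check; and a relayer that rewrites the binding to the real server's certificate breaks the HMAC over the target info. MSRPC traffic at a low authentication level carries none of these protections, which is why the article's fix raises the RPC authentication level rather than relying on SMB/LDAP signing alone.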
Microsoft said in a support document that it fixed the vulnerability by "raising the level of RPC authentication and introducing new policies and registry entries that allow customers to disable or enable mandatory mode on the server side to raise the authentication level."
In addition to installing the January 12 Windows update, Microsoft urged users to enable mandatory mode on print servers and said that from June 8, 2021, all Windows devices will have this setting enabled by default.
That is the editor's overview of CVE-2021-1678, the remotely exploitable Windows vulnerability. If you have similar questions, refer to the analysis above; to learn more, follow the industry information channel.