October 22nd, 2024

Exploit Released for New Windows Server "WinReg" NTLM Relay Attack

A proof-of-concept exploit has been released for CVE-2024-43532, a flaw in the Windows Remote Registry (WinReg) client that enables NTLM relay attacks. It affects Windows Server 2008 through 2022 and Windows 10/11, and the researchers who found it have also published detection guidance.


A proof-of-concept exploit has been released for CVE-2024-43532, a vulnerability in Microsoft's Remote Registry (WinReg) client. The flaw lets an attacker downgrade the security of the NTLM authentication the client performs and, by relaying that authentication, potentially take control of a Windows domain. It affects all Windows Server versions from 2008 through 2022, as well as Windows 10 and 11.

The root cause is a fallback in the Remote Registry client. The client first connects over SMB named pipes; when that transport is unavailable, it retries over an older transport, raw TCP/IP, and establishes the RPC session at an authentication level that provides no packet signing or sealing. Because the NTLM exchange on that fallback connection carries no integrity protection, an attacker who can trigger or intercept it can relay it elsewhere. The demonstrated target is Active Directory Certificate Services (ADCS): relaying the authentication to ADCS lets the attacker obtain a certificate for the relayed user and use it to create new domain administrator accounts.

Akamai researcher Stiv Kupchik reported the issue to Microsoft in February 2024, but Microsoft initially dismissed it as a documentation issue. After he provided further evidence, Microsoft confirmed the vulnerability in July 2024 and released a fix three months later, in October 2024. Kupchik has since shared a working PoC and walked through the exploitation process at a security conference, and has also provided recommendations for detecting and monitoring attempts to abuse the flaw.
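The page does not reproduce the researchers' detection rules. The following added example (not Akamai's or Microsoft's code) sketches the kind of check the summary describes: flag Remote Registry RPC client calls that went over the TCP transport at an authentication level below packet integrity, which is exactly the fallback path the relay abuses. The event records are constructed; their field names (InterfaceUuid, Protocol, AuthenticationLevel, NetworkAddress) are modeled on the Microsoft-Windows-RPC ETW client-call events, but mapping them onto your own telemetry export is an assumption of this example.

```python
"""Flag Remote Registry (WinReg) RPC client calls that used raw TCP
without packet integrity, the downgrade pattern CVE-2024-43532 relies on.

Added example, not the researchers' or Microsoft's code. Event field names
are modeled on the Microsoft-Windows-RPC ETW client-call events; the exact
shape of your telemetry export is an assumption here.
"""
import json

# MS-RRP (Remote Registry) RPC interface UUID from the protocol specification.
WINREG_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# RPC authentication levels (RPC_C_AUTHN_LEVEL_*). Levels below
# PKT_INTEGRITY (5) leave the session unsigned, so NTLM can be relayed.
AUTHN_NONE = 1
AUTHN_CONNECT = 2
AUTHN_PKT_INTEGRITY = 5
AUTHN_PKT_PRIVACY = 6

# Protocol sequences: SMB named pipes (the normal path) vs. raw TCP (the fallback).
SMB_TRANSPORT = "ncacn_np"
TCP_TRANSPORT = "ncacn_ip_tcp"


def is_suspicious(event: dict) -> bool:
    """True when a WinReg call went over TCP with no integrity protection."""
    if str(event.get("InterfaceUuid", "")).lower() != WINREG_UUID:
        return False
    if event.get("Protocol") != TCP_TRANSPORT:
        return False
    level = int(event.get("AuthenticationLevel", AUTHN_NONE))
    return level < AUTHN_PKT_INTEGRITY


def scan(lines):
    """Parse one JSON event per line and return the events worth alerting on."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry rather than abort the scan
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample: the normal SMB path, the TCP fallback at CONNECT level,
# and an unrelated interface (placeholder all-zero UUID) over TCP.
SAMPLE_EVENTS = r"""
{"Time":"2024-10-22T10:01:05Z","Process":"client.exe","InterfaceUuid":"338CD001-2244-31F1-AAAA-900038001003","Protocol":"ncacn_np","Endpoint":"\\pipe\\winreg","NetworkAddress":"dc01","AuthenticationLevel":6}
{"Time":"2024-10-22T10:01:06Z","Process":"client.exe","InterfaceUuid":"338CD001-2244-31F1-AAAA-900038001003","Protocol":"ncacn_ip_tcp","Endpoint":"","NetworkAddress":"10.0.0.5","AuthenticationLevel":2}
{"Time":"2024-10-22T10:02:11Z","Process":"svchost.exe","InterfaceUuid":"00000000-0000-0000-0000-000000000000","Protocol":"ncacn_ip_tcp","Endpoint":"","NetworkAddress":"dc01","AuthenticationLevel":6}
"""


if __name__ == "__main__":
    for e in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{e['Time']} {e['Process']} -> {e['NetworkAddress']}: WinReg over "
              f"{e['Protocol']} at authentication level {e['AuthenticationLevel']}")
```

On a patched client the second record should no longer appear; if it still does, the host either lacks the October 2024 update or something other than the built-in client is issuing the call, and the NetworkAddress is the host an attacker would be relaying from.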

- A new exploit for a Windows Server vulnerability (CVE-2024-43532) has been released.

- The flaw allows NTLM relay attacks, potentially leading to domain takeover.

- It affects Windows Server versions from 2008 to 2022 and Windows 10/11.

- The vulnerability was initially dismissed by Microsoft but later confirmed.

- Detection methods and monitoring recommendations have been shared by researchers.
