Critical Windows RPC Flaw Enables NTLM Relay Attacks
Akamai has discovered a vulnerability in the MS-RPC client, enabling an NTLM Relay attack. RPC serves as a critical component of Windows, supporting numerous services. Despite security measures being in place, certain components remain susceptible to exploitation.
The privilege escalation issue CVE-2024-43532 (CVSS score: 8.8) arises from the use of legacy transport protocols in the failover mechanism of the WinReg client. If the SMB protocol becomes unavailable, the system switches to insecure transport protocols, allowing attackers to execute an NTLM Relay attack by relaying authentication data.
Exploiting this vulnerability allows the interception of NTLM client authentication data and its redirection to Active Directory Certificate Services (ADCS), enabling attackers to request a user certificate for further domain authentication. This can result in the creation of new privileged domain-level accounts, granting long-term control over the system.
The vulnerability affects all versions of Windows that have not applied the relevant update. Microsoft addressed the issue in October 2024 as part of Patch Tuesday, following responsible disclosure by researchers in February 2024.
The issue is tied to the BaseBindToMachine function in advapi32.dll. In certain instances, the function employs an insecure authentication level, RPC_C_AUTHN_LEVEL_CONNECT, which allows attackers to carry out a Machine-in-the-Middle attack. When the primary SMB transport is unavailable, the client switches to TCP/IP and other protocols, exposing the system to data interception and subsequent attack.
Attackers can utilize tools such as ntlmrelayx to intercept and relay authentication data. This vulnerability, in particular, enables interaction with ADCS, the requesting of certificates, and their subsequent use for domain authentication.
As a mitigation measure, it is recommended to immediately apply the October Microsoft update and conduct an audit of Remote Registry usage across the network. YARA rules can be employed to identify vulnerable clients by tracking calls to RegConnectRegistry from advapi32.dll.
Additionally, experts advise disabling the Remote Registry service if it is not in use and configuring segmentation rules for traffic directed at this service. Monitoring RPC traffic using Event Tracing for Windows (ETW) can also assist in detecting suspicious activity and preventing attacks.
