October 22, 2024 at 01:33PM
Public exploit code has been released for CVE-2024-43532, a vulnerability in Microsoft’s Remote Registry client that may allow attackers to downgrade authentication security. It affects Windows server versions from 2008 to 2022 and Windows 10/11, enabling potential domain takeover through NTLM authentication relay attacks. A fix has been issued.
### Meeting Takeaways on CVE-2024-43532 Vulnerability
1. **Overview of the Vulnerability**:
– **CVE-2024-43532** is a newly disclosed vulnerability in Microsoft’s Remote Registry client that allows potential control over Windows domains by downgrading authentication security.
2. **Mechanism of the Exploit**:
– The flaw exploits a fallback mechanism in the Remote Registry client that uses outdated transport protocols when SMB transport is unavailable.
– The authentication level involved is weak and does not ensure the integrity of the connection, allowing for NTLM relay attacks.
3. **Affected Systems**:
– This vulnerability impacts all versions of Windows Server from 2008 to 2022, as well as Windows 10 and Windows 11.
4. **Potential Consequences**:
– An attacker can authenticate to a server and create new domain administrator accounts by intercepting and relaying the NTLM authentication handshake to services like Active Directory Certificate Services (ADCS), potentially leading to domain takeover.
5. **Timeline of Discovery and Disclosure**:
– Discovered by Akamai researcher **Stiv Kupchik** on February 1; reported to Microsoft who initially dismissed it as a documentation issue.
– Report was resubmitted with further details on June 25, confirmed by Microsoft on July 8, and a fix was released three months later.
6. **Public Proof-of-Concept (PoC)**:
– A working PoC for the vulnerability has been shared, including details on setting up a relay server and obtaining user certificates.
7. **Additional Insights from Akamai**:
– Akamai’s report provides methods to check if the Remote Registry service is active and YARA rules for detecting vulnerable systems.
– It is recommended to utilize Event Tracing for Windows (ETW) to monitor specific RPC calls related to the WinReg RPC interface.
8. **Related Threat Landscape**:
– NTLM relay attacks have been utilized in the past by threat actors such as the LockFile ransomware gang.
9. **Related Articles**:
– Mention of other vulnerabilities and exploits that are currently under scrutiny or have been exploited, indicating a broader security concern across various systems.
This summary serves to highlight the critical takeaways regarding CVE-2024-43532, its implications, and recommended remediation steps for impacted systems.