A vulnerability in Microsoft's Active Directory could enable an attacker to change user passwords without detection, according to a new report from security firm Aorato. The flaw could potentially leave millions of users at risk, though Microsoft claims the issue is not new and there are best practices to limit risk.
Active Directory is widely used in enterprises around the world as a technology that provides access and authentication.
"When you change the user's password, it is the holy grail of authentication since the attacker gets full control over the victim's identity," Tal Be'ery, vice president of research at Aorato told eWEEK. "This is why the vulnerability that we have discovered that enables an attacker to change the Active Directory password is so important."
The fundamental weakness, Be'ery said, is that authentication can be downgraded from Kerberos to the older and less secure Windows NT LAN Manager (NTLM) protocol. There are well-known techniques for stealing NTLM-based credentials, he said, including "Pass-the-Hash," which Microsoft has warned about for years.
Be'ery said that all modern versions of Active Directory have some backward-compatibility options that could enable an attacker to force the end user to authenticate over NTLM instead of the more secure Kerberos authentication method. With NTLM, the attacker is able to change the user's password to a new one without knowing the user's previous password, he added.
Aorato informed Microsoft of the issue and also provided the company with the proof-of-concept tool used to trigger the vulnerability, according to Be'ery. Microsoft, however, doesn't consider the Aorato-reported issue a new vulnerability.
"This is a well-known industry limitation in the Kerberos Network Authentication Service (V5) standard (RFC 4120)," Microsoft said in a statement emailed to eWEEK. "Information on how to manage this limitation when using Windows is available at: Preventing Kerberos change password using RC4 secret keys."
Be'ery emphasized that Aorato doesn't have any argument with Microsoft over the Active Directory authentication vulnerability.
"They have agreed on the facts," Be'ery said. "They claim it is a by-design flaw, but it is still a flaw that needs to be fixed."
Going a step further, Be'ery noted that Windows log files would not typically help an enterprise identify that an attacker had downgraded Active Directory authentication and changed a user's password.
Be'ery suggested that organizations consider directly monitoring their network traffic, since logs are only a summary.
"If you are directly monitoring traffic to Active Directory information, you can see the abnormal change that the user is downgrading their encryption level," he said.
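The per-user downgrade detection Be'ery describes, as an added example that is not part of the article or of Aorato's tooling. It runs over constructed records shaped like what a traffic monitor in front of a domain controller might emit; the record fields, the `setpw` operation name and the sample values are assumptions, while the Kerberos etype numbers are the IANA-assigned ones.

```python
from collections import defaultdict

# Strength ranking. Kerberos etype numbers are the IANA-assigned values
# (AES256-CTS=18, AES128-CTS=17, RC4-HMAC=23); NTLM is not Kerberos at all
# and ranks below every Kerberos etype. Unlisted etypes rank 0.
ETYPE_NAMES = {18: "kerberos:aes256", 17: "kerberos:aes128", 23: "kerberos:rc4"}
STRENGTH = {"kerberos:aes256": 4, "kerberos:aes128": 3, "kerberos:rc4": 2, "ntlm": 1}
WEAK_FOR_PASSWORD_CHANGE = {"kerberos:rc4", "ntlm"}

def mechanism(rec):
    """Map one record to a STRENGTH key ('kerberos:unknown' for unlisted etypes)."""
    if rec["proto"] == "ntlm":
        return "ntlm"
    return ETYPE_NAMES.get(rec["etype"], "kerberos:unknown")

def find_downgrades(records, min_baseline=3):
    """Return one alert per suspicious record, in input order.

    Rule 1 (downgrade): the user authenticates with a mechanism weaker than the
    strongest one already observed for them, once at least `min_baseline`
    earlier records exist (so a legacy host that always uses RC4 stays quiet).
    Rule 2 (weak password change): a password-change operation is carried over
    RC4 or NTLM, whatever the user's history.
    """
    best, count, alerts = {}, defaultdict(int), []
    for rec in records:
        user, mech = rec["user"], mechanism(rec)
        strength = STRENGTH.get(mech, 0)
        reasons = []
        if count[user] >= min_baseline and strength < best.get(user, 0):
            reasons.append("downgrade")
        if rec["op"] == "setpw" and mech in WEAK_FOR_PASSWORD_CHANGE:
            reasons.append("weak-password-change")
        if reasons:
            alerts.append({"ts": rec["ts"], "user": user, "src": rec["src"],
                           "mech": mech, "reasons": reasons})
        count[user] += 1
        best[user] = max(best.get(user, 0), strength)
    return alerts

# Constructed sample records (hypothetical users, hosts and times).
SAMPLE = [
    {"ts": "08:01", "user": "alice", "src": "10.0.0.21", "proto": "kerberos", "etype": 18, "op": "logon"},
    {"ts": "08:05", "user": "alice", "src": "10.0.0.21", "proto": "kerberos", "etype": 18, "op": "logon"},
    {"ts": "09:12", "user": "alice", "src": "10.0.0.21", "proto": "kerberos", "etype": 18, "op": "logon"},
    {"ts": "09:15", "user": "bob", "src": "10.0.0.33", "proto": "kerberos", "etype": 23, "op": "logon"},
    {"ts": "11:40", "user": "alice", "src": "10.0.0.99", "proto": "ntlm", "etype": None, "op": "logon"},
    {"ts": "11:41", "user": "alice", "src": "10.0.0.99", "proto": "kerberos", "etype": 23, "op": "setpw"},
]

if __name__ == "__main__":
    for alert in find_downgrades(SAMPLE):
        print(alert)
```

Bob's lone RC4 logon produces no alert because he has no stronger baseline, while Alice's NTLM logon and her RC4 password change from a new host are both flagged.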
In the final analysis though, Be'ery wants to see Microsoft do more to limit the risk for users.
"I hope that down the road, Microsoft will add some controls that will enable system administrators to restrict the use of older authentication protocols and encryption," he said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.