Aorato Uncovers Critical Microsoft Active Directory Vulnerability
Microsoft claims the issue is well-known and has already provided information on how to limit the risk.

A vulnerability in Microsoft's Active Directory could enable an attacker to change user passwords without detection, according to a new report from security firm Aorato. The flaw could potentially leave millions of users at risk, though Microsoft claims the issue is not new and there are best practices to limit risk. Active Directory is widely used in enterprises around the world as a technology that provides access and authentication.

"When you change the user's password, it is the holy grail of authentication since the attacker gets full control over the victim's identity," Tal Be'ery, vice president of research at Aorato, told eWEEK. "This is why the vulnerability that we have discovered that enables an attacker to change the Active Directory password is so important."

The fundamental vulnerability in Active Directory is that the authentication mechanism can be downgraded from Kerberos to the less secure Windows NT LAN Manager (NTLM), Be'ery said. There are well-known techniques for stealing NTLM-based authentication credentials, he said, including one known as "Pass-the-Hash," which Microsoft has warned about for years.
Be'ery said that all modern versions of Active Directory have some backward-compatibility options that could enable an attacker to force the end user to authenticate over NTLM instead of the more secure Kerberos authentication method. With NTLM, the attacker is able to change the user's password to a new one without knowing the user's previous password, he added.
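The pattern Be'ery describes, an NTLM authentication for an account followed shortly by a password change for that same account, is something a defender can look for in Windows Security event logs. The script below is an added illustration, not code from the article, Aorato or Microsoft. It runs detection logic over a handful of constructed event records shaped like Windows Security log entries (event 4624 with AuthenticationPackageName NTLM or event 4776 for the NTLM logon, events 4723 and 4724 for a password change or reset) and reports accounts where the change follows an NTLM logon within a configurable window. The field names, the 30-minute window and the sample records are assumptions made for the example.

```python
"""Flag password changes that follow an NTLM logon of the same account.

Added example, not from the article or from Aorato/Microsoft. The records
below are constructed to look like Windows Security log entries; the field
names (time, id, account, auth_pkg, logon_type, src) are an assumption about
how the events have been parsed out of the log.
"""
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Times are ISO 8601 strings.
SAMPLE_EVENTS = [
    # alice: Kerberos logon, then a password change -> normal, not flagged
    {"time": "2014-07-15T09:00:00", "id": 4624, "account": "alice",
     "auth_pkg": "Kerberos", "logon_type": 3, "src": "10.0.0.5"},
    {"time": "2014-07-15T09:01:00", "id": 4723, "account": "alice",
     "auth_pkg": None, "logon_type": None, "src": "10.0.0.5"},
    # bob: NTLM network logon, password changed two minutes later -> flagged
    {"time": "2014-07-15T09:10:00", "id": 4624, "account": "bob",
     "auth_pkg": "NTLM", "logon_type": 3, "src": "10.0.0.99"},
    {"time": "2014-07-15T09:12:00", "id": 4723, "account": "bob",
     "auth_pkg": None, "logon_type": None, "src": "10.0.0.99"},
    # carol: NTLM validation on the DC (4776), change three hours later
    # -> outside the correlation window, not flagged
    {"time": "2014-07-15T10:00:00", "id": 4776, "account": "carol",
     "auth_pkg": "NTLM", "logon_type": None, "src": "10.0.0.42"},
    {"time": "2014-07-15T13:00:00", "id": 4723, "account": "carol",
     "auth_pkg": None, "logon_type": None, "src": "10.0.0.42"},
]

PASSWORD_CHANGE_IDS = {4723, 4724}   # 4723 = change, 4724 = reset


def is_ntlm_logon(ev):
    """4776 is only ever an NTLM credential validation on the DC;
    4624 names the package, so check it explicitly."""
    if ev["id"] == 4776:
        return True
    return ev["id"] == 4624 and ev["auth_pkg"] == "NTLM"


def find_ntlm_password_changes(events, window=timedelta(minutes=30)):
    """Return (account, ntlm_logon_time, change_time, src) tuples for every
    password change or reset that follows an NTLM logon of the same account
    within `window`. Changes made after a Kerberos logon are not reported."""
    events = sorted(events, key=lambda e: e["time"])
    last_ntlm = {}   # account -> (datetime, event) of most recent NTLM logon
    hits = []
    for ev in events:
        t = datetime.fromisoformat(ev["time"])
        if is_ntlm_logon(ev):
            last_ntlm[ev["account"]] = (t, ev)
        elif ev["id"] in PASSWORD_CHANGE_IDS:
            prior = last_ntlm.get(ev["account"])
            if prior is not None and t - prior[0] <= window:
                hits.append((ev["account"], prior[1]["time"],
                             ev["time"], ev["src"]))
    return hits


if __name__ == "__main__":
    for hit in find_ntlm_password_changes(SAMPLE_EVENTS):
        print("NTLM logon followed by password change:", hit)
```

Two caveats when applying this to real logs: NTLM on its own is not malicious, since plenty of legitimate clients still use it, so the rule is only useful on top of a per-account baseline of which accounts normally authenticate with Kerberos; and event 4723/4724 records both the subject that performed the change and the target account, so a production rule should correlate on the source address and subject as well, not only on the target account as this example does.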