Microsoft issued an update yesterday to resolve two vulnerabilities in Windows that an attacker could use to authenticate to and run code on remote systems.
TL;DR: Install the updates for CVE-2019-1019 and CVE-2019-1040 and follow the recommended guidelines in Preempt’s blog post:
If attackers exploited these issues, what would the result be?
Preempt responsibly disclosed to Microsoft two vulnerabilities arising from three logic flaws in NTLM. Following earlier disclosures, Microsoft had added the Message Integrity Code (MIC) field, designed to guarantee that attackers cannot tamper with NTLM messages in any way. Preempt bypassed this protection, allowing them to modify NTLM authentication fields and weaken security.
Next, Server Message Block (SMB) Session Signing was bypassed by Preempt, allowing attackers to relay NTLM authentication messages and establish SMB and DCE/RPC sessions. Enhanced Protection for Authentication (EPA) was also bypassed, allowing the altering of “NTLM messages to generate legitimate channel binding information.” Finally, their bypasses could allow “attackers to relay NTLM authentication requests to any server in the domain, including domain controllers, while establishing a signed session to perform remote code execution.” This could potentially lead to the entire Active Directory domain being compromised by moving laterally from system to system.
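As an added example (not from the original post or from Preempt), the PowerShell below audits whether the two protections named above, SMB signing and LDAP signing/channel binding (EPA), are actually enforced on the local host. It reads Microsoft's documented registry settings; the DC-only NTDS checks are skipped on member machines, and it does not check whether the CVE-2019-1019/CVE-2019-1040 updates themselves are installed.

```powershell
# Added example: audit whether SMB signing and LDAP signing / channel binding
# (EPA) are enforced on this host. Run from an elevated PowerShell session.
# An absent value means the default applies, which for these keys is the weak
# setting, so it is reported as WEAK.

function Get-RegDword {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

$checks = @(
    @{ Name = 'SMB server: signing required';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';
       Key  = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client: signing required';
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';
       Key  = 'RequireSecuritySignature'; Expected = 1 }
)

# Domain controllers also expose the LDAP side of the relay surface.
# DomainRole 4 = backup DC, 5 = primary DC.
$isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
if ($isDc) {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $checks += @{ Name = 'LDAP server: signing required'; Path = $ntds;
                  Key = 'LDAPServerIntegrity'; Expected = 2 }   # 2 = require signing
    $checks += @{ Name = 'LDAP server: channel binding (EPA) always'; Path = $ntds;
                  Key = 'LdapEnforceChannelBinding'; Expected = 2 }   # 2 = always enforce
}

$results = foreach ($c in $checks) {
    $actual = Get-RegDword -Path $c.Path -Name $c.Key
    [pscustomobject]@{
        Check    = $c.Name
        Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
        Expected = $c.Expected
        Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'WEAK' }
    }
}

$results | Format-Table -AutoSize
```

Any row reporting WEAK is a host on which a relayed NTLM authentication of the kind described above would still be accepted without signing or channel binding.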
Moreover, Preempt’s blog post provides the necessary recommendations to fully mitigate these issues.
For reference I have linked to how to enable the following mitigations: