Microsoft Security Advisory (974926)

Purpose of Advisory: To clarify the actions that Microsoft is taking to extend protection of user credentials when using Integrated Windows Authentication (IWA).

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

This advisory discusses the following software.

*Windows 7 and Windows Server 2008 R2 provide Extended Protection for Authentication as a feature of the Security Support Provider Interface (SSPI). Applications running on these operating systems may still be exposed to credential relaying if either the operating system or the application is not configured to support this feature. Extended Protection for Authentication is not enabled by default.

What is the scope of the advisory? 
This security advisory provides a comprehensive view of the strategy that Microsoft applies to protect against credential relaying. It provides an overview of the updates currently available to address this issue comprehensively.

What causes this threat? 
This advisory addresses the potential for authentication relaying. These attacks take place when an attacker succeeds in obtaining authentication credentials, for instance through a man-in-the-middle attack, or by convincing a user to click on a link. This link could cause the client to access an attacker-controlled service that requests the user to authenticate using IWA.

Forms of credential relaying referred to in this advisory are:

• Credential forwarding: domain credentials that are obtained by an attacker can be used to log on to other services that the victim is known to have access to. The attacker could then acquire permissions identical to that of the victim on the target service.
• Credential reflection: domain credentials that are obtained by an attacker can be used to log back on to the victim’s machine. The attacker would then acquire permissions on that machine identical to that of the victim.

In order for these attacks to succeed, an attacker requires a user to connect to the attacker's server. This can be accomplished by attacks that involve the attacker being present on the local network, such as address resolution protocol (ARP) cache poisoning.

The impact of these attacks increases when an attacker convinces a user to connect to a server outside of the organizational boundary. Specific scenarios that may allow this to occur are as follows:

• DNS devolution, a Windows DNS client feature that allows Windows DNS clients to resolve DNS queries for single-label unqualified hostnames. A malicious user could register a specific host name outside of the organization’s boundary that, if clients are configured incorrectly, can be unintentionally contacted by a client when it devolves outside of the organizational boundary while attempting to access that host name.
• DNS spoofing, where an attacker could exploit vulnerabilities in the Windows Domain Name System (DNS), allowing spoofing. These attacks could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker’s system.
• NetBIOS Name Service (NBNS) spoofing, where the user being enticed to run a specially crafted Active code applet (for instance Java or Flash) that would initiate a query for a local hostname, and subsequently introduces spoofed NBNS responses to the client with a remote IP address. Upon connecting to this hostname, the client would consider this a local machine and attempt IWA credentials, thereby exposing these to the remote attacker;

Microsoft has released several updates to help address these scenarios and this advisory aims to summarize how customers can best assess risk and issues in their specific deployment scenario.

What is Integrated Windows Authentication (IWA)? 
With Integrated Windows Authentication (formerly called NTLM, and also known as Windows NT Challenge/Response Authentication), the user name and password (credentials) are hashed before being sent across the network. When you enable Integrated Windows Authentication, the client proves its knowledge of the password through a hashed cryptographic exchange with your Web server. Integrated Windows Authentication includes the Negotiate, Kerberos, and NTLM authentication methods.

What is a man-in-the-middle attack? 
A man-in-the-middle attack occurs when an attacker reroutes communication between two users through the attacker’s computer without the knowledge of the two communicating users. The attacker can monitor and read the traffic before sending it on to the intended recipient. Each user in the communication unknowingly sends traffic to and receives traffic from the attacker, all the while thinking that they are communicating only with the intended party.

Which actions has Microsoft taken to address DNS spoofing attacks? 
Microsoft has released the following security bulletins to address DNS spoofing attacks:

• MS08-037 addresses two vulnerabilities that could allow an attacker to spoof DNS records and insert them into the DNS server cache.
• MS09-008 addresses two vulnerabilities that could allow an attacker to spoof DNS records and insert them into the DNS server cache, and two vulnerabilities which could allow an attacker to maliciously register network infrastructure-related host names (WPAD and ISATAP) that could be used to accommodate further attacks.

Which actions has Microsoft taken to address NBNS spoofing attacks? 
Microsoft has worked with the third-party vendors that are affected by this vulnerability and they have implemented mitigation against this attack vector. This issue was addressed in Adobe Flash Player in Adobe Security Bulletin APSB08-11 and in the Sun Java Runtime Environment in Sun Alert 103079.

What is address resolution protocol (ARP) cache poisoning? 
ARP cache poisoning is an attack that consists of an attacker’s computer, present on the same subnet as the victim, sending spoofed or gratuitous ARP responses. These will usually attempt to confuse clients into believing that the attacker is the default gateway on the network, and result in the victim computer sending information to the attacker as opposed to the gateway. Such an attack may be leveraged to set up a man-in-the-middle attack.

What is Transport Layer Security (TLS)? 
The Transport Layer Security (TLS) Handshake Protocol is responsible for the authentication and key exchange necessary to establish or resume secure sessions. When establishing a secure session, the Handshake Protocol manages the following:

• Cipher suite negotiation
• Authentication of the server and optionally, the client
• Session key information exchange

For more information, see the TechNet article, How TLS/SSL works.

What versions of Windows are associated with this advisory? 
Credential forwarding and reflection affects all platforms that have the ability to perform Integrated Windows Authentication. The Extended Protection for Authentication feature is included in Windows 7 and Windows Server 2008 R2, and was made available for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008 in a non-security update released as Microsoft Security Advisory 973811. In order to fully protect authentication credentials, specific applications on these operating systems still need to opt in to the mechanism. The Extended Protection feature is not available for the Microsoft Windows 2000 operating system.

What actions has Microsoft taken to address credential reflection attacks? 
Applications are protected against credential reflection attacks if they properly utilize the Service Principal Name (SPN) when authenticating against a service.

Prior to publication of this security advisory, Microsoft had released the following security updates to ensure Windows components and Microsoft applications properly opt in to this mechanism to provide protection against credential reflection attacks:

• Microsoft Security Bulletin MS08-068 addresses reflection of credentials when connecting to an attacker’s SMB server.
• Microsoft Security Bulletin MS08-076 addresses reflection of credentials when connecting to an attacker’s Windows Media server.
• Microsoft Security Bulletin MS09-013 addresses reflection of credentials when connecting to an attacker’s Web server using the WinHTTP Application Programming Interface.
• Microsoft Security Bulletin MS09-014 addresses reflection of credentials when connecting to an attacker’s Web server using the WinINET Application Programming Interface.
• Microsoft Security Bulletin MS09-042 addresses reflection of credentials when connecting to an attacker’s telnet server.

What actions has Microsoft taken to address credential forwarding attacks? 
Some protection against credential forwarding is provided by the Windows Security Support Provider Interface (SSPI). This interface is implemented in Windows 7 and Windows Server 2008 R2, and has been made available as a non-security update for Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.

In order to be protected, additional non-security updates need to be deployed to provide the same protection for specific client- and server components and applications. This feature applies changes to authentication on both the client and server end and should be deployed carefully. More information on Extended Protection for Authentication, and the non-security updates released to implement this mechanism, can be found in Microsoft Security Advisory 973811.

How do these updates address credential forwarding attacks? 
The SSPI non-security update Microsoft Security Advisory 973811 modifies the SSPI in order to extend the current Integrated Windows Authentication (IWA) mechanism so that authentication requests can be bound to both the SPN of the server that the client attempts to connect to, as well as to the outer Transport Layer Security (TLS) channel over which the IWA authentication takes place, if such channel exists. This is a base update that does not address a security vulnerability in itself, but deploys this as an optional feature that application vendors can choose to configure.

The application-specific non-security updates modify individual system components that perform IWA authentication so that the components opt in to the protection mechanisms implemented by the layer 1 non-security update. More information on enabling Extended Protection for Authentication can be found in Microsoft Security Advisory 973811 and the corresponding Microsoft Knowledge Base Article 973811.

Which actions has Microsoft taken to address DNS devolution? 
DNS devolution can be used as an attack vector to exploit this vulnerability outside of a corporate network. Devolution is a Windows DNS client feature by which Windows DNS clients resolve DNS queries for single-label unqualified hostnames. Queries are constructed by appending the Primary DNS suffix (PDS) to the hostname. The query is retried by systematically removing the left-most label in the PDS until the hostname and remaining PDS resolves, or only two labels remain in the stripped PDS. For example, Windows clients looking for "Single-label" in the western.corp.contoso.co.us domain will progressively query Single-label.western.corp.contoso.co.us, Single-label.corp.contoso.co.us, Single-label.contoso.co.us, and then Single-label.co.us until it finds a system that resolves. This process is referred to as devolution.

An attacker could host a system with a single-label name outside of an organization's boundary and due to DNS devolution may successfully get a Windows DNS client to connect to it as though it were inside the organizational boundary. For example, if the DNS suffix of an enterprise is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of "Single-Label", the DNS resolver will try Single-Label.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve Single-label.contoso.co.us. If that is not found, it will try to resolve Single-label.co.us, which is outside of the contoso.co.us domain. This process is referred to as devolution.

As one example, if this host name is WPAD, an attacker who sets up WPAD.co.us could provide a malicious Web Proxy Auto-Discovery file to configure the client proxy settings.

Microsoft released Security Advisory 971888 and an associated update to provide organizations with more granular control over how Windows clients perform DNS devolution. This update allows an organization to prevent clients from devolving outside of the organizational boundary.

What can third-party developers do to help address credential relaying? 
Third-party developers should consider implementing Extended Protection for Authentication by opting in to this new protection mechanism described in Microsoft Security Advisory 973811.

More information on how developers can opt into this mechanism can be found in the MSDN article, Integrated Windows Authentication with Extended Protection.

What is a Service Principal Name (SPN)? 
A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. If you install multiple instances of a service on computers throughout a network, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.

• Review Microsoft Security Advisory 973811, Extended Protection for Authentication, and implement the associated updates 
  This security advisory announces the release of non-security updates that implement Extended Protection for Authentication. This feature helps protect authentication attempts against relaying attacks.
• Review Microsoft Security Advisory 971888, Update for DNS Devolution 
  This security advisory announces the release of an optional non-security update that allows system administrators to configure DNS devolution with greater specificity.
• Review the Microsoft Knowledge Base Article that is associated with this advisory 
  Customers who are interested in learning more about this security advisory should review Microsoft Knowledge Base Article 974926.
• Protect Your PC 
  We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.
• For more information about staying safe on the Internet, customers should visit Microsoft Security Central.
• Keep Windows Updated 
  All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.