Your IT and security admins need to be aware of these unpatched Microsoft vulnerabilities so that they can mitigate them in other ways.

You are fully patched. You are fully secure, right? Well, not so fast. Several Microsoft issues may or may not receive a patch, and some are configuration issues that cannot be patched at all. On GitHub, Christoph Falta started the "won't fix" list of security issues that Microsoft has either not yet patched, won't patch, or that need manual adjustment to fix. Here's a review of the issues on the list:

1. SpoolSample

As Falta indicates, "SpoolSample abuses a functionality of the MS-RPRN (the print system remote protocol) to coerce target A to authenticate to a destination of the attacker's choosing (target B). This destination usually is another host running an NTLM relay tool (like ntlmrelayx or inveigh), which in turn relays the target A to the final target, target C".

The attack was first presented at DerbyCon 2018 by Lee Christensen, Will Schroeder and Matt Nelson in the talk "The Unintended Risks of Trusting Active Directory". As Sean Metcalf pointed out in his blog, if you have an account configured for unconstrained delegation and the Print Spooler service is running on a computer, any domain user can coerce that computer into authenticating to the host with unconstrained delegation, which then holds the computer account's credentials (its forwardable Kerberos ticket). If the coerced computer is a domain controller, that is effectively a domain compromise. A similar issue was blogged in May 2020 as PrintSpoofer, and a recent post on "Workstation Takeover" uses a similar process. You'll note that many of the known attack sequences that combine some sort of print spooler process with Active Directory have not only been around for years, but are also seeing new interest as a result of recent print spooler vulnerabilities.

2. PetitPotam attack

The PetitPotam attack is used to perform a classic NTLM relay attack: like SpoolSample, it coerces a target (this time through the MS-EFSRPC interface rather than the print spooler) into authenticating to an attacker-controlled host, and the NTLM authentication is then relayed onward.
You are potentially vulnerable to this attack if you are using Active Directory Certificate Services (AD CS) with Certificate Authority Web Enrollment or Certificate Enrollment Web Service. Microsoft recommends that you enable Extended Protection for Authentication (EPA) on those web endpoints and SMB signing on servers, so that relayed authentication is rejected. Microsoft has also sent out an advisory telling system administrators to stop using the now-deprecated Windows NT LAN Manager (NTLM) altogether to thwart the attack. Therein lies the rub: you may find that you still depend on NTLM inside your office for a key application. Testing is key to selecting the proper mitigation.

3. ADCS – ESC8

Another attack sequence that targets AD CS starts with its web enrollment interface, which accepts NTLM authentication by default and does not enforce relay mitigations. Referred to as ADCS – ESC8, a full analysis of the potential for attacks will be presented at Black Hat by Will Schroeder and Lee Christensen of SpecterOps. The current attack sequence allows an attacker to relay a victim's authentication to the web interface and request a certificate in the name of the relayed account, which can then be used to authenticate as that account. Once again, it is NTLM in your network that is abused to take over your domain.

4. RemotePotato0

The next potential attack is a privilege escalation from user to domain admin. As noted, RemotePotato0 abuses the DCOM activation service to trigger an NTLM authentication from any user currently logged on to the target machine. It requires that a privileged user (e.g., a domain admin) is logged on to the same machine. Microsoft has stated that it won't fix the issue, so it is up to us to decide which mitigations to take.

5. PrintNightmare

PrintNightmare was partially fixed in the July monthly update, but it still causes concern as indicative of the problems with the print spooler service that still need to be addressed. In this case, an attacker can introduce a malicious DLL that the print spooler service loads, giving the attacker more control of the computer or network.
It can be used for remote code execution as well as privilege escalation.

The only real mitigation for this and any other future print spooler vulnerability is to disable the Print Spooler service. That is not reasonable for the majority of us who need to print, but for domain controllers it is the recommended setting. Security researcher Benjamin Delpy recently made the point with an internet-accessible print server: a Windows client that adds a printer from it installs a driver that hands the user SYSTEM privileges.

There are several other ways to block print spooler-based attacks. It is recommended to block RPC and SMB traffic at your boundary by blocking outbound port 135 (RPC endpoint mapper) and ports 139/445 (SMB). In addition, use Group Policy to limit the print servers from which drivers may be installed, or block them completely, with the "Package Point and print – Approved servers" setting.

6. SeriousSAM

Last but not least is the improper-permissions issue called SeriousSAM. Microsoft is expected to fix this vulnerability, which is due to overly permissive access control lists on the registry hive files in Windows 10 versions since 1809. It was discovered when a researcher found the incorrect settings on Windows 11 and then realized they were also present on Windows 10. It allows ordinary users (and therefore attackers) to read the SAM hive, which holds the local account password hashes. While the computer is running, the live SAM file is locked and cannot be read; if a Volume Shadow Copy (VSS) snapshot of the volume exists, however, the hive can be read from the shadow copy. Review your network to see how affected you are: some deployments were found to be hardly affected at all.

These issues point out the importance of your security teams being aware of issues that are not patched. A good way for them to stay up to date is to follow relevant discussions on Twitter and other forums. Bottom line: your network can't be protected by patching alone. Be as aware of what is going on outside your network as you are of what's going on inside it.
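The SpoolSample precondition from section 1 (unconstrained delegation plus a running Print Spooler) and the print spooler mitigations from section 5 can be audited and applied from PowerShell. The script below is an added example written for this page, not code from Falta's list or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, WinRM access to the domain controllers, and the registry layout noted in the comments for the "Package Point and print – Approved servers" policy; the print server names are placeholders.

```powershell
# Added example (not from the article, Falta's list or Microsoft): audit the
# conditions behind SpoolSample and apply the PrintNightmare mitigations the
# article lists. Run from an elevated Windows PowerShell 5.1 session on a
# domain-joined admin host with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

# 1. Accounts with unconstrained delegation receive a forwardable TGT from
#    anything coerced into authenticating to them. Domain controllers carry
#    the flag by design (primaryGroupID 516 = Domain Controllers), so report
#    everything else.
$unconstrained = @(
    Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties PrimaryGroupID |
        Where-Object { $_.PrimaryGroupID -ne 516 }
    Get-ADUser -Filter 'TrustedForDelegation -eq $true'
)
foreach ($acct in $unconstrained) {
    Write-Warning "Unconstrained delegation: $($acct.DistinguishedName)"
}

# 2. MS-RPRN coercion and PrintNightmare both need a running Print Spooler on
#    the victim, so check every DC. CIM over WinRM also works from PowerShell 7,
#    unlike Get-Service -ComputerName.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    try {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'" `
                               -ComputerName $dc -ErrorAction Stop
        "$dc : Spooler $($svc.State), start mode $($svc.StartMode)"
    } catch {
        Write-Warning "$dc : could not query Spooler ($($_.Exception.Message))"
    }
}

# 3. Microsoft's guidance for servers that do not need to print (DCs above
#    all): stop and disable the service. Runs on each DC over WinRM; remove
#    the comment on the Invoke-Command line to actually apply it.
$disableSpooler = {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}
# Invoke-Command -ComputerName $dcs -ScriptBlock $disableSpooler

# 4. Where printing must stay, limit driver installation to trusted print
#    servers. These registry values are what the "Package Point and print -
#    Approved servers" policy writes (assumed from Printing.admx; confirm in
#    your GPO editor). The server names are placeholders.
$ppp      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint'
$approved = 'print1.corp.example', 'print2.corp.example'
New-Item -Path "$ppp\ListofServers" -Force | Out-Null
Set-ItemProperty -Path $ppp -Name PackagePointAndPrintServerList -Type DWord -Value 1
foreach ($srv in $approved) {
    Set-ItemProperty -Path "$ppp\ListofServers" -Name $srv -Type String -Value $srv
}
```

Step 4 writes the policy keys directly, which Group Policy will overwrite on its next refresh; in production, set the same values through a GPO linked to the workstation OU rather than on each host.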
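For PetitPotam (section 2) and ESC8 (section 3) the relay target is the AD CS web enrollment interface, so the mitigation is applied on the CA's IIS site. The function below is an added example, not Microsoft's or SpecterOps' code: it reports the Extended Protection, SSL and authentication-provider settings of each enrollment application and, with -Apply, sets EPA to Require, requires SSL and removes the NTLM provider. It assumes the WebAdministration module on the CA, the site name 'Default Web Site', and the application names passed in -Apps (the Certificate Enrollment Web Service application is normally named '<CAName>_CES_Kerberos', so adjust it for your CA). The IIS configuration paths used are those of IIS's windowsAuthentication and access sections as the author understands them; verify against your applicationHost.config.

```powershell
# Added example (not from the article or Microsoft's KB): audit and harden the
# AD CS web endpoints that PetitPotam and ESC8 relay NTLM authentication to.
# Run in an elevated Windows PowerShell session on the CA / enrollment server.
Import-Module WebAdministration

function Test-AdcsWebAuth {
    param(
        [string]   $Site = 'Default Web Site',
        # Web Enrollment is 'CertSrv'; add the CES app, e.g. 'CORP-CA_CES_Kerberos'.
        [string[]] $Apps = @('CertSrv'),
        [switch]   $Apply
    )
    $auth = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($app in $Apps) {
        $path = "IIS:\Sites\$Site\$app"
        if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }

        if ($Apply) {
            # EPA ties the NTLM handshake to the TLS channel, so a relayed
            # handshake (captured on a different channel) is rejected.
            Set-WebConfigurationProperty -PSPath $path -Filter "$auth/extendedProtection" `
                -Name tokenChecking -Value 'Require'
            # EPA only works over TLS: require SSL on the application.
            Set-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' `
                -Name sslFlags -Value 'Ssl'
            # Go further, as Microsoft advises, and drop NTLM: leave only Kerberos.
            foreach ($p in 'NTLM', 'Negotiate') {
                Remove-WebConfigurationProperty -PSPath $path -Filter "$auth/providers" `
                    -Name '.' -AtElement @{ value = $p } -ErrorAction SilentlyContinue
            }
            Add-WebConfigurationProperty -PSPath $path -Filter "$auth/providers" `
                -Name '.' -Value @{ value = 'Negotiate:Kerberos' } -ErrorAction SilentlyContinue
            # Note: the CES application is a WCF service and additionally needs
            # extendedProtectionPolicy set in its own web.config (not done here).
        }

        # Read back the effective state for this application.
        $epa  = (Get-WebConfiguration -PSPath $path -Filter "$auth/extendedProtection").tokenChecking
        $ssl  = (Get-WebConfiguration -PSPath $path -Filter 'system.webServer/security/access').sslFlags
        $prov = @(Get-WebConfiguration -PSPath $path -Filter "$auth/providers/add" | ForEach-Object value)
        $ntlm = @($prov | Where-Object { $_ -eq 'NTLM' -or $_ -eq 'Negotiate' })

        [pscustomobject]@{
            Application = $app
            EPA         = $epa                      # None / Allow / Require
            RequireSSL  = ([string]$ssl -match 'Ssl')
            Providers   = ($prov -join ',')
            Hardened    = ($epa -eq 'Require' -and [string]$ssl -match 'Ssl' -and $ntlm.Count -eq 0)
        }
    }
}

# Audit only:
Test-AdcsWebAuth -Apps 'CertSrv' | Format-Table -AutoSize
# Harden (after testing that every enrolling client can do Kerberos to the CA):
# Test-AdcsWebAuth -Apps 'CertSrv', 'CORP-CA_CES_Kerberos' -Apply
```

Removing the NTLM provider is the step the article warns about: clients that cannot obtain a Kerberos ticket for the CA's HTTP service (wrong SPN, non-domain hosts, IP-address URLs) will stop enrolling, so run the audit-only form first and test enrollment before using -Apply.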
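For SeriousSAM (section 6) the question on each host is whether the hive files are readable by ordinary users and whether a shadow copy exists that exposes them. The function below is an added example, not Microsoft's workaround script: it reports both conditions and, with -Remediate, applies the two steps Microsoft documented (restore ACL inheritance on the hive files and delete existing shadow copies). It assumes the hive files live under %windir%\System32\config and that vssadmin is available; deleting shadow copies also discards System Restore points, so weigh that before using the switch.

```powershell
# Added example (not from the article): detect and mitigate the SeriousSAM
# condition on the local host. Run from an elevated PowerShell session.
function Get-ExposedHives {
    # Return the hive files whose DACL grants BUILTIN\Users read access.
    param([string[]] $Hives)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($hive in $Hives) {
        # Get-Acl only needs READ_CONTROL, so it works on the locked live hive.
        $acl = Get-Acl -Path $hive
        $usersRead = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'BUILTIN\Users' -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $readData) -ne 0)
        }
        if ($usersRead) { $hive }
    }
}

function Test-SeriousSam {
    param([switch] $Remediate)
    $configDir = Join-Path $env:windir 'System32\config'
    $hives     = 'SAM', 'SECURITY', 'SYSTEM' | ForEach-Object { Join-Path $configDir $_ }

    $before  = @(Get-ExposedHives -Hives $hives)
    $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

    if ($Remediate) {
        # 1. Re-enable inheritance so the hive files pick up the parent
        #    directory's Administrators/SYSTEM-only entries again.
        icacls (Join-Path $configDir '*.*') /inheritance:e | Out-Null
        # 2. Shadow copies taken before the fix still contain readable hives.
        if ($shadows.Count -gt 0) {
            vssadmin delete shadows /all /quiet | Out-Null
            $shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)
        }
    }
    $after = @(Get-ExposedHives -Hives $hives)

    [pscustomobject]@{
        ExposedBefore = $before
        ExposedNow    = $after
        ShadowCopies  = $shadows.Count
        # Readable hive + a shadow copy to read it from = exploitable as a normal user.
        Exploitable   = ($after.Count -gt 0 -and $shadows.Count -gt 0)
    }
}

# Audit:
Test-SeriousSam | Format-List
# Fix (deletes restore points):
# Test-SeriousSam -Remediate | Format-List
```

A host that reports exposed hives but no shadow copies is still worth fixing: the next System Restore point, backup or Windows update can create a shadow copy and turn the misconfiguration into a working privilege escalation.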