Windows Remote Registry Client EoP Flaw Exposes Systems to Relay Attacks


A critical elevation of privilege (EoP) vulnerability, identified as CVE-2024-43532, has been discovered in the Windows Remote Registry client. This vulnerability potentially allows attackers to relay NTLM authentication and gain unauthorized access to Windows systems.

It carries a high CVSS score of 8.8 and affects all unpatched Windows versions. Akamai researcher Stiv Kupchik uncovered the vulnerability, which exploits a fallback mechanism in the WinReg client implementation.


This mechanism falls back to obsolete transport protocols, and uses them insecurely, when the SMB transport is unavailable. The flaw was responsibly disclosed to the Microsoft Security Resource Center in February 2024 and was subsequently patched in the October 2024 Patch Tuesday release.

Windows Remote Registry Client EoP Flaw

The vulnerability stems from the BaseBindToMachine function in advapi32.dll, a core component of the Windows API. When attempting to connect to a remote registry using a UNC path, the function may fall back to using insecure authentication methods if the initial SMB connection fails.


Specifically, the issue arises when:

  1. The connection falls back to alternative protocols like TCP/IP.
  2. The RpcBindingSetAuthInfoA function is called with an authentication level of RPC_C_AUTHN_LEVEL_CONNECT.
[Figure: RPC Relay Server]

This insecure configuration allows attackers to intercept and relay the client’s NTLM authentication details.

By exploiting this vulnerability, an attacker can:

  1. Intercept the NTLM authentication attempt.
  2. Relay the credentials to the Active Directory Certificate Services (ADCS).
  3. Request a user certificate for further authentication in the domain.

Stiv Kupchik said this attack chain potentially enables adversaries to escalate privileges and gain unauthorized access to sensitive systems within a Windows domain environment.

While the Remote Registry service is not enabled by default on all Windows machines, several critical Windows components and services utilize the vulnerable WinAPI functions, including:

  • AD CS (certutil and certsrv)
  • Encrypting File System (EFS)
  • Distributed File System (DFS)

These services may inadvertently expose systems to this vulnerability. To detect and mitigate it, organizations can:

  1. Use osquery to check the status of the Remote Registry service:

     SELECT display_name, status, start_type, pid FROM services WHERE name = 'RemoteRegistry';

  2. Employ YARA rules to identify binaries relying on vulnerable WinAPI functions.
  3. Implement network segmentation policies to monitor and control traffic to the RemoteRegistry service.
  4. Utilize Event Tracing for Windows (ETW) to monitor RPC traffic, focusing on the WinReg RPC interface UUID.
  5. Apply the latest Microsoft security patches to address the vulnerability.
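The following Python script is an added example, not code from the article, from Akamai or from Microsoft. It ties the ETW monitoring step above to the weak configuration described earlier (WinReg bound over a non-SMB transport with RPC_C_AUTHN_LEVEL_CONNECT): it scans RPC bind records and flags the ones matching that pattern. The records are constructed, ETW-like `key=value` lines whose field names (`ts`, `proc`, `iface`, `protseq`, `authn`, `target`) are assumptions rather than a real ETW schema; in practice they would come from a parsed trace of the Microsoft-Windows-RPC provider. The WinReg interface UUID is taken from the MS-RRP specification, not from the article, and should be checked against it.

```python
"""Flag remote-registry RPC binds that match the weak fallback configuration.

Added illustration for this article; it is not code from the article, from
Akamai, or from Microsoft. The records it scans are constructed, ETW-like
key=value lines, and their field names (ts, proc, iface, protseq, authn,
target) are assumptions, not a real ETW schema.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Interface UUID of the Windows Remote Registry protocol. The article only
# says "the WinReg RPC interface UUID"; this value is taken from the MS-RRP
# specification, not from the article, so verify it against the spec.
WINREG_INTERFACE_UUID = "338cd001-2244-31f1-aaaa-900038001003"

# RPC authentication levels (RPC_C_AUTHN_LEVEL_* constants from rpcdce.h).
RPC_C_AUTHN_LEVEL_DEFAULT = 0
RPC_C_AUTHN_LEVEL_NONE = 1
RPC_C_AUTHN_LEVEL_CONNECT = 2
RPC_C_AUTHN_LEVEL_CALL = 3
RPC_C_AUTHN_LEVEL_PKT = 4
RPC_C_AUTHN_LEVEL_PKT_INTEGRITY = 5
RPC_C_AUTHN_LEVEL_PKT_PRIVACY = 6

LEVEL_NAMES = {
    RPC_C_AUTHN_LEVEL_DEFAULT: "RPC_C_AUTHN_LEVEL_DEFAULT",
    RPC_C_AUTHN_LEVEL_NONE: "RPC_C_AUTHN_LEVEL_NONE",
    RPC_C_AUTHN_LEVEL_CONNECT: "RPC_C_AUTHN_LEVEL_CONNECT",
    RPC_C_AUTHN_LEVEL_CALL: "RPC_C_AUTHN_LEVEL_CALL",
    RPC_C_AUTHN_LEVEL_PKT: "RPC_C_AUTHN_LEVEL_PKT",
    RPC_C_AUTHN_LEVEL_PKT_INTEGRITY: "RPC_C_AUTHN_LEVEL_PKT_INTEGRITY",
    RPC_C_AUTHN_LEVEL_PKT_PRIVACY: "RPC_C_AUTHN_LEVEL_PKT_PRIVACY",
}

# Protocol sequence used when WinReg rides on SMB named pipes; anything else
# (ncacn_ip_tcp in the article's description) is the fallback transport.
SMB_PROTSEQ = "ncacn_np"


@dataclass(frozen=True)
class RpcBindEvent:
    timestamp: str
    process: str
    interface_uuid: str
    protseq: str
    authn_level: int
    target: str


def parse_event(line: str) -> Optional[RpcBindEvent]:
    """Parse one 'key=value key=value ...' record; return None if malformed."""
    try:
        fields = dict(token.split("=", 1) for token in line.split())
        return RpcBindEvent(
            timestamp=fields["ts"],
            process=fields["proc"],
            interface_uuid=fields["iface"].lower(),
            protseq=fields["protseq"].lower(),
            authn_level=int(fields["authn"]),
            target=fields["target"],
        )
    except (ValueError, KeyError):
        return None


def is_weak_winreg_bind(ev: RpcBindEvent) -> bool:
    """True when the bind matches the pattern the article describes: WinReg
    interface, non-SMB transport, and CONNECT-level (or lower) authentication.
    DEFAULT (0) is flagged conservatively, because the record does not show
    which level the default resolved to."""
    return (
        ev.interface_uuid == WINREG_INTERFACE_UUID
        and ev.protseq != SMB_PROTSEQ
        and ev.authn_level <= RPC_C_AUTHN_LEVEL_CONNECT
    )


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (process, target, protseq, level name) for each weak bind."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed record: skip it rather than abort the scan
        if is_weak_winreg_bind(ev):
            level = LEVEL_NAMES.get(ev.authn_level, str(ev.authn_level))
            findings.append((ev.process, ev.target, ev.protseq, level))
    return findings


# Constructed sample trace (not real telemetry). Only the first record is the
# weak pattern: WinReg over TCP with CONNECT-level authentication. The third
# record uses an all-zero placeholder UUID for some unrelated interface.
SAMPLE_TRACE = [
    "ts=2024-10-09T10:02:11Z proc=certutil.exe iface=338CD001-2244-31F1-AAAA-900038001003 protseq=ncacn_ip_tcp authn=2 target=dc01",
    "ts=2024-10-09T10:02:12Z proc=regedit.exe iface=338CD001-2244-31F1-AAAA-900038001003 protseq=ncacn_np authn=6 target=fs01",
    "ts=2024-10-09T10:02:13Z proc=svchost.exe iface=00000000-0000-0000-0000-000000000000 protseq=ncacn_ip_tcp authn=2 target=app01",
    "ts=2024-10-09T10:02:14Z proc=certutil.exe iface=338cd001-2244-31f1-aaaa-900038001003 protseq=ncacn_ip_tcp authn=6 target=dc02",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    for proc, target, protseq, level in scan(SAMPLE_TRACE):
        print(f"weak WinReg bind: {proc} -> {target} over {protseq} at {level}")
```

Run as a script it reports only the first sample record. The fourth record, WinReg over TCP but at RPC_C_AUTHN_LEVEL_PKT_PRIVACY, is deliberately not flagged: the fallback transport alone is not the problem the article describes, the combination with CONNECT-level authentication is, which is why the check keys on both fields rather than on the transport alone.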

This discovery highlights the ongoing challenges in securing legacy protocols and interfaces within modern operating systems.

The vulnerability underscores the importance of comprehensive network defenses and regular security audits to identify and mitigate risks associated with legacy interfaces and protocols.
