A new vulnerability has been identified which could compromise the security of Windows users. The vulnerability discussed in this Cybersecurity Threat Advisory, known as “forced authentication,” gives an attacker access to a user’s NT LAN Manager (NTLM) tokens by tricking the victim into opening specially crafted Microsoft Access files.
What is the threat?
The forced authentication attack takes advantage of a feature in the database management system that allows users to link tables to external data sources. Threat actors can abuse this feature to leak a user's NTLM tokens to any attacker-controlled server, via any TCP port. When the file is opened and the linked table is clicked, the victim's client automatically contacts the attacker-controlled server for authentication. This allows the attacker to launch an authentication process with a targeted NTLM server located in the victim's organization.
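As an added, illustrative detection example (not part of the original advisory), the Python below triages constructed Sysmon-style network-connection records and flags outbound connections initiated by Microsoft Access, or another Office process, to hosts outside assumed corporate address ranges. It deliberately does not filter on port 445, because the forced-authentication request described above can be sent to any TCP port. The field names mirror Sysmon Event ID 3; the sample values, the internal ranges and the process list are assumptions.

```python
"""Flag Access/Office-originated outbound connections that could be forced
NTLM authentication attempts. Example code added to this advisory; the
events below are constructed, not real telemetry."""
import ipaddress
import re

# Constructed sample events in a minimal key=value export of Sysmon Event ID 3.
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.EXE "
    "DestinationIp=10.20.30.40 DestinationPort=1433 Initiated=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.EXE "
    "DestinationIp=203.0.113.7 DestinationPort=8080 Initiated=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\MSACCESS.EXE "
    "DestinationIp=198.51.100.9 DestinationPort=445 Initiated=true",
    "Image=C:\\Windows\\System32\\svchost.exe "
    "DestinationIp=203.0.113.7 DestinationPort=443 Initiated=true",
]

# Assumed corporate ranges; a real deployment loads these from inventory.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed list of Office executables that can be made to follow a linked source.
OFFICE_IMAGES = ("msaccess.exe", "winword.exe", "excel.exe", "outlook.exe")

# key=value pairs; a value runs until the next " key=" token or end of line,
# so paths containing spaces (e.g. "Program Files") parse as one value.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def is_internal(ip_text):
    """True when the address parses and falls inside an assumed corporate range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def find_suspicious(lines):
    """Return alert dicts for Office-initiated connections to non-corporate hosts.

    No port filter is applied on purpose: the leaked authentication can
    travel over any TCP port, so 445-only rules miss it."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("Image", "").lower().rsplit("\\", 1)[-1]
        if image not in OFFICE_IMAGES or ev.get("Initiated") != "true":
            continue
        dst = ev.get("DestinationIp", "")
        if is_internal(dst):
            continue
        alerts.append({
            "image": image,
            "dst": dst,
            "port": int(ev.get("DestinationPort", "0")),
            "reason": "Office process initiated a connection to a non-corporate host",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert)
```

The range check alone will not flag an attacker-controlled host that already sits inside the corporate address space, which the advisory notes is where the relayed authentication ultimately lands; in practice, pair this rule with an allowlist of the linked data sources your Access databases are expected to reach.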
Why is it noteworthy?
Any common Office file type, such as “.accdb,” “.mdb,” or “.rtf,” can be used to launch the attack. To execute the attack, threat actors set up their own server and supply its IP address in the linked data source, tricking the victim's client into authenticating to that server; the captured authentication can then be relayed to a server in the same organization as the victim.
What is the exposure or risk?
The forced authentication vulnerability can be hidden in any file type, increasing the likelihood of compromise. Any user who has Microsoft Access is likely at risk. NTLM is a “challenge-response” authentication protocol used to authenticate users when they sign in. Over the years it has been found vulnerable to several attacks, including brute-force, pass-the-hash, and relay attacks.
What are the recommendations?
Barracuda MSP recommends the following actions to limit the impact of forced authentication:
- Update your Microsoft Office/Access to the latest version.
- If using Office 2010, Office 2013, Office 2016, Office 2019, or Office 365, third-party vendors have released unofficial fixes for these products. These can keep users secure from potential exploitation until an official patch is deployed.
For more in-depth information on the recommendations, please visit the following links:
- New Vulnerability Exploits Microsoft Access to Leak Windows User Data (isp.page)
- Hackers Can Exploit ‘Forced Authentication’ to Steal Windows NTLM Tokens (thehackernews.com)
- 0patch Blog: Free Micropatches For Microsoft Access Forced Authentication Through Firewall (0day)
If you have any questions about this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.