2019年6月12日,金山云安全應急響應中心監(jiān)控到微軟發(fā)布了編號為cve-2019-1040的漏洞補丁��, 該漏洞允許攻擊者在域控環(huán)境下遠程控制Windows域內的任何機器����,危害較大, 建議用戶及時安裝系統(tǒng)更新�����,避免被黑客攻擊�。
漏洞編號:
CVE-2019-7304
漏洞名稱:
微軟域認證漏洞
漏洞危害等級:
高危
漏洞描述:
微軟Windows域認證機制中存在漏洞,攻擊者作為中間人, 在NTLM認證時�����, 可以將NTLM數(shù)據包中的驗證標志位修改為不進行驗證���,從而繞過服務器端的驗證功能���,成功利用此漏洞的攻擊者可以獲得降級NTLM安全功能的能力。
影響版本:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
修復方案:
1. 執(zhí)行修補程序:確保為工作站和服務器打上了所需的補丁��,要注意��,單獨的補丁是不夠的�,公司還需要進行配置更改,以便得到完全的保護���。
2. 配置更改:
a) 強制SMB簽名:為了防止攻擊者發(fā)起更簡單的NTLM RELAY攻擊��,請務必在網絡中的所有計算機上啟用 SMB 簽名���。
b) 禁用NTLMv1:該版本相當不安全�,建議通過適當?shù)慕M策略來完全禁用。
c) 強制LDAP/S簽名:為了防止LDAP中的NTLM RELAY攻擊��,在域控制器上強制LDAP簽名和LDAPS通道綁定。
d) 強制實施EPA:為了防止NTLM在web服務器上被黑客用來發(fā)動中繼攻擊���,強制所有web服務器(OWA�����、ADFS)只接受EPA的請求���。
e) 減少NTLM的使用:因為即便采用了完整的安全配置,NTLM 也會比 Kerberos 帶來更大的安全隱患�,建議在不必要的環(huán)境中徹底棄用。
參考鏈接:
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040
北京金山云網絡技術有限公司
2019/06/12