2019-06-12 00:00:00
On 12 June 2019, the Kingsoft Cloud Security Emergency Response Center observed that Microsoft had released a patch for the vulnerability tracked as CVE-2019-1040. The vulnerability allows an attacker in a domain environment to remotely control any machine in the Windows domain and is highly dangerous. Users are advised to install the system update promptly to avoid being attacked.
Vulnerability ID:
CVE-2019-1040
Vulnerability name:
Microsoft domain authentication vulnerability
Severity:
High
Description:
A vulnerability exists in the Windows domain authentication mechanism. An attacker positioned as a man-in-the-middle during NTLM authentication can modify the verification flag in the NTLM packets so that no verification is performed, thereby bypassing the server-side verification. An attacker who successfully exploits this vulnerability gains the ability to downgrade NTLM security features.
Affected versions:
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1703 for 32-bit Systems
Windows 10 Version 1703 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows 10 Version 1903 for x64-based Systems
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1803 (Server Core Installation)
Windows Server, version 1903 (Server Core installation)
Remediation:
1. Apply the patch: make sure workstations and servers have the required patches installed. Note that the patch alone is not sufficient; organisations also need to make configuration changes in order to be fully protected.
2. Configuration changes:
a) Enforce SMB signing: to prevent attackers from launching simpler NTLM relay attacks, be sure to enable SMB signing on every computer in the network.
b) Disable NTLMv1: this version is quite insecure and should be disabled completely through the appropriate group policy.
c) Enforce LDAP/S signing: to prevent NTLM relay attacks against LDAP, enforce LDAP signing and LDAPS channel binding on the domain controllers.
d) Enforce EPA: to prevent NTLM from being used by attackers for relay attacks against web servers, configure all web servers (OWA, ADFS) to accept only requests that use EPA.
e) Reduce NTLM usage: even with a complete secure configuration, NTLM carries a greater security risk than Kerberos, so it should be retired entirely wherever it is not needed.
Reference link:
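The following PowerShell audit script is an added example and is not part of the Kingsoft Cloud advisory. It reads the registry values behind configuration changes 2a, 2b, 2c and 2e (EPA in 2d is configured per web application and is not covered) and reports which settings are still weak; the expected values are Microsoft's documented hardening values, and the domain-controller detection via Win32_ComputerSystem.DomainRole is an assumption of this script.

```powershell
# Added audit script (not from the advisory). Run as an administrator on each
# workstation, server and domain controller; NTDS checks are skipped on non-DCs.
$checks = @(
    @{ Name = 'SMB server signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Value = 'RequireSecuritySignature'; Expected = 1 },
    @{ Name = 'SMB client signing required'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Value = 'RequireSecuritySignature'; Expected = 1 },
    # LmCompatibilityLevel 5 = send NTLMv2 only and refuse LM and NTLMv1 (change 2b)
    @{ Name = 'NTLMv1 disabled (LmCompatibilityLevel=5)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Value = 'LmCompatibilityLevel'; Expected = 5 },
    # Domain controllers only (change 2c): 2 = require LDAP signing, 2 = always enforce channel binding
    @{ Name = 'LDAP server signing required';  Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Value = 'LDAPServerIntegrity';       Expected = 2; DCOnly = $true },
    @{ Name = 'LDAPS channel binding enforced'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'; Value = 'LdapEnforceChannelBinding'; Expected = 2; DCOnly = $true },
    # Auditing incoming NTLM (2 = audit all) is the first step toward retiring NTLM (change 2e);
    # the resulting events appear in the Microsoft-Windows-NTLM/Operational log
    @{ Name = 'Incoming NTLM auditing enabled'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Value = 'AuditReceivingNTLMTraffic'; Expected = 2 }
)

function Test-NtlmRelayHardening {
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    foreach ($c in $checks) {
        if ($c.DCOnly -and -not $isDC) { continue }
        # A missing value means the default applies, which is reported as weak so it gets reviewed
        $actual = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Check    = $c.Name
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Expected = $c.Expected
            Status   = if ($actual -eq $c.Expected) { 'OK' } else { 'WEAK' }
        }
    }
}

Test-NtlmRelayHardening | Format-Table -AutoSize
```

Any line reported as WEAK should be corrected through group policy rather than by editing the registry directly, so that the setting is enforced consistently across the domain.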
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1040
Beijing Kingsoft Cloud Network Technology Co., Ltd.
2019/06/12