Skip to main content

Windows Password Hash Vulnerability Patched

A vulnerability in Microsoft Windows allows an attacker to steal Windows NTLM (a security protocol suite that provides network authentication) password hashes without interaction has recently been patched by Microsoft.
Threat ID:
CC-1739
Category:
Threat Severity:
Medium
Threat Vector:
Published:
31 October 2017 12:00 AM
Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

A vulnerability in Microsoft Windows allows an attacker to steal Windows NTLM (a security protocol suite that provides network authentication) password hashes without interaction has recently been patched by Microsoft.

Threat details

An attacker would be able to target a user with specific conditions applied and a Shell Command File (SCF) would be designed to exploit the vulnerability. The conditions that have to be met on the targeted system must have publicly accessible shared folders with folders that aren’t password protected.

Once the attacker has access to an unprotected shared folder they will then add the SCF into that folder. This file will then execute and gather the targeted system’s NTLM password hash, which will be sent back to the attacker.

Remediation steps

Type Step

The patch was released in Microsoft's Patch Tuesday in October.

  • Apply the ADV170014 security advisory as this will disable NTLM for Windows 10 and Server 2016 only.

For other Windows versions that aren't patched:

  • Ensure strong NTLM passwords are used will make make cracking the hash difficult.
  • Ensure all folders that are available publicly are password protected.

Last edited: 17 February 2020 11:41 am