CVE-2019-1166
Published 2019-10-10
Priority: P3 · 47 · medium
CVSS 3.1: 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 61.68% (99.1th percentile)
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.
Affected
66 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
| microsoft | windows_10 | — | — |
Detection & IOCs (extracted from sources)
- Detect NTLM authentication exchanges where the MIC (Message Integrity Check) field has been tampered with. Specifically, monitor for NTLM AUTHENTICATE messages where the MIC is zeroed out or modified while the MIC flag in NegotiateFlags remains set, which is the mechanism used to bypass MIC protection.
- Monitor for man-in-the-middle conditions on the network where NTLM exchanges are being intercepted and relayed, particularly targeting the MIC bypass to downgrade NTLM security features.
- The vulnerability is server-side; the fix hardens NTLM MIC protection on the server. Unpatched servers remain vulnerable to NTLM relay/downgrade attacks even if clients are patched.
- Exploitation allows an attacker to downgrade NTLM security features, which can facilitate further attacks such as NTLM relay. Ensure NTLM signing and EPA (Extended Protection for Authentication) are enforced where possible.
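A structural check for the first bullet above, as an added example (not code from this page or its sources). It parses an AUTHENTICATE message using the MS-NLMP field layout and, as an assumption beyond the page's wording, reads the MIC-present bit from the MsvAvFlags AV pair inside the NTLMv2 response; `build_sample` produces constructed messages, not captures.

```python
import struct

MSV_AV_EOL, MSV_AV_FLAGS = 0x0000, 0x0006  # AV pair ids (MS-NLMP)
MIC_PRESENT = 0x00000002                   # MsvAvFlags bit: client says a MIC is included
MIC_OFFSET, PAYLOAD_WITH_MIC = 72, 88      # header layout when Version and MIC are present

def _field(msg, off):
    """Read a (Len, MaxLen, BufferOffset) descriptor; return (offset, bytes)."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    return offset, msg[offset:offset + length]

def av_flags(nt_response):
    """Return MsvAvFlags from an NTLMv2 response, or None (absent or NTLMv1)."""
    pos = 16 + 28  # NTProofStr + fixed part of NTLMv2_CLIENT_CHALLENGE
    while pos + 4 <= len(nt_response):
        av_id, av_len = struct.unpack_from("<HH", nt_response, pos)
        if av_id == MSV_AV_EOL:
            break
        if av_id == MSV_AV_FLAGS and av_len == 4 and pos + 8 <= len(nt_response):
            return struct.unpack_from("<I", nt_response, pos + 4)[0]
        pos += 4 + av_len
    return None

def check_authenticate(msg):
    """Classify an NTLM AUTHENTICATE message by MIC consistency."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", msg, 8)[0] != 3:
        return "not-authenticate"
    fields = [_field(msg, off) for off in (12, 20, 28, 36, 44, 52)]
    first_payload = min((o for o, data in fields if data), default=len(msg))
    flags = av_flags(fields[1][1])  # second descriptor is NtChallengeResponse
    if flags is None or not flags & MIC_PRESENT:
        return "no-mic-claimed"
    if first_payload < PAYLOAD_WITH_MIC:
        return "alert: MIC claimed but field missing"
    if msg[MIC_OFFSET:MIC_OFFSET + 16] == bytes(16):
        return "alert: MIC claimed but zeroed"
    return "ok"

def build_sample(mic, flags=MIC_PRESENT):
    """Constructed message (not a capture): only the NT response is populated."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, flags) + struct.pack("<HH", MSV_AV_EOL, 0)
    nt = bytes(16) + b"\x01\x01" + bytes(26) + av
    hdr = b"NTLMSSP\x00" + struct.pack("<I", 3)
    empty = struct.pack("<HHI", 0, 0, 88)
    hdr += empty + struct.pack("<HHI", len(nt), len(nt), 88) + empty * 4
    hdr += struct.pack("<I", 0) + bytes(8) + mic  # NegotiateFlags, Version, MIC
    return hdr + nt
```

A non-zero MIC is not proof of integrity: only the server, which holds the session key, can verify it, so this check supplements the server-side update rather than replacing it.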
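CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vendor_msrc | | 5.9 | MEDIUM | |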
GHSA
GHSA-6576-35f2-4q5m: A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity
ghsa_unreviewed·2022-05-24
CVE-2019-1166 [MEDIUM] GHSA-6576-35f2-4q5m: A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity
A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection, aka 'Windows NTLM Tampering Vulnerability'.
Microsoft
Windows NTLM Tampering Vulnerability
vendor_msrc·2019-10-08·CVSS 5.9
CVE-2019-1166 [MEDIUM] Windows NTLM Tampering Vulnerability
Description: A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection. An attacker who successfully exploited this vulnerability could gain the ability to downgrade NTLM security features.
To exploit this vulnerability, the attacker would need to tamper with the NTLM exchange. The attacker could then modify flags of the NTLM packet without invalidating the signature.
The update addresses the vulnerability by hardening NTLM MIC protection on the server-side.
Customer Action Required: Yes
Impact: Tampering
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation
No detection rules found.
No public exploits indexed.
Trendmicro
Short October Patch Tuesday: 9 Critical Fixes Featured
blogs_trendmicro·2019-10-09·CVSS 8.8
[HIGH] Short October Patch Tuesday: 9 Critical Fixes Featured
Exploits & Vulnerabilities
# Short October Patch Tuesday: 9 Critical Fixes Featured
This month's update includes only 59 fixes, but addresses significant issues. The nine Critical items were for various IE and Edge flaws, and one for a Remote Desktop Client gap. The rest of the 50 were ranked important, including server concerns.
By: Trend Micro
2019/10/09
October’s Patch Tuesday is relatively modest, with Microsoft releasing a total of 59 patches. However, this shorter list still warrants attention. Nine of the 59 were still identified as Critical, while the remaining 50 were labeled Important. Most of the critical bulletins were for various Internet Explorer and Microsoft Edge vulnerabilities, with one covering a Remote Desktop Client vulnerability
Talos
Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage
blogs_talos·2019-10-08·CVSS 6.4
[MEDIUM] Microsoft Patch Tuesday — Oct. 2019: Vulnerability disclosures and Snort coverage
By Jon Munshaw.
Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday discloses 60 vulnerabilities, nine of which are considered "critical," with the rest being deemed "important."
This month’s security update covers security issues in a variety of Microsoft services and software, the Chakra Scripting Engine, the Windows operating system and the SharePoint software.
Talos also released a new set of SNORT® rules that provide coverage for some of these vulnerabilities. For more, check out the Snort blog post here.
### Critical vulnerabilities
Microsoft disclosed nine critical vulnerabilities this month, eight of which we will highlight below.
CVE-2019-1333 is a client-side remote execution vulne