Experts described RCE vulnerability in Windows NT LAN Manager
Security researchers have described a security feature bypass vulnerability in Windows NT LAN Manager (NTLM). The vulnerability (CVE-2021-1678) was discovered in a component of the network stack and can be exploited remotely. According to researchers at CrowdStrike, an attacker could exploit it to achieve remote code execution via NTLM relay.
Successful exploitation also allows an attacker to run code remotely on a Windows machine or to move laterally across the network to critical systems, such as servers hosting domain controllers, by reusing NTLM credentials.
Specifically, the researchers found that IRemoteWinspool (an RPC interface for remote Print Spooler management) could be used to execute a series of RPC operations and write arbitrary files to a computer using an intercepted NTLM session.
Microsoft said it addressed the vulnerability by "increasing the RPC authentication level and introducing a new policy and registry key to allow customers to disable or enable Enforcement mode on the server-side to increase the authentication level."
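The fix described above is only effective once server-side Enforcement mode is actually turned on, so a defender will want to audit the print servers they manage. The following PowerShell is an added example and not part of the article or of Microsoft's guidance: it reads the enforcement setting from the registry on one or more hosts and reports whether it is configured and enabled. The registry path, value name and the assumption that a DWORD of 1 means "enabled" are placeholders; substitute the exact key and semantics from Microsoft's guidance for CVE-2021-1678.

```powershell
# Added example (not from the article). Audits whether server-side Enforcement
# mode for the CVE-2021-1678 RPC authentication-level hardening is set.
# PLACEHOLDERS: $KeyPath and $ValueName must be replaced with the key and value
# named in Microsoft's guidance for this CVE; "1 = enabled" is an assumption.

function Get-PrintRpcEnforcementState {
    param(
        [string]$KeyPath   = 'HKLM:\PLACEHOLDER_PATH\Print',      # placeholder
        [string]$ValueName = 'PLACEHOLDER_EnforcementValueName'   # placeholder
    )

    # Read the value without throwing if the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Not configured at all: the behaviour then depends on the patch's
        # default, which this script does not assume.
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            Configured = $false
            Enforced   = $false
            RawValue   = $null
        }
    }

    $raw = [int]$item.$ValueName
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $true
        Enforced   = ($raw -eq 1)   # assumption: 1 = Enforcement mode on
        RawValue   = $raw
    }
}

function Get-PrintRpcEnforcementReport {
    # Runs the check on a list of print servers and returns one row per host.
    # Hosts that cannot be reached are reported rather than silently skipped.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($host in $ComputerName) {
        try {
            if ($host -eq $env:COMPUTERNAME) {
                Get-PrintRpcEnforcementState
            } else {
                Invoke-Command -ComputerName $host -ScriptBlock ${function:Get-PrintRpcEnforcementState} -ErrorAction Stop
            }
        } catch {
            [pscustomobject]@{
                Computer   = $host
                Configured = $null
                Enforced   = $null
                RawValue   = "unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Usage: list every host that is not yet enforcing.
# Get-PrintRpcEnforcementReport -ComputerName 'print01','print02' |
#     Where-Object { $_.Enforced -ne $true } | Format-Table -AutoSize
```

Run the report from an account with remote registry rights on the print servers; any row with Configured = False or Enforced = False is a server still relying on whatever default the patch applies rather than on an explicit Enforcement-mode setting.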
Source: securitylab.ru
26 January 2021