A Critical Vulnerability in the authentication of NTLM Credentials on LoadMaster may enable a user access attempt with an incorrect password to be granted access.
The handling of NTLM user authentication in LoadMaster Edge Security Pack (ESP) may enable a user with incorrect credentials be successfully authenticated by the LoadMaster and enable this user gain access to resources protected by the LoadMaster ESP.
For applications that are made up of a number of services such as Microsoft Exchange, only those services configured to use NTLM as the Client-Side Authentication method on LoadMaster (a common example being Exchange-MAPI) are affected. It is likely full application access would have additional authentication requirements that are either set to “Delegate to the Server” or using a protocol other than NTLM on the LoadMaster which are not affected.
LoadMasters with Firmware Versions >=7.2.53 and Firmware Version 18.104.22.168: Any LoadMaster with NTLM Authentication in use without the 'NTLM Proxy' mode enabled on LoadMaster.
LMOS <7.2.53 (excluding 22.214.171.124 LTS): Any LoadMaster with NTLM Client-Side Authentication configured in ESP.
LoadMasters not utilizing Edge Security Pack (ESP)
LoadMasters utilizing ESP, not using NTLM as an ESP Client-Side Authentication Protocol
LoadMasters with NTLM Proxy Mode enabled
In order to mitigate this vulnerability ‘NTLM-Proxy’ mode should be enabled on the LoadMaster. NTLM-Proxy Mode option is available from LMOS Firmware 7.2.53 (General Availability Release) or 126.96.36.199 (Long Term Stable Release). To enable ‘NTLM-Proxy’ Mode please follow the directions outlined here.
NTLM-Proxy mode uses an alternative mechanism for user credential validation by proxying an NTLM Handshake to the chosen Real Server rather than utilizing an LDAP Endpoint. As a result, you may need to make modifications to your Application Server configuration to support NTLM. Group authorization (if used) is done securely via the LDAP Endpoint. Where Kerberos Constrained Delegation (KCD) is used as the Server-Side Authentication protocol, once NTLM validation is completed via the Real Server, all subsequent LoadMaster to Real Server Traffic will utilize KCD for efficient secure session handling.
If the recommendation is not possible, one of the following alternative measures should be taken.
- Use an alternative Client-Side Authentication Protocol such as Basic Authentication, Form Based authentication, Client Certificates, SAML or OIDC
- Use ESP ‘Delegate to Server’ option which will utilize the user authentication configured on the Real Server.
- Disable ESP for applications currently using Client Authentication NTLM.