Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuard's SSO does under certain circumstances. Does a bad feature warrant filing a CVE? I'm not sure.
In GuardLapse, there are two main exploitation routes:
1. Cracking the Password Hash
Malicious Malory can set up a rogue SMB server. Instead of working as expected, this server accepts authentication requests and grabs the password hash.
If she cracks the password hash successfully, she gains access to whatever the WatchGuard AD account can access.
Even with ZERO privileges assigned to the WatchGuard AD account, authenticated access to the domain in AD environments exposes many attack avenues - Kerberoasting, user enumeration for password spraying, BloodHound recon, and more.
2. SMB Relaying
If other domain PCs don’t require SMB signing, she can directly relay the authentication requests to access targeted hosts, eliminating the need to crack the password hash! (This depends on the AD account having admin privileges on targeted hosts).
To show the impact, in my recent engagement, we transitioned from an unauthenticated device on the network to Domain Admin using this issue. We relayed WatchGuard authentication requests to get an initial foothold on several devices. We then exploited other vulnerabilities to secure Domain Admin privileges.
WatchGuard’s Response
When I contacted WatchGuard about the behaviour I observed, they responded promptly and helpfully.
They pointed me to the documentation about WatchGuard’s Clientless AD SSO methods, which they thought explained what I saw. When I asked about their plans to retire or rework this feature, WatchGuard said they might retire AD Mode but would keep the Event Log Monitor.
They also said they were exploring options to enhance the visibility of security risks associated with Clientless SSO based on my report.
Action
If you use a WatchGuard firewall and rely on clientless SSO, my current, unvalidated recommendation is:
Switch off AD mode and rely on the SSO Client.
Remove the Event Log Monitor if you’ve installed it.
NOTE: I haven’t validated this fix because I don’t own a WatchGuard firewall. If you want to collaborate to validate this fix, please get in touch!
I’ve also asked WatchGuard for their remediation advice given their customers’ current risk. Once they reply, I’ll update this post with their guidance.
FROM THE ARTICLE:
Exploitation and Impact
In GuardLapse, there are two main exploitation routes:
1. Cracking the Password Hash
Malicious Malory can set up a rogue SMB server. Instead of working as expected, this server accepts authentication requests and grabs the password hash.
If she cracks the password hash successfully, she gains access to whatever the WatchGuard AD account can access.
Even with ZERO privileges assigned to the WatchGuard AD account, authenticated access to the domain in AD environments exposes many attack avenues - Kerberoasting, user enumeration for password spraying, BloodHound recon, and more.
2. SMB Relaying
If other domain PCs don’t require SMB signing, she can directly relay the authentication requests to access targeted hosts, eliminating the need to crack the password hash! (This depends on the AD account having admin privileges on targeted hosts).
To show the impact, in my recent engagement, we transitioned from an unauthenticated device on the network to Domain Admin using this issue. We relayed WatchGuard authentication requests to get an initial foothold on several devices. We then exploited other vulnerabilities to secure Domain Admin privileges.
WatchGuard’s Response
When I contacted WatchGuard about the behaviour I observed, they responded promptly and helpfully.
They pointed me to the documentation about WatchGuard’s Clientless AD SSO methods, which they thought explained what I saw. When I asked about their plans to retire or rework this feature, WatchGuard said they might retire AD Mode but would keep the Event Log Monitor.
They also said they were exploring options to enhance the visibility of security risks associated with Clientless SSO based on my report.
Action
If you use a WatchGuard firewall and rely on clientless SSO, my current, unvalidated recommendation is:
Switch off AD mode and rely on the SSO Client. Remove the Event Log Monitor if you’ve installed it. NOTE: I haven’t validated this fix because I don’t own a WatchGuard firewall. If you want to collaborate to validate this fix, please get in touch!
I’ve also asked WatchGuard for their remediation advice given their customers’ current risk. Once they reply, I’ll update this post with their guidance.