• 126 Posts
  • 11 Comments
Joined 1 year ago
cake
Cake day: July 6th, 2023

help-circle

























  • FROM THE ARTICLE:

    Exploitation and Impact

    In GuardLapse, there are two main exploitation routes:

    1. Cracking the Password Hash

    Malicious Malory can set up a rogue SMB server. Instead of working as expected, this server accepts authentication requests and grabs the password hash.

    If she cracks the password hash successfully, she gains access to whatever the WatchGuard AD account can access.

    Even with ZERO privileges assigned to the WatchGuard AD account, authenticated access to the domain in AD environments exposes many attack avenues - Kerberoasting, user enumeration for password spraying, BloodHound recon, and more.

    2. SMB Relaying

    If other domain PCs don’t require SMB signing, she can directly relay the authentication requests to access targeted hosts, eliminating the need to crack the password hash! (This depends on the AD account having admin privileges on targeted hosts).

    To show the impact, in my recent engagement, we transitioned from an unauthenticated device on the network to Domain Admin using this issue. We relayed WatchGuard authentication requests to get an initial foothold on several devices. We then exploited other vulnerabilities to secure Domain Admin privileges.

    WatchGuard’s Response

    When I contacted WatchGuard about the behaviour I observed, they responded promptly and helpfully.

    They pointed me to the documentation about WatchGuard’s Clientless AD SSO methods, which they thought explained what I saw. When I asked about their plans to retire or rework this feature, WatchGuard said they might retire AD Mode but would keep the Event Log Monitor.

    They also said they were exploring options to enhance the visibility of security risks associated with Clientless SSO based on my report.

    Action

    If you use a WatchGuard firewall and rely on clientless SSO, my current, unvalidated recommendation is:

    Switch off AD mode and rely on the SSO Client. Remove the Event Log Monitor if you’ve installed it. NOTE: I haven’t validated this fix because I don’t own a WatchGuard firewall. If you want to collaborate to validate this fix, please get in touch!

    I’ve also asked WatchGuard for their remediation advice given their customers’ current risk. Once they reply, I’ll update this post with their guidance.