Netwrix Account Lockout Examiner 4.1 Disclosure Vulnerability
Netwrix Account Lockout Examiner 4.1 Disclosure Vulnerability
Netwrix Account Lockout Examiner (ALE) (versions earlier than 5.1) allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.
The vulnerability was discovered in the wild by Robert Surace and Daniel Min, Optiv Security Consultants, while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw.
About Netwrix Account Lockout Examiner
Netwrix Account Lockout Examiner is software that monitors domain controllers for security events that identify bad authentication attempts and account lockouts. The product conducts an audit on offending hosts to discover the root cause of the account lockouts. When an examination is performed on Windows systems, the service account configured with Netwrix ALE attempts authentication against the hosts if the calling computer IP address is present within the monitored Event ID. If the service account authenticates successfully, the product runs checks on the system for the cause of the lockout, such as saved stale credentials.
To collect the necessary Event IDs for the examination, Netwrix recommends the following GPO Audit Policy configurations in its “Netwrix Account Lockout Examiner Administrator’s Guide version 4.1”:
Figure 1: “Audit Account Logon Events” Configuration in GPO Object Editor
Additionally, Netwrix’s setup guide requires a Domain Admin Service Account to be configured within the product. These high privileges are needed to read security events from the monitored domain controllers and to perform successful authentication against domain computers for auditing.
Figure 2: Service Account Configuration
Figure 3: Service Account Configuration in Installation
The following version was assessed and vulnerable to the exploit:
- Netwrix Account Lockout Examiner Version 4.1
Netwrix released version 5.1 on July 24, 2020, effectively remediating the identified issue.
A domain-level credential disclosure vulnerability was identified on the affected version of the Netwrix Account Lockout Examiner. This vulnerability allows an unauthenticated, remote adversary to trigger the Netwrix ALE to force the authentication to an attacker-controlled system, which results in the disclosure of NTLMv1/v2 challenge-responses from the domain administrator-level Service Account that was configured with the product. To this end, an adversary could simply generate the Event ID 4771 (Kerberos Pre-Authentication Failed) on the target domain controller(s). This event is normally generated when the Key Distribution Center (“KDC”) fails to issue a Kerberos Ticket Granting Ticket (“TGT”) due to the wrong password provided for a valid account. (*Note: This event will not be generated if the “Do not require Kerberos preauthentication” option is set for the account.) In addition, other authentication methods and protocols were tested for the vulnerability. However, a Kerberos pre-authentication failure (Event ID 4771) was the only method found to trigger authentication.
Once the Netwrix Account Lockout Examiner service detects the Event ID 4771 on the domain controller(s), it automatically attempts to authenticate to the host that caused the bad authentication over the SMB service. However, when authenticating to the host, the Netwrix Account Lockout Examiner does not check whether the host is a domain-joined computer or not, resulting in the disclosure of the NTLMv1/v2 challenge-response protocols of the Netwrix service account.
Figure 4: Credential Disclosure Vulnerability Exploitation
A number of attacks can be carried out at will when leveraging this vulnerability.
- Perform offline password recovery techniques to recover the cleartext credential
- Relay the authentication to another host that has SMB-signing disabled
Example Attack Scenario
The attacker needs at least one (1) valid username (a valid password is NOT required), the IP address of the target domain controller, and a Fully Qualified Domain Name (“FQDN”) (aka an absolute domain name). Additionally, the attacker must be located on the same routable network with the domain controller(s) as well as the server running the Netwrix Account Lockout Examiner application.
|Lab Environment Setup|
|Target DC IP||10.10.0.2 (Windows 2012 R2)|
|Attacker’s IP||10.10.0.10 (Kali Linux)|
|Target Domain User||b0ss1|
|Netwrix Service Account||Administrator (Member of the “Domain Admins” group)|
Optiv created a simple Proof-of-Concept exploit script. The source code of the PoC script can be found on Github. This script will:
- Generate an Event ID 4771 on the target domain controller by performing an authentication attempt over the Kerberos protocol with the invalid password.
- Start an SMB server on the attacker’s system. (Impacket’s smbserver.py is in use)
Figure 5: CVE-2020-15931 PoC Script
Figure 6: Executing the CVE-2020-15931 PoC Script
On the Domain Controller (10.10.0.2) that the attacker attempted authentication against, the Event ID 4771 (“Kerberos pre-authentication failed”) was indeed created.
Figure 7: Windows Event Log – Target Domain Controller (10.10.0.2)
Within the Event ID 4771, Netwrix Account Lockout Examiner will know the source IP address of the bad authentication attempt as the attacker’s system IP (10.10.0.10).
Figure 8: Event 4771 Details
A few seconds later, the Netwrix service account with domain admin privileges authenticates to the attacker’s SMB server and its NTLMv2 challenge-response hash is captured.
Figure 9: Netwrix Service Account Credential Disclosure
With this attack scenario, attackers may:
- Take the captured NTLMv1/v2 hash to conduct offline password cracking in an attempt to recover the cleartext password of the Netwrix service account.
- Relay the NTLMv1/v2 authentication challenge-response protocols to other Windows hosts on the network that are not configured with SMB-signing required to gain command execution access or dump the stored credentials in their local registry hives, such as SAM or LSA.
Organizations should replace the vulnerable 4.1 version with the latest version of Netwrix Account Lockout Examiner 5.1.
For those companies still using the 4.1 version, a strong and complex password for the Netwrix service account should be applied, making it more resilient to an offline password recovery attack. Moreover, to prevent the NTLMv1/v2 relay attack, the SMB-signing should be configured to all Windows systems wherever possible.
Vulnerability Disclosure Timeline
- June 09, 2020 – Vulnerability discovered by Optiv
- June 15, 2020 – Disclosed by Optiv to vendor
- July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
- July 23, 2020 – Disclosed to CNA (MITRE Corporation)
- July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner 5.1
- July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
- August 13, 2020 – Disclosed to the public
Copyright © 2020 Optiv Security Inc. All rights reserved.
No license, express or implied, to any intellectual property or other content is granted or intended hereby.
This blog is provided to you for information purposes only. While the information contained in this site has been obtained from sources believed to be reliable, Optiv disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Links to third party sites are provided for your convenience and do not constitute an endorsement by Optiv. These sites may not have the same privacy, security or accessibility standards.
Complaints / questions should be directed to Legal@optiv.com