Netwrix Account Lockout Examiner 4.1 Disclosure Vulnerability
Netwrix Account Lockout Examiner (ALE) versions earlier than 5.1 (4.1 was the version assessed) allow an unauthenticated, remote adversary to force the product's service account to authenticate to an attacker-controlled system and to capture that account's NTLMv1/v2 challenge-response. Because installation requires the service account to hold domain administrator privileges, the captured response belongs to a domain administrator. The trigger is a single Kerberos Pre-Authentication Failed event (Event ID 4771) on a monitored domain controller.
The vulnerability was discovered in the wild by Robert Surace and Daniel Min, Optiv Security Consultants, while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw.
Netwrix Account Lockout Examiner monitors domain controllers for security events that indicate failed authentication attempts and account lockouts, then audits the offending hosts to find the root cause of the lockouts. When a Windows host is examined, the service account configured in Netwrix ALE authenticates to that host, using the client IP address recorded in the monitored event to locate it. If the authentication succeeds, the product checks the system for causes of the lockout, such as stale saved credentials.
To collect the necessary Event IDs for the examination, Netwrix recommends the following GPO Audit Policy configurations in its “Netwrix Account Lockout Examiner Administrator’s Guide version 4.1”:
Figure 1: “Audit Account Logon Events” Configuration in GPO Object Editor
Additionally, Netwrix’s setup guide requires a Domain Admin Service Account to be configured within the product. These high privileges are needed to read security events from the monitored domain controllers and to perform successful authentication against domain computers for auditing.
Figure 2: Service Account Configuration
Figure 3: Service Account Configuration in Installation
The following version was assessed and found vulnerable:
Netwrix released version 5.1 on July 24, 2020, which remediates the identified issue.
A domain-level credential disclosure vulnerability was identified in the affected version of Netwrix Account Lockout Examiner. It allows an unauthenticated, remote adversary to make Netwrix ALE authenticate to an attacker-controlled system, disclosing the NTLMv1/v2 challenge-response of the domain administrator-level service account configured in the product. To trigger it, the adversary only needs to cause Event ID 4771 (Kerberos Pre-Authentication Failed) on the target domain controller(s). The event is logged when the Key Distribution Center (KDC) refuses to issue a Ticket Granting Ticket (TGT) because the wrong password was supplied for a valid account; a single failure suffices, so the targeted account does not need to be locked out. (Note: this event is not generated for accounts with the "Do not require Kerberos preauthentication" option set.) Other authentication methods and protocols were tested as triggers; a Kerberos pre-authentication failure (Event ID 4771) was the only one found to make the product authenticate outbound.
Once the Netwrix Account Lockout Examiner service sees Event ID 4771 on the domain controller(s), it automatically authenticates over SMB to the host recorded as the source of the failed attempt. It does not verify that this host is a domain-joined computer, so any IP address an attacker can place in the event's client address field becomes a target for the service account's authentication, disclosing its NTLMv1/v2 challenge-response.
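As an added example (not Optiv's PoC and not Netwrix's code), the following Python shows the decision the product should have made. It parses a constructed Event ID 4771 in Windows event XML, normalises the IPv4-mapped client address Windows records, and contrasts the unchecked behaviour described above with a version that only examines hosts present in a domain-computer inventory. The same check doubles as a detection: a 4771 whose client address is not a known domain computer is exactly the trigger an attacker needs. The inventory, hostnames and event values are assumptions for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample: one 4771 as a DC would log it for the attacker's failed
# AS-REQ (values mirror the figures in the post; the XML was written for this example).
SAMPLE_4771 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>dc01.corp.example</Computer></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt/CORP</Data>
    <Data Name="Status">0x18</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.10.0.10</Data>
    <Data Name="IpPort">51552</Data>
  </EventData>
</Event>"""

# Constructed inventory of domain-joined computers. In production this would come
# from an LDAP query for computer objects or from DNS zones the DCs own.
DOMAIN_COMPUTERS = {
    "10.10.0.2": "dc01.corp.example",
    "10.10.0.25": "ws-finance-07.corp.example",
}


def parse_4771(xml_text):
    """Return the fields ALE acts on, or None if this is not a 4771."""
    root = ET.fromstring(xml_text)
    if root.find("e:System/e:EventID", NS).text != "4771":
        return None
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    # Windows writes IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise.
    ip = ipaddress.ip_address(data["IpAddress"])
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return {"user": data["TargetUserName"], "status": data["Status"], "client_ip": str(ip)}


def examine_target_vulnerable(event):
    """Behaviour described for ALE 4.1: whatever client address the event carries
    is a host the Domain Admin service account will authenticate to."""
    return event["client_ip"]


def examine_target_hardened(event, inventory):
    """Only examine hosts known to be domain-joined. Returns the hostname to
    connect to, or None so the caller alerts instead of connecting."""
    return inventory.get(event["client_ip"])


def untrusted_preauth_failures(xml_events, inventory):
    """Detection: 4771 events whose client is not a known domain computer.
    Returns (target user, client IP) pairs worth alerting on regardless of product version."""
    hits = []
    for xml_text in xml_events:
        ev = parse_4771(xml_text)
        if ev and examine_target_hardened(ev, inventory) is None:
            hits.append((ev["user"], ev["client_ip"]))
    return hits


if __name__ == "__main__":
    ev = parse_4771(SAMPLE_4771)
    print("vulnerable target:", examine_target_vulnerable(ev))
    print("hardened target:  ", examine_target_hardened(ev, DOMAIN_COMPUTERS))
    print("alerts:", untrusted_preauth_failures([SAMPLE_4771], DOMAIN_COMPUTERS))
```

Feeding the same parser a 4771 whose client address is in the inventory returns the hostname from the hardened path and produces no alert, which is the normal lockout-investigation case the product exists for.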
Figure 4: Credential Disclosure Vulnerability Exploitation
Several attacks become possible once the service account's challenge-response has been captured.
The attacker needs at least one valid username (a valid password is NOT required), the IP address of the target domain controller, and the domain's Fully Qualified Domain Name (FQDN). The attacker's system must also be reachable from the domain controller(s) and from the server running Netwrix Account Lockout Examiner, since that server connects back to it.
Optiv created a simple Proof-of-Concept exploit script; its source code can be found on GitHub. This script will:
Figure 5: CVE-2020-15931 PoC Script
Figure 6: Executing the CVE-2020-15931 PoC Script
On the Domain Controller (10.10.0.2) that the attacker attempted authentication against, the Event ID 4771 (“Kerberos pre-authentication failed”) was indeed created.
Figure 7: Windows Event Log – Target Domain Controller (10.10.0.2)
From the Event ID 4771, Netwrix Account Lockout Examiner learns the source IP address of the failed authentication attempt, which is the attacker's system (10.10.0.10).
Figure 8: Event 4771 Details
A few seconds later, the Netwrix service account, which holds domain admin privileges, authenticates to the attacker's SMB server and its NTLMv2 challenge-response is captured.
Figure 9: Netwrix Service Account Credential Disclosure
With this attack scenario, attackers may:
Organizations should replace the vulnerable 4.1 version with Netwrix Account Lockout Examiner 5.1 or later.
Where 4.1 must remain in service for now, the Netwrix service account should be given a long, random password so that a captured challenge-response resists offline password recovery. To prevent the captured authentication from being relayed, SMB signing should be required on all Windows systems wherever possible; note that SMB signing only protects SMB endpoints, and relay to other services (for example LDAP) needs their own signing or channel-binding controls. Monitoring domain controllers for Event ID 4771 whose client address does not belong to a domain-joined computer will also surface attempts to trigger the product.
Tags: Event ID 4771, Impacket smbserver.py, Gokrb5 Client, CVE-2020-15931
Copyright © 2022 Optiv Security Inc. All rights reserved.