Netwrix Account Lockout Examiner 4.1 Disclosure Vulnerability

August 13, 2020

Netwrix Account Lockout Examiner (ALE), in versions earlier than 5.1, allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product, as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.

Credit

The vulnerability was discovered in the wild by Robert Surace and Daniel Min, Optiv Security Consultants, while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw.

About Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is software that monitors domain controllers for security events that identify bad authentication attempts and account lockouts. The product conducts an audit on offending hosts to discover the root cause of the account lockouts. When an examination is performed on Windows systems, the service account configured with Netwrix ALE attempts authentication against the hosts if the calling computer's IP address is present within the monitored Event ID. If the service account authenticates successfully, the product runs checks on the system for the cause of the lockout, such as saved stale credentials.

To collect the necessary Event IDs for the examination, Netwrix recommends the following GPO Audit Policy configurations in its "Netwrix Account Lockout Examiner Administrator's Guide version 4.1":

Figure 1: "Audit Account Logon Events" Configuration in GPO Object Editor

Additionally, Netwrix's setup guide requires a Domain Admin Service Account to be configured within the product.
These high privileges are needed to read security events from the monitored domain controllers and to perform successful authentication against domain computers for auditing.

Figure 2: Service Account Configuration

Figure 3: Service Account Configuration in Installation

Product Affected

The following version was assessed and found vulnerable to the exploit:

- Netwrix Account Lockout Examiner Version 4.1

Netwrix released version 5.1 on July 24, 2020, effectively remediating the identified issue.

Vulnerability Overview

A domain-level credential disclosure vulnerability was identified in the affected version of the Netwrix Account Lockout Examiner. This vulnerability allows an unauthenticated, remote adversary to make Netwrix ALE authenticate to an attacker-controlled system, which results in the disclosure of NTLMv1/v2 challenge-responses from the domain administrator-level Service Account that was configured with the product.

To this end, an adversary could simply generate Event ID 4771 (Kerberos Pre-Authentication Failed) on the target domain controller(s). This event is normally generated when the Key Distribution Center ("KDC") fails to issue a Kerberos Ticket Granting Ticket ("TGT") because the wrong password was provided for a valid account. (Note: This event will not be generated if the "Do not require Kerberos preauthentication" option is set for the account.)

In addition, other authentication methods and protocols were tested for the vulnerability. However, a Kerberos pre-authentication failure (Event ID 4771) was the only method found to trigger authentication. Once the Netwrix Account Lockout Examiner service detects Event ID 4771 on the domain controller(s), it automatically attempts to authenticate over SMB to the host that caused the bad authentication.
However, when authenticating to the host, the Netwrix Account Lockout Examiner does not check whether the host is a domain-joined computer, resulting in the disclosure of the NTLMv1/v2 challenge-response of the Netwrix service account.

Figure 4: Credential Disclosure Vulnerability

Exploitation

A number of attacks can be carried out at will when leveraging this vulnerability:

- Perform offline password recovery techniques to recover the cleartext credential
- Relay the authentication to another host that has SMB signing disabled

Example Attack Scenario

Requirements

The attacker needs at least one (1) valid username (a valid password is NOT required), the IP address of the target domain controller, and a Fully Qualified Domain Name ("FQDN", also known as an absolute domain name). Additionally, the attacker must be located on the same routable network as the domain controller(s) and the server running the Netwrix Account Lockout Examiner application.

Lab Environment Setup

- Target FQDN: bosslab.com
- Target DC IP: 10.10.0.2 (Windows 2012 R2)
- Attacker's IP: 10.10.0.10 (Kali Linux)
- Target Domain User: b0ss1
- Netwrix Service Account: Administrator (member of the "Domain Admins" group)

Attack Process

Optiv created a simple Proof-of-Concept exploit script. The source code of the PoC script can be found on GitHub. This script will:

1. Generate an Event ID 4771 on the target domain controller by performing an authentication attempt over the Kerberos protocol with an invalid password.
2. Start an SMB server on the attacker's system (Impacket's smbserver.py is in use).

Figure 5: CVE-2020-15931 PoC Script

Figure 6: Executing the CVE-2020-15931 PoC Script

On the Domain Controller (10.10.0.2) that the attacker attempted authentication against, Event ID 4771 ("Kerberos pre-authentication failed") was indeed created.
Figure 7: Windows Event Log – Target Domain Controller (10.10.0.2)

From the Event ID 4771 record, Netwrix Account Lockout Examiner learns the source IP address of the bad authentication attempt, which is the attacker's system IP (10.10.0.10).

Figure 8: Event 4771 Details

A few seconds later, the Netwrix service account with domain admin privileges authenticates to the attacker's SMB server and its NTLMv2 challenge-response hash is captured.

Figure 9: Netwrix Service Account Credential Disclosure

With this attack scenario, attackers may:

- Take the captured NTLMv1/v2 hash and conduct offline password cracking in an attempt to recover the cleartext password of the Netwrix service account.
- Relay the NTLMv1/v2 authentication challenge-response to other Windows hosts on the network that are not configured to require SMB signing, to gain command execution or to dump the stored credentials in their local registry hives, such as SAM or LSA.

Mitigations

Organizations should replace the vulnerable 4.1 version with the latest version of Netwrix Account Lockout Examiner, 5.1. For those companies still using the 4.1 version, a strong and complex password should be applied to the Netwrix service account, making it more resilient to an offline password recovery attack. Moreover, to prevent the NTLMv1/v2 relay attack, SMB signing should be required on all Windows systems wherever possible.
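The root cause described above is a missing check: the examiner acted on the client address in Event ID 4771 without confirming that the address belongs to a domain-joined computer. The following is an added example, not Netwrix code and not Optiv's PoC, written from the defender's side. It parses 4771 records in the XML shape the Windows event log exports (the sample records are constructed; the field names TargetUserName, Status and IpAddress are the real 4771 fields), normalises the IPv4-mapped IPv6 form the field usually carries, and refuses to initiate any outbound authentication to a client address that is not in a known inventory of domain computers. The inventory (DOMAIN_COMPUTERS) is a hypothetical export; only the DC address 10.10.0.2 and the user b0ss1 come from the lab setup on this page. The same function can be run over exported logs as a detection rule: every "refuse" decision is a wrong-password failure reported from a host the directory does not know about.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed inventory of domain-joined computers (hypothetical hostnames).
# In practice this would be exported from the directory's computer objects.
DOMAIN_COMPUTERS = {
    "DC01.bosslab.com": "10.10.0.2",   # the lab domain controller
    "WS05.bosslab.com": "10.10.0.25",  # hypothetical workstation
}

# Status 0x18 is KDC_ERR_PREAUTH_FAILED, the wrong-password case that
# triggers the examiner. Other status codes (e.g. 0x25 clock skew) are not.
PREAUTH_FAILED = "0x18"


def _event_xml(user: str, ip: str, status: str) -> str:
    """Build a minimal, constructed Event 4771 record in export shape."""
    return f"""<Event xmlns="{NS['e']}">
  <System><EventID>4771</EventID><Computer>DC01.bosslab.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="IpPort">51234</Data>
  </EventData>
</Event>"""


# Constructed sample log: one failure from a known workstation, one from an
# address the directory has never seen, one non-password failure.
SAMPLE_EVENTS = [
    _event_xml("b0ss1", "::ffff:10.10.0.25", "0x18"),
    _event_xml("b0ss1", "::ffff:10.10.0.10", "0x18"),
    _event_xml("b0ss1", "::ffff:10.10.0.25", "0x25"),
]


def normalize_ip(raw: str) -> str:
    """Collapse the ::ffff:a.b.c.d form to plain IPv4; pass through anything else."""
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return raw  # e.g. "-" when no address is recorded
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return str(addr)


def parse_4771(xml_text: str) -> dict:
    """Extract user, client address and status from one 4771 XML record."""
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=NS)
    if event_id != "4771":
        raise ValueError(f"not a 4771 event: {event_id!r}")
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "user": data["TargetUserName"],
        "client_ip": normalize_ip(data["IpAddress"]),
        "status": data["Status"].lower(),
    }


def is_domain_joined(ip: str, computers: dict = DOMAIN_COMPUTERS) -> bool:
    """The gate the examiner lacked: only known computer objects may be contacted."""
    return ip in set(computers.values())


def triage(xml_events, computers: dict = DOMAIN_COMPUTERS) -> list:
    """Decide per event: 'examine' a known host, 'refuse' an unknown one, 'ignore' the rest."""
    decisions = []
    for xml_text in xml_events:
        ev = parse_4771(xml_text)
        if ev["status"] != PREAUTH_FAILED:
            decisions.append((ev["client_ip"], "ignore"))
        elif is_domain_joined(ev["client_ip"], computers):
            decisions.append((ev["client_ip"], "examine"))
        else:
            # Never authenticate outbound here; this is the alert condition.
            decisions.append((ev["client_ip"], "refuse"))
    return decisions


if __name__ == "__main__":
    for ip, decision in triage(SAMPLE_EVENTS):
        print(f"{ip:>12}  {decision}")
```

Matching on IP address alone is the minimum; a production version should also resolve the address to a computer object and reject hosts whose name is absent from the directory, since the attacker controls which address the domain controller records in the event.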
Vulnerability Disclosure Timeline

- June 09, 2020 – Vulnerability discovered by Optiv
- June 15, 2020 – Disclosed by Optiv to vendor
- July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
- July 23, 2020 – Disclosed to CNA (MITRE Corporation)
- July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner, 5.1
- July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
- August 13, 2020 – Disclosed to the public

References

- Event ID 4771
- Impacket smbserver.py
- Gokrb5 Client
- CVE-2020-15931

By: Daniel Min, Threat Management Technical Manager | Optiv

Daniel Min is a Technical Manager in Optiv's Threat Management practice with a concentration on various simulated security assessments. Daniel is a Subject Matter Expert (SME) in cybersecurity assessments including breach simulations, perimeter and internal penetration testing, and web application and cloud security testing. He has a strong passion for security vulnerability research, exploit development and tool automation.

By: Robert Surace, Security Consultant | Optiv

Robert Surace is a security consultant in Optiv's Threat Management practice with a concentration on network, web application and wireless penetration testing, threat simulations, and social engineering assessments. He has over eleven years' experience with a background in enterprise network engineering, security and design. The skills he developed on the defensive side of security give him a unique perspective when approaching offensive security assessments.