Netwrix Account Lockout Examiner 4.1 Disclosure Vulnerability

Netwrix Account Lockout Examiner (ALE) (versions earlier than 5.1) allows an unauthenticated, remote adversary to trigger a connection to an attacker-controlled system and capture the NTLMv1/v2 challenge-response of an account with domain administrator privileges. The domain administrator account would already be configured with the product as required for installation. An adversary can exploit this by generating a single Kerberos Pre-Authentication Failed (Event ID 4771) event on a domain controller.

Credit

The vulnerability was discovered in the wild by Robert Surace and Daniel Min, Optiv Security Consultants, while performing a security assessment. Upon identification of CVE-2020-15931, Optiv immediately contacted Netwrix to disclose the identified flaw.

About Netwrix Account Lockout Examiner

Netwrix Account Lockout Examiner is software that monitors domain controllers for security events that identify bad authentication attempts and account lockouts. The product audits the offending hosts to discover the root cause of the lockouts. When an examination is performed on Windows systems, the service account configured in Netwrix ALE attempts authentication against the host whose IP address appears in the monitored event. If the service account authenticates successfully, the product runs checks on that system for the cause of the lockout, such as saved stale credentials.

To collect the necessary Event IDs for the examination, Netwrix recommends the following GPO Audit Policy configurations in its “Netwrix Account Lockout Examiner Administrator’s Guide version 4.1”:

Figure 1: “Audit Account Logon Events” Configuration in GPO Object Editor

Additionally, Netwrix’s setup guide requires a Domain Admin Service Account to be configured within the product. These high privileges are needed to read security events from the monitored domain controllers and to perform successful authentication against domain computers for auditing.

Figure 2: Service Account Configuration

Figure 3: Service Account Configuration in Installation

Product Affected

The following version was assessed and found vulnerable:

  • Netwrix Account Lockout Examiner Version 4.1

Netwrix released version 5.1 on July 24, 2020, effectively remediating the identified issue.

Vulnerability Overview

A domain-level credential disclosure vulnerability was identified in the affected version of Netwrix Account Lockout Examiner. It allows an unauthenticated, remote adversary to make Netwrix ALE authenticate to an attacker-controlled system, which discloses the NTLMv1/v2 challenge-response of the domain administrator-level service account configured with the product. To trigger it, an adversary only needs to generate Event ID 4771 (Kerberos Pre-Authentication Failed) on the target domain controller(s). This event is normally generated when the Key Distribution Center (“KDC”) fails to issue a Kerberos Ticket Granting Ticket (“TGT”) because the wrong password was supplied for a valid account. (*Note: This event is not generated if the “Do not require Kerberos preauthentication” option is set for the account.) Other authentication methods and protocols were also tested; however, a Kerberos pre-authentication failure (Event ID 4771) was the only method found to trigger the authentication.

Once the Netwrix Account Lockout Examiner service detects Event ID 4771 on the domain controller(s), it automatically attempts to authenticate over SMB to the host that caused the bad authentication. When doing so, it does not check whether that host is a domain-joined computer, so the NTLMv1/v2 challenge-response of the Netwrix service account is disclosed to whatever host the event names.

Figure 4: Credential Disclosure Vulnerability Exploitation

Once this vulnerability is leveraged, a number of attacks can be carried out:

  • Perform offline password recovery techniques to recover the cleartext credential
  • Relay the authentication to another host that has SMB-signing disabled

Example Attack Scenario

Requirements

The attacker needs at least one (1) valid username (a valid password is NOT required), the IP address of the target domain controller, and the target’s Fully Qualified Domain Name (“FQDN”, also called an absolute domain name). Additionally, the attacker must be on a network that is routable to the domain controller(s) and to the server running the Netwrix Account Lockout Examiner application.

Lab Environment Setup

  • Target FQDN: bosslab.com
  • Target DC IP: 10.10.0.2 (Windows 2012 R2)
  • Attacker’s IP: 10.10.0.10 (Kali Linux)
  • Target Domain User: b0ss1
  • Netwrix Service Account: Administrator (member of the “Domain Admins” group)

Attack Process

Optiv created a simple Proof-of-Concept exploit script. The source code of the PoC script can be found on GitHub. This script will:

  1. Generate an Event ID 4771 on the target domain controller by performing an authentication attempt over the Kerberos protocol with the invalid password.
  2. Start an SMB server on the attacker’s system (using Impacket’s smbserver.py).

Figure 5: CVE-2020-15931 PoC Script

Figure 6: Executing the CVE-2020-15931 PoC Script

On the Domain Controller (10.10.0.2) that the attacker attempted authentication against, the Event ID 4771 (“Kerberos pre-authentication failed”) was indeed created.

Figure 7: Windows Event Log – Target Domain Controller (10.10.0.2)

From the Event ID 4771 details, Netwrix Account Lockout Examiner reads the source IP address of the bad authentication attempt, which in this case is the attacker’s system IP (10.10.0.10).

Figure 8: Event 4771 Details

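As an added example (not code from the Optiv advisory, the PoC, or Netwrix), the Python below shows the check that a lockout examiner should perform on a 4771 before connecting back to the client, and that the advisory says ALE 4.1 skips: parse the event XML, unwrap the IPv4-mapped client address Windows writes into the IpAddress field, and compare it against an inventory of domain-joined hosts. The two sample events and the host inventory are constructed for this example; the attacker address 10.10.0.10 from the lab setup appears as a host that is not domain-joined. The same logic doubles as a detection rule for defenders: a pre-authentication failure whose client address is not a known domain computer is worth an alert whether or not ALE is deployed.

```python
"""Triage Kerberos pre-authentication failures (Event ID 4771) by checking
whether the client address belongs to a known domain-joined host.

Added example; not code from the Optiv advisory or from Netwrix. It shows
the validation the advisory says ALE 4.1 does not perform before it
connects back over SMB. The event XML and the host inventory below are
constructed for this example; the EventData field names (TargetUserName,
IpAddress, Status, PreAuthType) are the ones Windows writes in a 4771.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (Event Viewer "XML View").
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# KDC_ERR_PREAUTH_FAILED: the wrong-password case the advisory describes.
KDC_ERR_PREAUTH_FAILED = "0x18"


def _event_xml(user, ip, status=KDC_ERR_PREAUTH_FAILED):
    """Build a constructed 4771 event in the Windows event XML layout."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4771</EventID><Computer>dc01.bosslab.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">{user}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="IpPort">49812</Data>
    <Data Name="Status">{status}</Data>
    <Data Name="PreAuthType">2</Data>
  </EventData>
</Event>"""


# Constructed sample: one failure from a domain workstation, and one from the
# advisory's attacker address 10.10.0.10, which is not a domain computer.
SAMPLE_EVENTS = [
    _event_xml("b0ss1", "::ffff:10.10.0.50"),
    _event_xml("b0ss1", "::ffff:10.10.0.10"),
]

# Constructed inventory of domain-joined hosts (in practice: AD computer
# objects resolved to addresses, or a CMDB export).
DOMAIN_JOINED_HOSTS = {
    ipaddress.ip_address("10.10.0.2"),   # dc01
    ipaddress.ip_address("10.10.0.50"),  # a workstation
}


def parse_4771(xml_text):
    """Return the EventData fields of a 4771 event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    return {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}


def normalize_client_address(raw):
    """4771 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them."""
    addr = ipaddress.ip_address(raw.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def triage_4771(events, inventory):
    """Classify each bad-password 4771 as domain-joined or unknown-host.

    A lockout examiner should only connect back to the first kind; the
    second kind is what a defender wants alerted on.
    """
    findings = []
    for xml_text in events:
        ev = parse_4771(xml_text)
        if ev is None or ev.get("Status") != KDC_ERR_PREAUTH_FAILED:
            continue  # not a wrong-password pre-auth failure
        ip = normalize_client_address(ev["IpAddress"])
        verdict = "domain-joined" if ip in inventory else "unknown-host"
        findings.append((ev["TargetUserName"], str(ip), verdict))
    return findings


def unknown_host_findings(findings):
    """Only the events whose client address is not a domain-joined computer."""
    return [f for f in findings if f[2] == "unknown-host"]


if __name__ == "__main__":
    results = triage_4771(SAMPLE_EVENTS, DOMAIN_JOINED_HOSTS)
    for user, ip, verdict in results:
        print(f"4771 user={user} client={ip} -> {verdict}")
    for user, ip, _ in unknown_host_findings(results):
        print(f"ALERT: pre-auth failure for {user} from non-domain host {ip}; "
              "do not connect back to it")
```

Run as a script it prints one line per event and an ALERT for the 10.10.0.10 event. The Status filter keeps the rule aligned with the advisory (only the wrong-password case, 0x18, triggers ALE); an inventory lookup is used rather than reverse DNS so that an attacker-controlled host cannot satisfy the check simply by answering name queries.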

A few seconds later, the Netwrix service account with domain admin privileges authenticates to the attacker’s SMB server and its NTLMv2 challenge-response hash is captured.

Figure 9: Netwrix Service Account Credential Disclosure

With this attack scenario, attackers may:

  • Take the captured NTLMv1/v2 hash to conduct offline password cracking in an attempt to recover the cleartext password of the Netwrix service account.
  • Relay the NTLMv1/v2 authentication challenge-response to other Windows hosts on the network that do not require SMB signing, to gain command execution or to dump the credentials stored in their local registry hives, such as SAM or LSA.

Mitigations

Organizations should replace the vulnerable 4.1 version with the latest version of Netwrix Account Lockout Examiner 5.1.

For organizations still running version 4.1, a strong, complex password should be set on the Netwrix service account to make it more resilient to offline password recovery. Moreover, to prevent NTLMv1/v2 relay attacks, SMB signing should be required on all Windows systems wherever possible.

Vulnerability Disclosure Timeline

  • June 09, 2020 – Vulnerability discovered by Optiv
  • June 15, 2020 – Disclosed by Optiv to vendor
  • July 14, 2020 – Vendor acknowledged the issue and agreed to release the fixed version
  • July 23, 2020 – Disclosed to CNA (MITRE Corporation)
  • July 24, 2020 – Vendor released the fixed version of the Netwrix Account Lockout Examiner 5.1
  • July 24, 2020 – CVE-2020-15931 assigned by CNA (MITRE Corporation)
  • August 13, 2020 – Disclosed to the public

References

  • Event ID 4771
  • Impacket smbserver.py
  • Gokrb5 Client
  • CVE-2020-15931

Daniel Min
Threat Management Technical Manager | Optiv
Daniel Min is a Technical Manager in Optiv’s Threat Management practice with a concentration on various simulated security assessments. Daniel is a Subject Matter Expert (SME) in cybersecurity assessments, including breach simulations, perimeter and internal penetration testing, and web application and cloud security testing. He has a strong passion for security vulnerability research, exploit development and tool automation.
Robert Surace
Security Consultant | Optiv
Robert Surace is a security consultant in Optiv’s Threat Management practice with a concentration on network, web application and wireless penetration testing, threat simulations, and social engineering assessments. He has over eleven years’ experience with a background in enterprise network engineering, security and design. The skills he developed on the defensive side of security give him a unique perspective when approaching offensive security assessments.