Yesterday at Black Hat USA, researchers from UK-based Context Information Security demonstrated how Windows Update can be abused for internal attacks on corporate networks by exploiting insecurely configured enterprise implementations of Windows Server Update Services (WSUS).
WSUS allows admins to co-ordinate software updates to servers and desktops throughout their organisations, but the Microsoft default install for WSUS is to use HTTP and not SSL-encrypted HTTPS delivery. By exploiting this weakness, the Context researchers were able to use low-privileged access rights to set up fake updates that installed automatically. These updates could potentially download a Trojan or other malware and be used to set up admin access with a false user name and password. Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable.
“It’s a simple case of a common configuration problem,” says Paul Stone, principal consultant at Context and one of the presenters at Black Hat yesterday. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.”
Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack.
While following Microsoft’s guidelines to use SSL for WSUS will protect against the described attacks, Context also suggests that there are further ‘defence in depth’ mitigations that could be implemented by Microsoft to provide further protection.
“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” says Alex Chapman principal consultant at Context and joint presenter at Black Hat. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”
During the Black Hat presentation, the Context researchers also raised concerns about third-party drivers installed via Windows update. There are over 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions.
“We have started to download and investigate some 2,284 third-party drivers,” said Stone. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the ‘searching for Drivers’ and ‘Windows Update’ dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”
A detailed paper to accompany the Black Hat presentation entitled ‘Compromising the Windows Enterprise via Windows Update’ can be downloaded at: http://www.contextis.com/news/new-paper-released-compromising-windows-enterprise/