Windows Server Update Services open to attack

Hackers could subvert Windows Update to install malware in organisations


Security researchers have discovered a way for hackers to exploit insecurely configured enterprise implementations of Windows Server Update Services (WSUS).

The problem lies with default settings for WSUS; these use HTTP and not SSL-encrypted HTTPS delivery. According to researchers at Context Information Security, hackers could use low-privileged access rights to set up fake updates that installed automatically.

These updates could potentially download a Trojan or other malware and be used to set up admin access with a false user name and password. Any Windows computer that fetches updates from a WSUS server using a non-HTTPS URL is vulnerable.

“It's a simple case of a common configuration problem,” said Paul Stone, principal consultant at Context. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don't it presents an opportunity for an administrator to compromise complete corporate networks in one go.”

The hack was demonstrated at the Black Hat security conference in Las Vegas.

Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack.
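
The per-machine registry check described above, as an added PowerShell example that is not from Context's research or the original article. It assumes the standard Windows Update policy location (`HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`, with the values `WUServer`, `WUStatusServer` and `AU\UseWUServer`), which the article does not name; `Test-WsusUrl` is a hypothetical helper.

```powershell
# Added example: audit this machine's Windows Update policy for a non-HTTPS WSUS URL.
# Assumption: WSUS is configured through the standard policy keys below.
$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = Join-Path $wuKey 'AU'

# Hypothetical helper: classify one configured URL by its scheme.
function Test-WsusUrl {
    param([string]$Name, [string]$Url)

    $uri = $null
    if ([string]::IsNullOrWhiteSpace($Url)) {
        $status = 'NotSet'
    } elseif (-not [Uri]::TryCreate($Url.Trim(), [UriKind]::Absolute, [ref]$uri)) {
        $status = 'Unparseable'          # review by hand; do not assume it is safe
    } elseif ($uri.Scheme -eq 'https') {
        $status = 'OK'
    } else {
        $status = 'Vulnerable'           # plain HTTP: update traffic can be tampered with in transit
    }
    [pscustomobject]@{ Setting = $Name; Value = $Url; Status = $status }
}

# Missing keys simply yield $null rather than an error.
$wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
$au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

if (-not $wu -or $au.UseWUServer -ne 1) {
    # UseWUServer must be 1 for the client to honour WUServer at all.
    Write-Output 'No WSUS server is enforced by policy on this machine.'
} else {
    $results = @(
        Test-WsusUrl -Name 'WUServer'       -Url $wu.WUServer
        Test-WsusUrl -Name 'WUStatusServer' -Url $wu.WUStatusServer
    )
    $results

    if ($results.Status -contains 'Vulnerable') {
        Write-Warning 'WSUS is configured over HTTP. Enable SSL on the WSUS server and update the policy URL to https.'
    }
}
```

Both values are checked because the update server and the status server are set separately and either can be left on HTTP.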

While following Microsoft's guidelines to use SSL for WSUS would protect against the attacks, the researchers also said other 'defence in depth' mitigations could be implemented by Microsoft to protect organisations from this type of attack.

“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” said Alex Chapman, principal consultant at Context. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”

The researchers also said there were security risks around third-party drivers installed via Windows Update. There are more than 25,000 potential USB drivers that can be downloaded – although this list includes many duplicates, generic drivers and obsolete versions.

“We have started to download and investigate some 2,284 third-party drivers,” said Stone. “Our concern is that when plugging in a USB device, some of these drivers may have vulnerabilities that could be exploited for malicious purposes. Everyone is familiar with the 'searching for Drivers' and 'Windows Update' dialog boxes on their desktops – but these seemingly innocuous windows may be hiding some serious threats.”

Richard Cassidy, technical director EMEA at Alert Logic, told SCMagazineUK.com that the threat is more likely to be exploited through weak proxy security setups for organisations that implement WSUS for Microsoft updates.

“In short, this is a code injection threat that is executed through a MiTM attack, given that by default MSFT update requests from the client using WSUS are not encrypted. Ultimately the threat relies on many factors being present, from poorly controlled user privilege settings, unencrypted WSUS implementation in the enterprise (which is fairly simple to set up) and seems to rely on third party driver updates as the main vector for malware application infection,” he said.

He added that the moving parts required to successfully exploit target systems using WSUS implementations make this threat vector more difficult to exploit and, as such, it's questionable as to how popular it will be as an attack tool by most cyber-criminal groups and threat actors.

“It certainly does highlight, however, that by following best practices in user privileges and SSL implementation for WSUS, we can effectively thwart MiTM and software package installations that would be required to see this exploit successfully run,” added Cassidy.

Gavin Millard, technical director at Tenable Network Security, told SCMagazineUK.com that by default, files to be installed by WSUS are checked for validity and integrity, but the commands the update runs at the point of install aren't.

“Couple this with the fact SSL isn't enabled by default on WSUS, it could enable a motivated attack to craft and insert an update which includes a valid Microsoft executable but contains a nefarious command line option to execute an external script - leading to privilege escalation and malicious code execution,” he said.

“Simply put, if you haven't enabled SSL on WSUS, this should be implemented now to ensure the updates delivered by Microsoft are actually by Microsoft rather than an attacker who has interfered with the communication path for their own gains.”

Espion trainer Sean Hanna told SCMagazineUK.com that the likelihood of an attack depends on the security “posture” of the network.

“Let's make something crystal clear – there's no excuse for this one, it's all down to correct configuration,” said Hanna. “Organisations can quickly find out if they are vulnerable by checking the WSUS group policy settings, while it is possible to check if an individual machine is incorrectly configured by looking at the appropriate registry keys. If the URL does not start with https, then the computer is vulnerable to the injection attack.”

He said he believes in ITIL-based configuration, release and change management based on a comprehensive policy- and procedure-driven, risk-based security approach. “If the WSUS server was installed according to best practice, this one's a non-starter. Even if yours isn't, a strong defence-in-depth approach offers a good compensating control – the hacker needs access to your internal network, they need to perform network reconnaissance, they need to bypass your anti-virus,” said Hanna.