Misconfigured User Identification Tool Reveals Credentials
Palo Alto Networks recently released a security advisory for their customers about a new potential threat to their credentials due to the misconfiguration of a certain feature that integrates with PAN’s next-generation firewalls. Rapid 7 discovered and reported on the issue in their blog, R7-2014-16: Palo Alto Networks User-ID Credential Exposure.
PAN’s user identification technology, User-ID is a type of administrative logging and reporting tool that helps you better profile users by mapping a user’s identity with their IP address as well as application and authentication activity.
While convenient to have this level of visibility for granular logging, reporting and policy control, if misconfigured by an administrator, it can result in the exposure of the credentials of the User-ID’s (typically administrative) account to an external attacker.
How? If administrators configure the tool to enable WMI (Windows Management Instrumentation) probing on external or untrusted zones, then an external attacker can trigger a security event on a PAN appliance. That, in effect, triggers communication from the User-ID tool to the attacker’s IP address, which allows an attacker to get the username, domain name and encrypted password hash associated with the User-ID account.
WMI probing is a Microsoft feature that collects user information from Windows hosts, and contains a username and encrypted password hash of the account configured with the feature for auth purposes. The feature is used by many networking and network security devices, according to PAN. And unfortunately, it can also be exploited when configured to allow probing and communication with external zones, as can be seen in this situation.
Dartware.com offers more information on WMI probes and the type of queries/data they might request, from information about logged-on users to information about installed software on targeted hosts.
Those types of WMI probes/queries are given the names client probing and host probing by PAN, as associated with their User-ID product. PAN defines client probing as a way to actively probe Microsoft Windows clients on your network about logged-in users, letting you identify laptop users that switch between wired and wireless networks. And host probing lets you probe Microsoft Windows servers for all active network sessions of a users, letting you identify a user by their IP address when they access a network shared on an organization’s server.
Configuring WMI probing correctly with User-ID can help administrators avoid this potential security problem. A document provided by PAN, Best Practices for Securing User-ID Deployments recommends only enabling User-ID and WMI probing on internal and trusted zones, or, effectively disabling WMI probing if your organization doesn’t plan to use it.
The basic takeaway is, if you’re going to use a security device, use it correctly and limit its communication outside your network, or there can be consequences - which should be a given, but sometimes administrators are unaware of the very real and immediate consequences of misconfiguring certain aspects of the powerful tools they use.
PAN also recommends changing passwords on any service account used for WMI probing, if User-ID was misconfigured in this way, highlighting the fact that regularly rotating service account passwords is a recommended best practice. Of course, configuring two-factor authentication is another best security practice when it comes to protecting administrator-level accounts, in order to keep attackers from accessing your networks armed only with the credentials of a User-ID account.