by Christopher Duram

The impact of a single vulnerability is often hard for an organization to measure. The results from an automated scanner or a software manufacturer’s security bulletin on a vulnerability may differ wildly from its actual impact. This leaves organizations scrambling as “Patch Tuesday” (an unofficial term for when Microsoft® and others regularly release software patches) arrives and they attempt to patch everything. Other organizations choose to focus exclusively on critical or high vulnerabilities discovered by their vulnerability scanner, leaving lower-ranking vulnerabilities ignored.

It is understandable that companies would focus on vulnerabilities that their managed service provider or vulnerability scanner have flagged as critical. These should be patched. However, what about the lower-ranking vulnerabilities that have also been identified? What should be done? Depending on the vulnerability and where it is within your organization’s network or web application, it may be minor, or it may be critical in nature.

One of the most important reasons to ensure vulnerabilities are discovered and patched at all levels is to prevent vulnerability chaining. This occurs when an attacker combines vulnerabilities to achieve a goal that is not possible with one vulnerability alone. A common example seen on Network Penetration Testing engagements is disabled or unenforced Server Message Block (SMB) signing (SMB signing helps secure communications and data across networks). One of the most popular vulnerability scanning tools labels this vulnerability as medium in severity. Because of its severity level and because Microsoft has it unenforced by default, it is often left in an unenforced state, and companies are left unprotected from man-in-the-middle attacks. In a recent internal penetration testing engagement, the Elliott Davis Penetration Testing team leveraged unenforced SMB signing to gain an initial foothold within a client’s environment. From that foothold, the team was able to eventually access domain admin credentials and dump password hashes. The Penetration Testing team accessed numerous passwords due to a weak Active Directory password policy (another vulnerability). From this point, the team had access to web mail and other web portals due to the lack of multi-factor authentication (yet another vulnerability).

Another example is the well-known vulnerability in Apache’s Log4j software library or “Log4Shell”. Log4Shell’s product VMware Horizon had a known vulnerability. VMware Horizon often sits on the edge of a company’s network. A cybercriminal who can compromise a VMware Horizon server may gain access to other systems through a technique known as pivoting (connecting from one compromised system to another on the same IT network). The vulnerability allowed the reuse of local administrator passwords that could be chained and pivoted. 

The Elliott Davis team identified this scenario during a recent penetration test. Once access was gained to a VMware Horizon server, local password hashes from the server were also available. The team discovered those local password hashes were reused on other IT systems. During this assessment, the final vulnerability that could be chained for full network compromise was the use of unencrypted Lightweight Directory Access Protocol (LDAP). The Penetration Testing team identified the ability to reuse the administrator password to access a Windows server. This server was running a service that used a domain administrator username and password to communicate with a domain controller over unencrypted LDAP. The Penetration Testing team discovered the domain administrator password used by the service in captured network packets directly on the server. The administrator password was clearly visible due to the lack of encryption.

We Can Help

Attackers are often successful due to creative vulnerability chaining for maximum impact. A penetration test can discover multiple avenues that may lead to the overall compromise of a network. We take the time to discover those paths and provide an attack diagram for our clients that outlines the different avenues and how each vulnerability contributes to an attack. Our goal is to help organizations identify issues and assist with remediation before cybercriminals attempt a compromise. For more information on how Elliott Davis can help your organization, contact a member of the Elliott Davis Penetration Testing team.

The information provided in this communication is of a general nature and should not be considered professional advice. You should not act upon the information provided without obtaining specific professional advice. The information above is subject to change.