Improper setup of User-ID can lead to external attacks

Oct 21, 2014 15:29 GMT

Misconfiguration of the User-ID module in Palo Alto Networks enterprise firewalls could lead to user credentials falling into the hands of an attacker, who could then access the customer's services from an external network.

The issue derives from the fact that the User-ID feature is supposed to be limited to internal resources that are trusted in the organization, but some users enable it on external/untrusted zones.

Password hashes can be leveraged by external attackers

HD Moore, chief research officer at Rapid7, reported the issue to Palo Alto Networks after noticing that, when scanning a misconfigured Palo Alto Networks (PAN) device, the scanning host would receive authentication attempts from User-ID.

“A number of PAN customers have enabled Client Probing and Host Probing within the User-ID settings, but have not limited these probes to trusted zones or the internal IP space of the organization. As a result, an external attacker can trigger a security event on the PAN appliance, resulting in an outbound SMB connection from User-ID to the attacker's IP address,” Moore writes in an advisory.

As a result, the attacker captures the username, domain name and password hash (in NetNTLM format) of the service account assigned to User-ID, exposing the organization to remote compromise.
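The symptom Moore describes, an outbound SMB connection from the User-ID host to an address outside the organization, is something a defender can look for in flow or firewall logs. The following detection is an added example, not code from Palo Alto Networks or Rapid7; the log format, the agent address and the internal address ranges are constructed assumptions.

```python
"""Flag SMB/NetBIOS connections from the User-ID host to addresses outside the trusted space.

Added example; the log format below is constructed and is not the PAN-OS traffic-log
format. The agent address and internal ranges are assumptions for illustration.
"""
import ipaddress

# Assumed internal address space to which User-ID probing should be limited.
INTERNAL_RANGES = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed address of the host running the User-ID agent (constructed).
USERID_AGENT = ipaddress.ip_address("10.1.1.5")
# Ports used by the SMB/NetBIOS probes that leak the NetNTLM response.
SMB_PORTS = {139, 445}


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in INTERNAL_RANGES)


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def find_external_probes(lines):
    """Return flows where the User-ID host opened SMB/NetBIOS to a non-internal address."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        if (flow["src"] == USERID_AGENT and flow["dport"] in SMB_PORTS
                and not is_internal(flow["dst"])):
            hits.append(flow)
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
# standing in for arbitrary external addresses.
SAMPLE_LOG = [
    "2014-07-10T09:12:01Z 10.1.1.5 10.20.30.40 445 tcp",   # probe of an internal host: expected
    "2014-07-10T09:12:05Z 10.1.1.5 203.0.113.17 445 tcp",  # SMB to an external host: flag
    "2014-07-10T09:12:09Z 10.1.1.5 198.51.100.8 139 tcp",  # NetBIOS to an external host: flag
    "2014-07-10T09:12:12Z 10.2.2.2 203.0.113.17 445 tcp",  # not the User-ID host: ignore
    "2014-07-10T09:12:15Z 10.1.1.5 203.0.113.17 443 tcp",  # not SMB: ignore
]

if __name__ == "__main__":
    for hit in find_external_probes(SAMPLE_LOG):
        print(f"{hit['ts']} User-ID host -> {hit['dst']}:{hit['dport']} leaves trusted space")
```

Any hit is a sign that probing reaches untrusted zones and that the User-ID service account's NetNTLM response may have been handed to an outside party.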

According to the researcher, an attacker could attempt to authenticate to other Internet-facing services that accept NTLMSSP (NT LAN Manager Security Support Provider) authentication from connections outside the enterprise. This includes access to services such as VPN, Outlook Web Access and Microsoft IIS web servers.

NTLMSSP is a binary messaging protocol used in the Windows ecosystem to carry NTLM challenge-response authentication and to negotiate integrity and confidentiality options.

Admins directed to guide for secure setup of User-ID feature

“The issue of Windows account exposure through automated services is well-known and applies to almost every systems management product and utility in the Windows ecosystem. The PAN User-ID misconfiguration can present a serious exposure depending on the privileges granted to the service account assigned to User-ID,” the researcher said.

HD Moore started to notice signs of suspicious activity in July, and after getting to the root of the problem, he disclosed it privately to Palo Alto Networks.

The company issued an advisory of its own regarding the misconfiguration of the User-ID setting in its devices, recommending that network administrators restrict the feature to the internal infrastructure in order to mitigate the risk of leaking user credentials.

Furthermore, administrators are pointed to a set of best practices for securing User-ID deployments.

Palo Alto Networks provides network security products, mainly firewalls that increase visibility across the infrastructure and offer granular control of network activity.