Security Experts:

Default WSUS Configuration Puts Organizations at Risk: Researchers

Use of SSL Prevents Hackers from Abusing Windows Server Update Services (WSUS)

LAS VEGAS - BLACK HAT USA 2015 - Organizations that fail to configure Windows Server Update Services (WSUS) to use SSL are exposed to cyberattacks, researchers have warned.

In a presentation last week at the Black Hat security conference in Las Vegas, researchers from Context Information Security demonstrated how Windows Update, and particularly WSUS, can be abused in attacks aimed at corporate networks.

WSUS is designed to allow IT administrators to fully manage the distribution of updates to the machines in their organization’s network. WSUS relies on SOAP XML calls to perform updates.

The WSUS configuration wizard in Windows Server 2012 advises users to utilize SSL with the service once the system has been set up. However, since SSL is not enabled by default, experts believe a “significant number” of WSUS deployments don’t use SSL.

The Windows Update feature is designed to accept only packages signed by Microsoft, which prevents attackers from modifying the files without invalidating their signature. However, experts discovered that a malicious actor can modify the update metadata and create fake updates.

Since there is no specific signing certificate for Windows updates, any file signed by a Microsoft certificate authority (CA) is accepted. According to researchers, a man-in-the-middle (MitM) attacker can cause a client to run any Microsoft-signed executable by intercepting and modifying SOAP requests between the client and the WSUS server.

One way to launch attacks is by abusing CommandLineInstallation, an update handler that allows an executable file to be downloaded and run with arbitrary arguments. One signed executable tested by experts is PsExec, a Sysinternals utility designed for executing processes on remote systems.

“By injecting an update that uses PsExec, the update XML can specify any arguments for PsExec, therefore allowing the attacker to run arbitrary commands,” Context wrote in its research paper.

Since PsExec is often abused by malicious actors, some security solutions flag it as a hacking tool, which is why researchers have attempted to find other executables signed by Microsoft that could be used in attacks. One alternative to PsExecu is BgInfo, a Sysinternals utility designed to display information about a device (e.g. name, IP address, service pack version, etc.) on the desktop background.

BgInfo can be configured to display custom fields with the aid of VBScript files. Attackers can use a VBScript file hosted on an unauthenticated Windows share to execute arbitrary commands on a system, Context said.

“It’s a simple case of a common configuration problem,” said Paul Stone, a senior researcher at Context. “While Microsoft does not enforce SSL for WSUS, it presents the option and most companies will go through this extra stage to use HTTPS. But for those that don’t it presents an opportunity for an administrator to compromise complete corporate networks in one go.”

Microsoft is aware of the issue and advises customers to follow best practices in order to protect themselves against potential attacks.

“Security IT professionals can protect against this man-in-the-middle attack by configuring Windows Server Update Services to use Secure Socket Layer (SSL), which is a well-documented best practice. More information about best practices for WSUS security can be found here,” a Microsoft spokesperson told SecurityWeek.

Researchers noted that Microsoft could implement further mitigations to protect users.

“Using a separate signing certificate for Windows Update would increase protection and the update metadata itself could be signed by Microsoft to prevent tampering,” said Alex Chapman, a senior researcher at Context. “Signing the tags that contain the main detail of the updates with a Microsoft certificate would avoid the necessity of setting up a trust relationship between the client and WSUS server.”

In addition to the WSUS security issues, researchers raised concerns about the thousands of third-party USB drivers that can be installed via Windows Update. According to experts, low privileged users could install these drivers, which might be plagued by vulnerabilities that can be exploited for malicious purposes, through the Windows Update service by plugging in a USB device.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.