R7-2014-16: Palo Alto Networks User-ID Credential Exposure

Blog Post created by hdmoore on Oct 14, 2014

Project Sonar tends to identify unexpected issues, especially with regards to network security products. In July of this year, we began to notice a flood of incoming SMB connections every time we launched the VxWorks WDBRPC scan. To diagnose the issue, we ran the Metasploit SMB Capture module on one of our scanning nodes and collected the results. After reviewing the data, we realized a common trend in the usernames of the incoming SMB connections.


After some digging, we traced this back to the Palo Alto Networks (PAN) User-ID feature, an optional component provided by PAN that "gives network administrators granular controls over what various users are allowed to do when filtered by a Palo Alto Networks Next-Generation Firewall ". We contacted PAN and they confirmed that some of their customers must have misconfigured User-ID to enable the feature on external/untrusted zones. In summary, every time we triggered a PAN filter on a misconfigured appliance, our scanning node would receive an inbound authentication attempt by User-ID. This issue is not a vulnerability in the typical sense, but we felt that the impact was significant enough that it required notification and public disclosure.


A number of PAN customers have enabled Client Probing and Host Probing within the User-ID settings, but have not limited these probes to trusted zones or the internal IP space of the organization. As a result, an external attacker can trigger a security event on the PAN appliance, resulting in an outbound SMB connection from User-ID to the attacker's IP address.


This in turn allows an attacker to obtain the username, domain name, and encrypted password hash (typically in NetNTLM format) of the account that User-ID is configured to use. Since this feature requires privileged rights, the encrypted password hash is a serious concern and can expose the organization to a remote compromise.


In addition to simply capturing the authentication details from the User-ID probe, the attacker could use off-the-shelf tools to relay the authentication back to any external-facing customer asset that accepts NTLMSSP authentication from the external network. Common examples include SSL VPNs, Outlook Web Access, and Microsoft IIS web servers.


The issue of Windows account exposure through automated services is well-known and applies to almost every systems management product and utility in the Windows ecosystem. The PAN User-ID misconfiguration can present a serious exposure depending on the privileges granted to the service account assigned to User-ID. The same issue applies to thousands of products that perform automated authentication within the Windows ecosystem and we have observed the same misconfiguration in similar products. A correctly configured User-ID will still attempt to authenticate to internal hosts when Client Probing or Host Probing are enabled.


It is possible to configure service accounts and the network in a way that mitigates the impact of NTLM relay and password hash cracking attacks. For more information on hardening Windows service accounts, please see the Mitigating Service Account Credential Theft on Windows whitepaper.


Palo Alto Networks has released an advisory to track this issue. PAN customers should review the Best Practices for Securing User-ID Deployments document and immediately restrict User-ID to trusted zones or at least the IP ranges of trusted networks. We also recommend that customers review the Windows Service Account Credentials white paper, with an emphasis on hardening NTLM and blocking egress traffic on TCP ports 135, 139, and 445. This document also goes into methods that can be used to detect the use of stolen accounts, something that Rapid7 UserInsight customers can take advantage of today.