During BlackHat Europe 2015 in Amsterdam, last week, Ian Haken, a security researcher at Synopsys, presented a session titled Bypassing Local Windows Authentication to Defeat Full Disk Encryption. The accompanying research paper (PDF) detailed an ‘evil maid’ attack vector specifically targeting BitLocker Drive Encryption. The most interesting part of the session was the way Ian utilized a vulnerability to bypass the logon screen of recent Windows versions, a vulnerability patched by Microsoft on November 10, 2015.
In situations where the Windows logon screen of a domain-joined device is the only obstacle, it can be bypassed by utilizing a vulnerability in the Kerberos protocol combined with the cached credentials functionality in Windows.
The Kerberos protocol describes how authentication works, but also how password changes may occur. This latter part is described in RFC 3244.
The attack requires setting up a mock Active Directory Domain Controller with the target user account’s password set as expired.
When performing this attack, the attacker could retrieve the domain and username from network traffic (both will show up in plaintext as part of the DNS/Kerberos protocols) or just by reading both names off of the login screen on the target device. The next step is to connect the target machine to the network where the mock Domain Controller advertises its presence. Once connected, the attacker logs in to the target machine using the password specified when setting up the domain user account. Because the password is considered expired, the target machine will prompt the attacker to set a new password (which the attacker will set to an arbitrary, attacker-known value). Although the login will still fail (because the machine password on the Domain Controller is absent), the new user password value nonetheless poisons the local credentials cache.
The final step is to disable the device’s network connection and log in with the new password, which will be validated against the poisoned cache. Once logged in, the attacker now has access to all of the user’s data, such as emails, intellectual property, saved passwords, cached credentials, etc.
The bypass can be exploited only if the device has BitLocker Drive Encryption enabled without a PIN or USB key, the device does not have a boot password in BIOS configured, the device is domain-joined, at least one person has logged on with a domain account before, cached credentials are enabled, and the attacker has physical access to the device.
The security updates accompanying security bulletin MS15-122 resolve the above bypass in Microsoft Windows.
Affected Operating Systems
All Windows and Windows Server operating systems currently supported by Microsoft are affected by the vulnerability. Therefore, Microsoft has released a security update to resolve the vulnerability for:
- Windows Vista with Service Pack 2
- Windows Vista x64 with Service Pack 2
- Windows 7 with Service Pack 1
- Windows 7 x64 with Service Pack 1
- Windows 8
- Windows 8 x64
- Windows 8.1
- Windows 8.1 x64
- Windows 10
- Windows 10, x64
- Windows 10 1511
- Windows 10 1511 x64
- Windows Server 2003 with Service Pack 2
- Windows Server 2003 x64 with Service Pack 2
- Windows Server 2003 for Itanium-based Systems with Service Pack 2
- Windows Server 2008 with Service Pack 2
- Windows Server 2008 x64 with Service Pack 2
- Windows Server 2008 for Itanium-based Systems with Service Pack 2
- Windows Server 2008 R2
- Windows Server 2008 R2 for Itanium-based Systems
- Windows Server 2012
- Windows Server 2012 R2
Although Windows RT and Windows RT 8.1 are deemed vulnerable, they cannot be joined to an Active Directory domain, and therefore, strictly, do not need this update.
Updates KB3101246, KB3105213 and KB3105211
Using Windows Update, Windows Server Update Services, System Center Configuration Manager, Intune, or your third-party update solution, install the following updates on your domain-joined systems:
- KB3101246 for Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2
- KB3105213 (Cumulative update) for Windows 10
- KB3105211 (Cumulative update) for Windows 10 build 1511
On Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2, update KB2919355 (the April 2014 cumulative update) needs to be installed.
If you install a language pack after you install this update, you must reinstall this update.
- Customers who intend to manually install all three updates on Windows 7 Service Pack 1 or Windows Server 2008 R2 Service Pack 1 should install the updates in the following order: KB3101246 first, KB3081320 second, and KB3101746 third.
- Customers who intend to manually install all three updates on Windows 8 or Windows Server 2012 should install the updates in the following order: KB3101246 first, KB3101746 second, and KB3081320 third.
A system restart is required after you apply this security update.
A workaround for the immediate attack is to disable cached credentials on domain-joined devices. Use Group Policy for this purpose.
Change the value of "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" to 0 under Computer Configuration, Windows Settings, Local Policy, Security Options.
When you set this policy, colleagues using domain-joined devices will not be able to use their devices when these are offline or otherwise disconnected from the corporate network.
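The following script is an added example (not part of the original post or of Microsoft's guidance) that audits a single host against the exposure conditions listed earlier (domain-joined, cached credentials enabled, BitLocker without PIN or startup key, MS15-122 update missing) and reports whether the cached-credentials workaround is in effect. It assumes the BitLocker PowerShell module is available (Windows 8 / Windows Server 2012 and later) and that it runs in an elevated session; the registry value name, the cmdlets and the KB numbers are real, the `$findings` layout is the script's own.

```powershell
# Added example (not from the original post): audit one host for the MS15-122 exposure conditions.
$findings = [ordered]@{}

# 1. Domain membership: the bypass only applies to domain-joined devices.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$findings['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. Cached credentials: the policy "Number of previous logons to cache" is stored
#    in this Winlogon value; 0 means caching is disabled (the workaround is in effect).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
$findings['CachedLogonsCount'] = [int]$cached

# 3. MS15-122 fix present? Any of the three KBs from the bulletin counts.
$ms15122 = 'KB3101246', 'KB3105213', 'KB3105211'
$installed = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $ms15122 -contains $_.HotFixID }
$findings['MS15_122_Installed'] = [bool]$installed

# 4. BitLocker on the OS drive: TPM-only protection (no PIN and no startup key)
#    is the configuration the post describes as exposed.
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$findings['BitLockerOn'] = ($vol.ProtectionStatus -eq 'On')
$preBoot = @($types | Where-Object { $_ -like 'TpmPin*' -or $_ -like '*StartupKey' })
$findings['TpmOnlyProtector'] = ($types -contains 'Tpm') -and ($preBoot.Count -eq 0)

# Exposed = every condition from the post holds and the fix is missing.
# (BIOS boot password and "someone has logged on before" are not checked here.)
$findings['ExposedToBypass'] = $findings.DomainJoined -and ($findings.CachedLogonsCount -gt 0) -and
    (-not $findings.MS15_122_Installed) -and $findings.BitLockerOn -and $findings.TpmOnlyProtector

[pscustomobject]$findings | Format-List
```

On Windows 10, later cumulative updates supersede KB3105213/KB3105211, so a missing KB there is not by itself proof of exposure; confirm the installed build instead.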
Call to action
Microsoft has not identified any mitigating factors, and the workaround of disabling cached credentials is not viable for many organizations. I therefore urge you to install KB3101246 (or KB3105213/KB3105211) on domain-joined devices in a test environment as soon as possible, assess the risk and possible impact on your production environment, and then roll out this update to domain-joined devices in production.