CVE-2014-6324: Insider Threat and Active Directory
Microsoft remains a huge force in enterprise IT, both in the data center and more recently as a cloud infrastructure-as-a-service (IaaS) player. Active Directory is the most widely deployed and adopted directory, authentication, and authorization solution with over 95% of global businesses using AD as their system of record.
Over the last three decades, it has become the basis for numerous internal security and compliance controls, and many organizations attempt to meet their regulatory compliance requirements for cybersecurity through a complex mesh of AD groups and policies. However, the recent announcement of a critical flaw in the Kerberos implementation in Active Directory underscores why relying on black box cryptography solutions for privileged user management is not the way forward for next generation infrastructures.
Broadly, we look at Conjur and its cryptographic and token code (which is all open source — you can see some of it at SloSilo on GitHub) as being a stronger alternative. Conjur is currently in use by organizations including Netflix, OpenDNS, Rally Software Development, Puppet Labs, and more; all of these companies have adopted Conjur to handle authorization, secrets management and distribution, and regulatory response, and can personally validate that similar vulnerabilities do not exist in the SloSilo code we use.
So, why is Active Directory not the preferred system for these organizations? To understand that, let’s begin by looking more closely at this vulnerability in particular.
In early November, Mitre announced CVE-2014-6324, a critical bug in Microsoft’s domain controller code that allows for a remote elevation of privilege attack, with Windows Server 2008 R2 and earlier noted as the most vulnerable systems. A security bulletin has subsequently been released (MS14-068).
In essence, the issue here is architectural; a user who holds valid domain credentials of any kind — for example, a low-level administrator or even a former employee who has not been fully expunged from your network — can forge an important part of the token exchange with the Key Distribution Center (or “KDC”) that runs on Windows domain controller servers. In doing so, these domain users can then obtain arbitrary privileges.
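One thing a defender can do beyond patching is look for the trace this kind of forgery leaves in the security log: a logon (Windows event ID 4624) whose New Logon "Security ID" belongs to a different account than the "Account Name" recorded for the session, typically the built-in Administrator SID (RID 500) attached to an ordinary user's name. Microsoft's guidance on this issue pointed at exactly that mismatch. The following Python is an added example, not code from the original post or from Conjur; it assumes security events exported as text that carries the raw SID (as the event XML does), and both the directory snapshot and the event records are constructed sample data.

```python
"""Flag 4624 logon events whose New Logon SID does not resolve to the
recorded account name.  Added example with constructed sample data."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory snapshot: the SID each account is expected to log on with.
DIRECTORY = {
    "S-1-5-21-1111-2222-3333-500": "administrator",
    "S-1-5-21-1111-2222-3333-1105": "jdoe",
    "S-1-5-21-1111-2222-3333-1106": "asmith",
}

# Constructed, abbreviated event records in the field layout Windows uses.
SAMPLE_EVENTS = [
    # Ordinary logon: SID and account name agree.
    "EventID: 4624\nSubject:\n  Security ID: S-1-5-18\n  Account Name: DC01$\n"
    "New Logon:\n  Security ID: S-1-5-21-1111-2222-3333-1105\n"
    "  Account Name: jdoe\n  Account Domain: CORP\n",
    # Suspicious: jdoe's session carries the built-in Administrator SID.
    "EventID: 4624\nSubject:\n  Security ID: S-1-5-18\n  Account Name: DC01$\n"
    "New Logon:\n  Security ID: S-1-5-21-1111-2222-3333-500\n"
    "  Account Name: jdoe\n  Account Domain: CORP\n",
    # Suspicious: SID is not in the directory snapshot at all.
    "EventID: 4624\nNew Logon:\n  Security ID: S-1-5-21-1111-2222-3333-9999\n"
    "  Account Name: asmith\n  Account Domain: CORP\n",
    # Not a logon event; ignored.
    "EventID: 4672\nSubject:\n  Security ID: S-1-5-21-1111-2222-3333-500\n"
    "  Account Name: administrator\n",
]

SID_RE = re.compile(r"Security ID:\s*(S-1-5-[\d-]+)")
NAME_RE = re.compile(r"Account Name:\s*(\S+)")


@dataclass
class Finding:
    account_name: str
    sid: str
    expected_name: Optional[str]
    reason: str


def parse_new_logon(event_text: str) -> Optional[Tuple[str, str]]:
    """Return (sid, account_name) from the New Logon section only.

    A 4624 event lists 'Security ID' and 'Account Name' twice (Subject and
    New Logon); the New Logon section describes the session that was created.
    """
    if "New Logon:" not in event_text:
        return None
    section = event_text.split("New Logon:", 1)[1]
    sid = SID_RE.search(section)
    name = NAME_RE.search(section)
    if not sid or not name:
        return None
    return sid.group(1), name.group(1).lower()


def check_event(event_text: str, directory=DIRECTORY) -> Optional[Finding]:
    """Return a Finding when the session SID does not match the account name."""
    if "EventID: 4624" not in event_text:
        return None
    parsed = parse_new_logon(event_text)
    if parsed is None:
        return None
    sid, name = parsed
    expected = directory.get(sid)
    if expected is None:
        return Finding(name, sid, None, "SID not present in directory snapshot")
    if expected != name:
        reason = "account name does not match SID"
        if sid.rsplit("-", 1)[1] == "500":
            reason += " (SID is the built-in Administrator, RID 500)"
        return Finding(name, sid, expected, reason)
    return None


def scan(events: List[str], directory=DIRECTORY) -> List[Finding]:
    """Run check_event over a batch of exported event records."""
    return [f for f in (check_event(e, directory) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.account_name} logged on as {finding.sid}: {finding.reason}")
```

In practice the directory snapshot would be pulled from AD itself and the events from a SIEM or an export of the Security log; the check is cheap enough to run over every 4624 on domain controllers and member servers. A mismatch here is only an indicator, but it is one that ordinary group-membership changes never produce, which keeps the false-positive rate low.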
There are three reasons why this is particularly devastating:
- CVE-2014-6324 leaves you vulnerable to insider attacks: This vulnerability creates a significant threat surface for any organization running vulnerable Windows domain controllers, especially where malicious or compromised insiders can exploit the hole, elevate their privileges, and exfiltrate data (or worse);
- Threats from malicious insiders are very common: Based on statistics from the 2013 Ponemon Cost of Cyber Crime Study, malicious insider attacks are among the most costly and common of all cybersecurity risks;
- There is a real and significant cost associated with these kinds of breaches: The average time to resolve an attack is 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day.
Putting CVE-2014-6324 in Context
First and foremost, if you’ve built your authorization infrastructure on Active Directory, please make sure you have applied MS14-068 to any and all vulnerable machines.
Consider how the announcement of CVE-2014-6324 relates to another recent campaign launched by Microsoft, namely, the purchase of Aorato. Aorato provided an advanced persistent threat detection service and firewall for AD, specifically calling out that “your entire organization is connected to and depends on Active Directory” and is a significant source of vulnerability to advanced cyberattacks for data theft. (While Aorato’s services have been discontinued by Microsoft, we can assume that their technology will eventually be integrated in AD in some fashion.)
Taken more broadly, however, this vulnerability demonstrates the specific risks associated with relying on a single legacy black-box technology for authorization services. Nearly everyone runs AD because it’s an entrenched technology, and serves a number of functions fairly well. However, as you consider the evolution of your security and infrastructure choices going into 2015, hoping that no further bugs are found is not a viable strategy.