Lane Thames, Security Research and Software Development Engineer at Tripwire, says encryption was the key to this attack scenario and it could pose a big problem for corporations.
Lane Thames, Security Research and Software Development Engineer at Tripwire:
“Man-in-the-middle (MiTM) attacks are very dangerous. Often, MiTM attacks require the attacker to reside on the same network in between source and destination machines. That appears to be the case with the MiTM attack described by Paul Stone and Alex Chapman at Black Hat. Their attack scenario targets organizations that use WSUS servers to update their servers and desktops. The key to this attack scenario is weak or no encryption. Particularly, Stone and Chapman show that WSUS servers not using proper encryption techniques are susceptible to malware injection attacks.
My biggest concern with their finding is the possible impact the attack scenario could have. The impact could be very large because many organizations have poorly configured encryption services on their Windows servers. In a recent study, we reviewed vulnerability scan data collected between the years 2011 and 2015 for Windows Server 2003. When ranking Windows Server 2003 vulnerability scan data into a list of the top 50 most observed vulnerabilities, the study’s results showed that approximately 25% of Windows Server 2003 vulnerabilities were related to SSL, TLS, and weak encryption.
Although the study was focused on Windows Server 2003, the results are indicative of a system administration trend as much as a trend for Server 2003—meaning that these results are similar to other Windows Server platforms. In particular, system administrators have a very hard time correctly configuring encryption services on Windows servers. To change this trend, system administrators will need to: 1) increase their understanding of encryption technology, 2) understand how to properly configure Windows encryption services, and 3) understand how new vulnerabilities associated with encryption technologies impact configuration options for Windows encryption services.”