It only happens if sys admins forget to turn on SSL for WSUS

Aug 7, 2015 14:33 GMT  ·  By

Security experts from Context, an independent cyber-security firm, have discovered a way to compromise Windows machines through Windows Server Update Services (WSUS), the Windows Server role that distributes Microsoft updates inside an organization.

Presenting their findings at the Black Hat USA 2015 conference in Las Vegas, senior researchers Alex Chapman and Paul Stone demonstrated how an improperly configured Windows Server Update Services installation can be abused by an attacker to deliver malicious updates to the computers on an internal enterprise network.

Forgetting to turn on SSL for Windows Server Update Services is the main problem

Windows Server Update Services, or WSUS for short, is essentially a caching proxy: it fetches official Microsoft updates and stores them locally, letting a company's system administrators control when and how updates are delivered to the company's PCs.

This gives enterprises more control over their internal PC estate, but when administrators do not enable SSL for WSUS, clients fetch update metadata over plain HTTP, and that puts the entire network at risk.

According to the research paper, "by re-purposing existing Microsoft-signed binaries, we were able to demonstrate that an attacker can inject malicious updates in order to execute arbitrary commands."

Local access to the Windows Server's network is needed

This was done by modifying update metadata and by creating fake updates for the WSUS clients to install.

For such fake updates to be delivered, an attacker needs access to the internal network. From a machine on that network they can perform a man-in-the-middle attack on the unencrypted WSUS traffic, tamper with the update metadata, and deliver their chosen payload to the clients.

Fixing this issue, according to the researchers, is as easy as enabling SSL on the WSUS server and pointing clients at its https:// address, but they also make other recommendations, which only Microsoft can implement.

These include signing update metadata so it cannot be tampered with, and using a separate signing certificate for Windows Update, distinct from the general Microsoft code-signing signature used for many other products, such as the Sysinternals tool PsExec, which the researchers delivered as a malicious update to run arbitrary commands on the client.
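As an added example (not part of the Context research or of this article), here is a PowerShell check an administrator could run on a domain-joined client to confirm that its WSUS policy points at an https:// address rather than plain http://. The registry values it reads (WUServer, WUStatusServer and UseWUServer under the Windows Update policy key) are the standard ones that the "Specify intranet Microsoft update service location" Group Policy setting writes; the server names and the two sample configurations are constructed for illustration and do not refer to any real environment.

```powershell
# Added example: audit the WSUS client policy for a plaintext (http://) update
# server URL, which is the precondition for the update-tampering attack above.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

function Test-WsusClientTransport {
    param(
        # Hashtable with UseWUServer / WUServer / WUStatusServer; when omitted,
        # the values are read from this machine's policy registry keys.
        [hashtable]$Policy = $null
    )

    if (-not $Policy) {
        $Policy = @{}
        $wu = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $au = Get-ItemProperty -Path "$PolicyKey\AU" -ErrorAction SilentlyContinue
        if ($wu) { $Policy.WUServer = $wu.WUServer; $Policy.WUStatusServer = $wu.WUStatusServer }
        if ($au) { $Policy.UseWUServer = $au.UseWUServer }
    }

    # No intranet update server configured: the client talks to Microsoft directly.
    if ($Policy.UseWUServer -ne 1 -or -not $Policy.WUServer) {
        return [pscustomobject]@{ Status = 'NotUsingWsus'; Detail = 'Client is not configured to use an intranet WSUS server' }
    }

    # Both the update URL and the reporting URL must use TLS; an attacker on the
    # network can tamper with metadata on either if it is fetched over http.
    $findings = foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = $Policy[$name]
        if (-not $url) { "$name is unset"; continue }
        try { $uri = [uri]$url } catch { "$name is not a valid URL: $url"; continue }
        if ($uri.Scheme -ne 'https') {
            "$name uses plaintext $($uri.Scheme): $url (update metadata can be tampered with on the network)"
        }
    }

    if ($findings) {
        [pscustomobject]@{ Status = 'Vulnerable'; Detail = ($findings -join '; ') }
    } else {
        [pscustomobject]@{ Status = 'OK'; Detail = "WSUS traffic to $($Policy.WUServer) is protected by TLS" }
    }
}

# Constructed sample configurations (hypothetical host names, not a real site):
$Weak   = @{ UseWUServer = 1; WUServer = 'http://wsus.corp.example:8530';  WUStatusServer = 'http://wsus.corp.example:8530' }
$Strong = @{ UseWUServer = 1; WUServer = 'https://wsus.corp.example:8531'; WUStatusServer = 'https://wsus.corp.example:8531' }

Test-WsusClientTransport -Policy $Weak     # Status: Vulnerable
Test-WsusClientTransport -Policy $Strong   # Status: OK
Test-WsusClientTransport                   # audit the machine this runs on
```

The weak configuration is the one the researchers' attack relies on; the strong one only helps if the server side has been switched over as well, which on the WSUS server is done with `WsusUtil.exe configuressl <server FQDN>` after an HTTPS binding and a certificate the clients trust have been installed in IIS. Note that the client check above reports only what policy says; a client that trusts a rogue CA, or a server certificate issued for a different name, would still pass it.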