PCs could be at risk with BitLocker if they remain unpatched

Synopsys security analyst Ian Haken says that unpatched PCs in businesses are at risk of having user accounts compromised and BitLocker bypassed in an attack he describes as trivial to perform.
The attack vector in question, sealed off in the latest round of Microsoft security updates under bulletin MS15-122, affects Windows machines that are joined to a network domain, notably those in enterprise environments.
But only sadistic sysadmins whose users suffer having to enter pre-boot passwords are immune, Haken says.
Haken says that attackers with access to a lost or stolen laptop can spoof the relevant network domain and set up a fake user account whose username matches the one on the victim's computer.
The fake account needs a creation date in the past; the password chosen for it does not matter.
Once the victim machine connects to the spoofed domain, Windows displays a password-reset prompt, and completing it changes the credentials held in the computer's local cache.
The laptop can then be disconnected from the spoofed domain and logged into with the changed credentials.
In the whitepaper "Bypassing Local Windows Authentication to Defeat Full Disk", presented at Black Hat Europe, Haken says the attack is not foiled by Microsoft's Trusted Platform Module.
Here's a sample of his thinking: "The domain controller is remote, and since the attacker has physical control of the machine, the hacker also has control of network communication and can direct communications to an attacker-controlled mock domain controller."
Since a personal computer with passwordless BitLocker will transparently retrieve the decryption key and boot to the Windows login screen, Windows authentication becomes the attack surface for defeating BitLocker. It's a bit of a 'catch-22' situation.
There is no easy fix without Microsoft's patch, however. System admins who do not or cannot apply the security patch can still disable local credential caching, but that means users cannot log in offline.
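The three conditions the article ties to this weakness (a domain-joined client without the MS15-122 update, BitLocker unlocking with a TPM alone rather than a TPM plus pre-boot PIN, and cached domain logons left enabled) can all be read from a Windows client. The following PowerShell audit is an added example, not code from the article, Haken or Synopsys; it assumes the built-in BitLocker module is available, that it runs elevated, and that you supply the KB number for the MS15-122 update matching your OS build (the default is a placeholder, since the article gives only the bulletin ID).

```powershell
# Added audit example (not from the article). Reports the exposure conditions the
# article describes; it changes nothing. Run in an elevated PowerShell session.
param(
    # Placeholder: replace with the MS15-122 KB for this OS build.
    [string]$Ms15122Kb = 'KB-PLACEHOLDER-FOR-MS15-122',
    [string]$OsDrive = $env:SystemDrive
)

$findings = @()

# 1. Is the machine domain-joined? The attack only applies to domain clients.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "Not domain-joined: the MS15-122 scenario does not apply."
    return
}

# 2. Is the MS15-122 update installed? Get-HotFix reads the installed-QFE list.
$patch = Get-HotFix -Id $Ms15122Kb -ErrorAction SilentlyContinue
if (-not $patch) {
    $findings += "MS15-122 update ($Ms15122Kb) not found; the cached-credential bypass is unmitigated by patching."
}

# 3. Does BitLocker on the OS drive unlock with the TPM alone (no pre-boot PIN)?
$vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction SilentlyContinue
if ($null -eq $vol -or $vol.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is not on for $OsDrive."
} else {
    $types  = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasPin = @($types | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey' }).Count -gt 0
    if (($types -contains 'Tpm') -and -not $hasPin) {
        $findings += "BitLocker on $OsDrive uses a TPM-only protector; no pre-boot PIN, so the drive unlocks transparently to the logon screen."
    }
}

# 4. Are domain logons cached locally? CachedLogonsCount (REG_SZ) defaults to 10
#    when the value is absent; 0 disables caching at the cost of offline logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10' }
if ([int]$cached -gt 0) {
    $findings += "CachedLogonsCount is $cached; cached domain credentials are stored locally."
}

if ($findings.Count -eq 0) {
    Write-Output "No exposure conditions found."
} else {
    Write-Output "Exposure conditions found:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

A machine that reports all of findings 2, 3 and 4 matches the configuration the article describes. Findings 3 and 4 are independent of the patch: the pre-boot PIN is the only one of the three that Haken credits with making a client immune, and setting CachedLogonsCount to 0 is the stop-gap the article mentions for systems that cannot be patched, with the offline-logon trade-off it notes.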
Source: Synopsys Internet Security.
