
Bug allows attackers to hijack Windows time sync software used to track security incidents


Researchers at GRIMM on Tuesday said they found a remote code execution (RCE) vulnerability that can let attackers hijack the update process of a popular Windows time synchronization software product – Greyware’s Domain Time II – by exploiting a man-on-the-side (MotS) vulnerability.

Domain Time II ensures accurate time across an entire network, using various sources such as GPS clocks and Internet time servers, which then match the system clock with extreme accuracy.

Adam Nichols, principal of software security at GRIMM, said security pros should take note because any disruption to the time synchronization software could make it virtually impossible to track a security incident – and any sequence of events that are important to the business or regulators.

“Time synchronization does not only apply to security events,” Nichols added. “Financial transactions could potentially be recorded in a different order. Time synchronization is often also a compliance issue. For example, many organizations in the financial sector are required to maintain time synchronization in certain environments and may face regulatory fines if they fail to do so.”

Whereas a man-in-the-middle (MitM) attack lets hackers read and modify network traffic between two endpoints, a MotS attack only lets the attacker read that traffic and inject packets of their own alongside it, without altering the legitimate ones. These MotS attacks are still dangerous, said Nichols, because attackers can insert malware into the update process.

“An attacker can trick a user into downloading and executing an attacker-controlled payload under the guise of a routine software update,” Nichols said. “Since the attack is performed in the context of a MotS, the attacker cannot manipulate the data exchanged between a local install and the update server. However, the attacker can send out their own responses and ‘race’ the legitimate traffic. If the attacker wins the ‘race,’ the local install will open a browser window and drive it to a URL supplied by the attacker.”
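The race described above leaves a signature a defender can look for: one update check answered twice, with different content, a few milliseconds apart, because the attacker cannot suppress the real server's reply. The following Python is an added example, not GRIMM's or Greyware's code; the record layout, the `.invalid` host names and the `find_raced_replies` function are assumptions for illustration, and the sample replies are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# Hypothetical field layout for what a network sensor might log for each
# update-check reply it sees. Nothing here is the vendor's real protocol.
@dataclass(frozen=True)
class UpdateReply:
    request_id: str   # correlates a reply with the client's check request
    ts_ms: int        # arrival time, milliseconds
    src_ip: str
    update_url: str   # URL the client would be driven to

# Assumed allowlist of legitimate update hosts (placeholder domain).
EXPECTED_HOSTS = {"update.example-vendor.invalid"}

def find_raced_replies(replies, window_ms=2000):
    """Flag requests that got conflicting replies close together.
    Two replies with different URLs inside a short window is the MotS
    signal; a retransmit carrying the same URL is not."""
    by_request = defaultdict(list)
    for reply in replies:
        by_request[reply.request_id].append(reply)
    findings = []
    for req_id, group in by_request.items():
        group.sort(key=lambda r: r.ts_ms)
        if len({r.update_url for r in group}) < 2:
            continue
        if group[-1].ts_ms - group[0].ts_ms > window_ms:
            continue  # far apart: a later, separate check, not a race
        winner = group[0]  # the reply the client would have acted on
        findings.append({
            "request_id": req_id,
            "winner_src": winner.src_ip,
            "winner_url": winner.update_url,
            "winner_unexpected": urlparse(winner.update_url).hostname not in EXPECTED_HOSTS,
            "reply_count": len(group),
        })
    return findings

# Constructed sample traffic: r2 is the raced check, the others are benign.
SAMPLE_REPLIES = [
    UpdateReply("r1", 1000, "203.0.113.10", "https://update.example-vendor.invalid/check"),
    UpdateReply("r2", 5000, "198.51.100.7", "https://mirror.not-the-vendor.invalid/check"),
    UpdateReply("r2", 5035, "203.0.113.10", "https://update.example-vendor.invalid/check"),
    UpdateReply("r3", 9000, "203.0.113.10", "https://update.example-vendor.invalid/check"),
    UpdateReply("r3", 9400, "203.0.113.10", "https://update.example-vendor.invalid/check"),
]
```

Running `find_raced_replies(SAMPLE_REPLIES)` reports only `r2`, whose first-arriving reply came from an unexpected host, which is exactly the case where the client would have acted on the attacker's answer.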

In a blog post, the researchers said the vulnerability was discovered through GRIMM’s Private Vulnerability Disclosure (PVD) program. Domain Time II typically gets installed on domain controllers and every endpoint. A patch was released by Greyware on March 31.

Greyware’s customers include many top companies and important government agencies. The list runs from NASDAQ, Finra, Dow Jones, London Stock Exchange, Barclays, Blue Cross, Citi, Credit Suisse and JP Morgan Chase to defense and aerospace giants Lockheed Martin, General Dynamics and Northrop Grumman. Government agency customers include the Army and Navy, the Federal Aviation Administration, and the U.S. Treasury.

At first blush, this vulnerability and the affected software might sound like something to attend to when the team has time and free resources, said Dirk Schrader, global vice president, security research at New Net Technologies.

“The fact is that without proper time sync across all devices in a given infrastructure, any correlation between individual events to track down an incident is impossible,” Schrader said. “Working time sync is one of those essential things that need to be in place and maintained to enable a cyber security workflow. In this case, it’s even worse as the exploit allows for download and execution of malicious files. This combination, the ability to manipulate the time sync in parallel to installing – for example – a backdoor, isn’t something sysadmins will want to happen to the infrastructure they manage.”
