Companies that rely on default configurations for Windows Server Update Services to manage and distribute updates to endpoints in the corporate environment could be vulnerable to cyberattacks.
Both Windows Update and WSUS could be vulnerable to man-in-the-middle attacks, enabling attackers to infiltrate corporate networks, because of default WSUS deployment settings that do not enable SSL.
“WSUS deployments that are not configured to use SSL are vulnerable to man-in-the-middle attacks,” reads the research paper. “A network-based attacker can use ARP spoofing or WPAD injection attacks to intercept and modify the SOAP requests between clients and the WSUS server, and perform the metadata tampering described above.”
Although the Windows Server 2013 configuration wizard advises IT administrators to use SSL across Update Services, the two Contextis researchers, Paul Stone and Alex Chapman, believe many companies keep the default WSUS settings, which do not use SSL.
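To check whether endpoints are actually in that default, non-SSL state, an administrator can read the Windows Update policy values that Group Policy writes when "Specify intranet Microsoft update service location" is configured. The script below is an added example, not code from the article or from Stone and Chapman's research. The registry paths and value names are the documented Windows Update policy keys; the function names, the output object and the placeholder host names are this example's own assumptions.

```powershell
# Added audit script (not part of the article or of Context's research): reports
# whether this endpoint talks to its WSUS server over HTTPS or plaintext HTTP.
function Test-WsusClientTransport {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey     = Join-Path -Path $policyKey -ChildPath 'AU'

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        UsesWsus       = $false
        WUServer       = $null
        WUStatusServer = $null
        Secure         = $null      # $true only when both URLs use https://
        Findings       = @()
    }

    # UseWUServer = 1 means updates come from an intranet WSUS server rather than
    # from Microsoft's public service; without it the WSUS URLs are ignored.
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue
    if (-not $au -or $au.UseWUServer -ne 1) {
        $result.Findings += 'Client is not configured to use an intranet WSUS server'
        return $result
    }
    $result.UsesWsus = $true

    $wu = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $secure = $true
    foreach ($name in 'WUServer', 'WUStatusServer') {
        $url = if ($wu) { $wu.$name } else { $null }
        $result.$name = $url

        if ([string]::IsNullOrWhiteSpace($url)) {
            $result.Findings += "$name is not set"
            $secure = $false
            continue
        }
        # The scheme is what matters: an http:// URL means the SOAP exchange with
        # WSUS, including the update metadata, travels in cleartext on the network.
        if ($url -notmatch '^https://') {
            $result.Findings += "$name uses plaintext HTTP: $url"
            $secure = $false
        }
    }
    $result.Secure = $secure
    if ($secure) { $result.Findings += 'WSUS client traffic uses HTTPS' }
    return $result
}

# Fleet-wide variant: run the same check on remote endpoints over PowerShell
# remoting. The host names below are constructed placeholders for this example.
function Get-WsusTransportReport {
    param([string[]] $ComputerName = @('WS-CLIENT-01', 'WS-CLIENT-02'))

    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Test-WsusClientTransport} -ErrorAction Continue |
        Select-Object ComputerName, UsesWsus, WUServer, Secure,
                      @{ n = 'Findings'; e = { $_.Findings -join '; ' } }
}

# Local run: one record describing this machine's WSUS transport.
Test-WsusClientTransport | Format-List
```

A finding of "uses plaintext HTTP" is the condition the researchers describe. Remediation is on both sides: enable SSL on the WSUS server (for example with `wsusutil.exe configuressl <server FQDN>`, after binding a certificate in IIS) and then point clients at `https://<server FQDN>:8531` for both the update and the status URL in the same Group Policy setting (8531 is the default WSUS SSL port; 8530 is the default HTTP port). Re-running the check afterwards should report `Secure = True` on every host.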
Although an attacker cannot modify Microsoft-signed updates themselves, they can modify the update metadata or create fake updates and deliver them to clients. In their proof-of-concept, the researchers injected an update that uses the PsExec SysInternals utility, which is signed by the Microsoft CA, to run arbitrary commands.
“The PsExec SysInternals utility, which is normally used to run commands on remote systems, can also be used to run commands as the current user,” according to the research. “By injecting an update that uses PsExec, the update XML can specify any arguments for PsExec, therefore allowing the attacker to run arbitrary commands.”
Chapman says a simple mitigation for this type of attack would involve using a separate signing certificate for Windows Update, closing off the man-in-the-middle scenario. Following this research, IT administrators running WSUS deployments with default settings are strongly encouraged to move away from the default, non-SSL configuration to avoid security incidents.