TDR AD Helper Credential Disclosure Vulnerability
Good morning TDR Users,
On 11 March 2020, the penetration testing company RedTeam Pentesting GmbH published a credential disclosure vulnerability in the AD Helper on exploit-db.com (link below). The disclosure states that when the AD Helper web interface is accessed, it calls an API endpoint that responds with the plaintext credentials for all configured domain controllers.
On 9 March 2020, WatchGuard released a fix for this vulnerability in AD Helper 220.127.116.1117. In this version, the offending REST endpoint no longer returns plaintext passwords. In addition, the service that runs the configuration UI is now bound only to the loopback address (localhost/127.0.0.1), so it is not reachable from other hosts on the network. This means that users must log in to the computer locally to access the AD Helper Configuration UI.
Please make sure your AD Helper is up to date and runs version 18.104.22.16817 or higher. If your AD Helper runs a lower version and cannot auto-update, you must update it manually. If your AD Helper cannot communicate with TDR or cannot auto-update, please follow the steps at: https://watchguardsupport.secure.force.com/publicKB?type=Known%20Issues&SFDCID=kA10H000000g4mPSAQ
Additionally, if you are unable to update the AD Helper immediately, you can use firewall rules to minimize the exposure of the AD Helper to external networks, which would limit the scope of the vulnerability. While it is still a serious vulnerability, and you will want to patch quickly, most internet-based attackers should not be able to reach this web interface unless you allowed it via your firewall.
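To confirm on the host that the configuration UI really is bound only to the loopback address after the update (or to see what is exposed before you can patch), the following PowerShell check is an added example and is not part of this advisory or of WatchGuard's tooling. The process name is a placeholder, since the advisory does not name the service process; substitute the real one.

```powershell
# Added example (not WatchGuard's code): list the TCP listeners owned by a
# named process and flag any listener that is not bound to loopback.
param(
    # ASSUMPTION: placeholder; replace with the AD Helper service's real process name
    [string]$ProcessName = 'ADHelperPlaceholder'
)

# Only these local addresses mean "reachable from this machine alone".
$loopback = @('127.0.0.1', '::1')

$procIds = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Id

if (-not $procIds) {
    Write-Warning "No running process named '$ProcessName' was found."
    return
}

# Listening TCP sockets owned by the process(es) above.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $procIds -contains $_.OwningProcess }

foreach ($l in $listeners) {
    # 0.0.0.0, :: or a LAN address means other hosts can reach the UI.
    $loopbackOnly = $loopback -contains $l.LocalAddress
    [pscustomobject]@{
        ProcessId    = $l.OwningProcess
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        LoopbackOnly = $loopbackOnly
    }
}
```

Any row with LoopbackOnly set to False is a listener that firewall rules should block from external networks until the update is applied.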
WatchGuard greatly appreciates members of the security community who find and responsibly disclose vulnerabilities in our products so that we can correct them and make our products as secure as possible. We thank RedTeam Pentesting GmbH for responsibly bringing this to our attention.
The TDR PM Team
Exploit-DB Link: https://www.exploit-db.com/exploits/48203