Microsoft privilege escalation issue forces the debate: ‘When is something a security hole?’
Security vendor Fortra announced on Friday what it is describing as a Microsoft security hole that would allow an attacker who had stolen low-level access credentials to escalate them to high-level access.

Privilege escalation is hardly a new issue, but it is a critical tool in an attacker’s arsenal. Privilege escalation is also a routine part of the administrator’s day, but when an attacker can escalate privileges without an admin being alerted, that can be a disaster. That seems to be the essence of the hole that Fortra is trying to flag.

Microsoft acknowledges the capability, but considers it a convenience issue, as admins need to have the ability to escalate credentials to complete various tasks, Fortra said.

Microsoft emailed a short statement to CSO: “We are aware of Fortra’s report and have investigated its claims. As their report caveats, the method requires membership in the Administrator group, so the so-called technique is just leveraging an intended permission or privilege which does not cross a security boundary.”

From Fortra’s perspective, the problem is not as much the privilege escalation, which can certainly happen within the normal course of business, but that this situation “allows higher privilege code execution without any of the checks and balances that are normally in place” and that “this removes a safety net that many Administrators rely on (User Account Control/UAC) and introduces the risk of high integrity code execution,” said Tyler Reguly, associate director, security R&D at Fortra. The company provided a detailed technical description of the issue in a blog post.

From that perspective, the issue is mostly about UAC bypasses rather than what is enabled by those bypasses.

This is where things get tricky. Reguly argued that this amounts to a security hole.

“With the proof-of-concept provided, we’re performing the action of launching an elevated command prompt. This could be done by an administrator, but they’d get a UAC prompt. Instead, we’re using a malicious technique, and you don’t get a UAC prompt,” Reguly said. “If UAC is a security feature and we’re running something that would normally require a UAC prompt without one, that sounds to me like a security feature bypass. Microsoft, traditionally, has fixed security feature bypasses, but, in this case, because of the wording of the Microsoft Security Servicing Criteria for Windows, they are not.”

That last line is indeed the thrust of the Microsoft argument. In its Security Servicing Criteria for Windows, Microsoft says “Administrative processes and users are considered part of the Trusted Computing Base (TCB) for Windows and are therefore not strongly isolated from the kernel boundary. Administrators are in control of the security of a device and can disable security features, uninstall security updates, and perform other actions that make kernel isolation ineffective. This includes actions which require Administrator permissions like registry tampering with HKEY_LOCAL_MACHINE and any attack where the attacker has Local or Domain Administrator access.”

It is not quite the “it’s a feature, not a bug” argument, but it gets close.

Security specialists generally sided with Microsoft on this one.

Selim Aissi spent six years as the CISO at Ellie Mae, following stints as VP global information security at Visa, and chief security strategist for Intel. Aissi, who reviewed the Fortra documents at CSO’s request, said, “I honestly don’t think it’s a big deal.”

“The first stage (UAC bypass) has been reported in the past and is a known issue. The second stage of the theoretical attack is only related to admins, who already have the ability — if they turned rogue — to potentially do a lot more damage than reported in this case,” Aissi said. “I don’t see the ease of this claimed privilege escalation. If I’m an attacker, I’d rather use a new vulnerability or unpatched zero-day to perform privilege escalation.”

Steve Zalewski, longtime CISO for Levi Strauss until 2021, when he became a cybersecurity consultant, also reviewed the Fortra material.

“It is not a security hole, so I happen to agree with Microsoft on this one. The underlying logic that Fortra uses to justify calling it a hole just does not stand up to my reasonableness sniff test,” Zalewski said. “At best, it is a feature request that you have UAC provide more granularity in the types of authorization requests that will trigger the second factor of authentication. The downside to doing this is that you will get so many alerts that it effectively prevents you from doing any work.”

Zalewski said that Fortra “used the phrase ‘malicious technique,’ which is not accurate. There is nothing malicious about using the functionality as described. They are asserting that, because it can be used for malicious purposes, it must be a security issue that has to be addressed. They confuse the issue by declaring that if you use an alternate method where UAC does require verification, then it must follow that all equivalent functionality must use the same security verification. So their actual argument is that Microsoft erred in only partially implementing the security policy. Those are two different situations, not a logical conclusion between the situations.”
