A critical vulnerability in PDQ Deploy, a software deployment service used by system administrators, has been highlighted in a recent advisory by the CERT Coordination Center (CERT/CC). The flaw, which involves the insecure handling of administrator credentials during deployment processes, exposes organizations to potential lateral movement attacks and broader network compromises.
PDQ Deploy utilizes various “run modes” to deploy software to target devices within a network. One of these modes, the “Deploy User” run mode, creates temporary credentials on target machines during deployment. CERT/CC explains, “These credentials are deleted from the device following a full deployment of a software file, however, an attacker with access to the target device can compromise these credentials prior to deletion through common password tools such as Mimikatz.”
If captured, these credentials give the attacker administrator access to the target device. Worse, when the Deploy User is a domain account, the same credentials are valid on every device the account has been used on, so an attacker who dumps them on one machine can reuse them to move laterally and compromise other systems.
The deployment process involves multiple steps, from establishing a connection with the target device to removing the service after the software is deployed. “An attacker with access to the device can use a password dumping tool, such as Mimikatz, to dump these credentials during the deployment process,” the advisory notes.
The vulnerability is particularly critical for deployments using domain accounts, as these credentials are static and shared across multiple devices.
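The dumping step described above leaves a detectable trace: a credential-dumping tool must open a handle to lsass.exe with read access, which Sysmon records as Event ID 10 (ProcessAccess). The following detection logic is an added example, not code from CERT/CC or PDQ. It parses constructed Sysmon records (flattened to key=value pairs; these are not real captures), ignores allow-listed processes, and flags any other process that requests PROCESS_VM_READ together with a query right on lsass.exe, the access pattern Mimikatz and similar tools produce. The allow-list and the log format are assumptions to be tuned for your environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Access rights a credential dumper needs on lsass.exe: PROCESS_VM_READ plus
# PROCESS_QUERY_INFORMATION or PROCESS_QUERY_LIMITED_INFORMATION
# (Mimikatz is usually seen requesting 0x1010 or 0x1410).
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

# Processes that legitimately open lsass.exe. Assumption: adjust per host build.
# Keyed on the full lower-cased path on purpose: a basename is trivially spoofed.
ALLOWLIST = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}

# Constructed Sysmon records for illustration only (not from a real host).
SAMPLE_LOG = r'''
EventID=10 UtcTime="2024-11-05 14:02:11.345" Computer=WS01 SourceImage="C:\Windows\System32\svchost.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1000
EventID=1 UtcTime="2024-11-05 14:02:18.900" Computer=WS01 Image="C:\Users\jdoe\Downloads\mimikatz.exe" CommandLine="mimikatz.exe privilege::debug sekurlsa::logonpasswords"
EventID=10 UtcTime="2024-11-05 14:02:19.002" Computer=WS01 SourceImage="C:\Users\jdoe\Downloads\mimikatz.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1010
EventID=10 UtcTime="2024-11-05 14:02:20.500" Computer=WS01 SourceImage="C:\Program Files\Windows Defender\MsMpEng.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF
EventID=10 UtcTime="2024-11-05 14:02:25.100" Computer=WS01 SourceImage="C:\Windows\System32\Taskmgr.exe" TargetImage="C:\Windows\explorer.exe" GrantedAccess=0x1410
EventID=10 UtcTime="2024-11-05 14:02:31.777" Computer=WS01 SourceImage="C:\Temp\procdump64.exe" TargetImage="C:\Windows\System32\lsass.exe" GrantedAccess=0x1FFFFF
'''

# key=value pairs; values are either "quoted, may contain spaces" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    timestamp: str
    host: str
    source_image: str
    granted_access: int


def parse_record(line: str) -> Dict[str, str]:
    """Turn one flattened Sysmon line into a field dictionary."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_dump_access(mask: int) -> bool:
    """True if the granted access mask allows reading LSASS memory."""
    wants_read = bool(mask & PROCESS_VM_READ)
    wants_query = bool(mask & (PROCESS_QUERY_INFORMATION |
                               PROCESS_QUERY_LIMITED_INFORMATION))
    return wants_read and wants_query


def detect_lsass_access(log: str) -> List[Finding]:
    """Flag non-allow-listed processes opening lsass.exe with dump-capable rights."""
    findings: List[Finding] = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("EventID") != "10":            # only ProcessAccess events
            continue
        if basename(rec.get("TargetImage", "")).lower() != "lsass.exe":
            continue
        source = rec["SourceImage"]
        if source.lower() in ALLOWLIST:
            continue
        mask = int(rec["GrantedAccess"], 16)
        if is_dump_access(mask):
            findings.append(Finding(rec["UtcTime"], rec["Computer"], source, mask))
    return findings


if __name__ == "__main__":
    for f in detect_lsass_access(SAMPLE_LOG):
        print(f"{f.timestamp} {f.host}: {f.source_image} opened lsass.exe "
              f"with 0x{f.granted_access:X}")
```

On the constructed input this flags mimikatz.exe (0x1010) and procdump64.exe (0x1FFFFF) while ignoring svchost.exe, which requested only PROCESS_QUERY_LIMITED_INFORMATION, and the allow-listed Defender engine. In a real deployment, correlate hits with the time window of a PDQ Deploy job on the same host, since that is when the Deploy User credentials are resident.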
If exploited, this vulnerability could result in:
- Administrator Credential Theft: Attackers can extract Deploy User credentials, gaining high-level privileges on compromised devices.
- Lateral Movement: Attackers can move through the network, compromising other devices sharing the same credentials via Active Directory.
- Broader Network Compromise: Exploitation of these credentials can lead to extensive damage, including unauthorized access to sensitive systems and data.
To address this vulnerability, CERT/CC recommends the following measures:
- Use LAPS (Local Administrator Password Solution): LAPS gives every machine a unique, regularly rotated local administrator password, so a Deploy User credential dumped from one device works only on that device and cannot be reused for lateral movement.
- Employ Alternate Deploy Modes: The “Logged on User” deploy mode does not create services with domain/local credentials, thus avoiding this vulnerability. However, this mode is only available in PDQ Deploy Enterprise and requires user input during deployment.
- Review PDQ Deploy Configurations: System administrators should refer to the How-to-Guides on the PDQ Deploy website for best practices and secure configuration guidelines.